Network Security: Routing security

Oct 28, 2013

Aapo Kalliola

T-110.5241 Network security

Aalto University, Nov-Dec 2012

Outline

1. Structure of internet

2. Routing basics

3. Security issues

4. Attack

5. Solutions (?)

6. Censorship and avoidance

7. Case studies




Couldn’t routing be trivial?


”Explosive growth is taxing current Internet routing mechanisms. New sites continue to join the Internet… In some sense, the Internet is a victim of its own success; many routing protocols are being used in environments for which they had not been designed.”

- Thomas Narten, ”Internet routing”, 1989

Routing basics

Internet (?)

Internet, late 1980s

Hosts, networks and gateways

[Figure: network diagram of hosts H1-H3, networks N1-N5 and gateways G1-G6]

Internet, 1990s

Hierarchical structure

[Figure: hierarchy of NAPs, national backbone ISPs, regional access providers, local access providers and customer IP networks]

Internet 2000s

Rise of hyper giants

[Figure: global core of national backbone ISPs and Google, CDNs etc.; IXPs; regional / Tier 2 providers; customer IP networks]

Internet 2010s

Rise of IXPs

[Figure: national backbone ISPs and Google, CDNs etc. exchanging huge traffic via IXPs; customer IP networks]

What routing where?

Interior Gateway Protocols (IGP) within an Autonomous System (AS)

Exterior Gateway Protocols (EGP) between ASes

EGP can also refer to the precursor of BGP

Border Gateway Protocol (BGP) is, in practice, the only EGP in use

[Figure: end host, customer network, ISP, IXP and backbone, with IGP inside each network and BGP between them]

Routing in and between Autonomous Systems (ASes)


Tens of thousands of ASes


Internally motivated by efficiency


Externally motivated by

Link costs

Transmission capacity

Load

Policy decisions




Interior gateway protocols

IGPs exchange routing information within an AS

Link-state protocols maintain information about the whole network topology

Open Shortest Path First (OSPF)

Intermediate System to Intermediate System (IS-IS)

Distance-vector protocols converge over time to a common understanding of paths

RIP / RIPv2

IGRP

Hybrid protocols have features from both

EIGRP

Border gateway protocol

BGP is the protocol for making routing decisions between ASes

Routing decisions are not made by automation but rather by commercial interests

Two main types of relations:

Peering: exchanging traffic freely between peers

Transit: smaller AS buying data transit from larger AS

BGP

Design goals

Scalability for connecting ASes at internet scale

Enabling policy decisions such as filtering route announcements

Must work in a distributed competitive environment (vs. early centralized internet)

Two types of BGP sessions

eBGP for routers from different ASes: route information exchange between ASes

iBGP for routers within an AS: disseminating information about learned external routes within the AS


How routes are distributed

AS may be in three relations to another AS:

Peer

Customer

Provider

Typical model, not always so:

Routes from customers are re-distributed to customers, peers and providers

Peer-learned routes are re-distributed to customers but not to other peers nor to providers

Provider-learned routes are re-distributed to customers, but not to other providers, nor to any peers


BGP (cont.)

Data plane in green: host to host traffic

Control plane in blue: BGP route information

Both BGP and data flows need to work in reverse for two-way communication

Reverse path doesn’t need to be the same, though


[Figure: hosts H1 and H2 connected across AS1, AS2, AS4, AS5, AS6 and AS7, data plane in green and BGP control plane in blue]

BGP leak/hijack

Another AS claims to have a better route to a certain network

Reverse direction doesn’t need to be hijacked unless the attacker
wants to do a MitM attack

[Figure: hosts H1, H2 and H3 across AS1, AS2, AS4, AS5, AS6 and AS7]

How an AS is created

Apply for an AS number from local Regional Internet Registry

Get a connection to an IXP

Could also just use a normal ISP -> waste of AS numbers

Get transit or peering from another AS

-> you’re on!

Security issues in routing

Attacks on BGP: outside

Link cutting

Physical

Logical

DoS

Attacks using data plane

Clever use of data plane DDoS to cut BGP connections



CXPST

CXPST is an extension of previous low-rate TCP attack work on DDoSing big routers

Ingredients:

Medium botnet (250000 bots)

Internet structure reconnaissance

Good timing

Overwhelm one router at a time

Router drops its BGP connections

When the router is re-establishing BGP connections, target the neighbours

Could theoretically take down large parts of internet


Attacks on BGP: inside

Attacks on control plane

Route leaks

Route hijacks

Man-in-the-Middle

Tricky but possible

Possible to find attacker AS, though not trivial

How to get inside?

Set up a throw-away AS

Use false information and stolen credit cards

Establish transit/peering

No need to have many connections

Advertise malicious routes

Profit!!

(or whatever you want to do with the traffic you get)

Leave the AS untended

Route leaking / hijacking

Route leaking

Accidental by definition

AS_x has multiple links to other ASes

AS_x gets complete internet route announcement set from its provider

AS_x accidentally announces the set through another AS link

This wrong announcement gets propagated -> all traffic from affected ASes goes to AS_x

Route hijacking

Malicious by definition

AS_x announces a very good path to the target network

ASes receiving the announcement prefer this path and route traffic directed to the target to AS_x -> traffic directed to attack target from affected ASes gets intercepted by AS_x

Could be indistinguishable from each other
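The export rules from "How routes are distributed" and the route-leak scenario above, as an added example that is not part of the slides: an export filter that encodes the customer/peer/provider rule and flags the announcements AS_x must not make. The ASNs, prefixes and relationships are constructed.

```python
from enum import Enum


class Rel(Enum):
    """How a neighbouring AS relates to us: the three relations on the slide."""
    CUSTOMER = "customer"
    PEER = "peer"
    PROVIDER = "provider"


def may_export(learned_from: Rel, export_to: Rel) -> bool:
    """Typical export rule: customer routes go to everyone; peer- and
    provider-learned routes go only to customers, never to peers or providers."""
    if learned_from is Rel.CUSTOMER:
        return True
    return export_to is Rel.CUSTOMER


def audit_exports(neighbours, rib, exports):
    """Label each export 'ok' or 'leak' (an export the rule forbids).

    neighbours: {asn: Rel} for every BGP neighbour of AS_x
    rib:        [(prefix, asn_learned_from)] routes AS_x currently holds
    exports:    [(prefix, asn_exported_to)] what AS_x is about to announce
    Returns [(prefix, to_asn, verdict), ...]."""
    learned = {prefix: neighbours[asn] for prefix, asn in rib}
    verdicts = []
    for prefix, to_asn in exports:
        ok = may_export(learned[prefix], neighbours[to_asn])
        verdicts.append((prefix, to_asn, "ok" if ok else "leak"))
    return verdicts


def leaked_prefixes(verdicts):
    """Distinct leaked prefixes, e.g. for an alert before the announcement goes out."""
    return sorted({p for p, _, v in verdicts if v == "leak"})


# Constructed scenario with hypothetical private ASNs and documentation prefixes:
# AS_x buys transit from AS 64500, peers with AS 64510, sells transit to AS 64520.
NEIGHBOURS = {64500: Rel.PROVIDER, 64510: Rel.PEER, 64520: Rel.CUSTOMER}
RIB = [("203.0.113.0/24", 64520),   # learned from the customer
       ("198.51.100.0/24", 64510),  # learned from the peer
       ("192.0.2.0/24", 64500)]     # one route of the full table from the provider
EXPORTS = [("203.0.113.0/24", 64500),   # customer route to provider: ok
           ("203.0.113.0/24", 64510),   # customer route to peer: ok
           ("198.51.100.0/24", 64520),  # peer route to customer: ok
           ("192.0.2.0/24", 64510),     # provider route to peer: the leak on the slide
           ("198.51.100.0/24", 64500)]  # peer route to provider: also a leak
```

Running the check on the export side is what prevents the "full table through another AS link" accident; the same rule applied on the import side tells a neighbour that a route it received from a customer was actually learned from that customer's provider.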

BGP Man-in-the-Middle

Traceroute & plan reply path to target

Note the ASN’s seen towards target from traceroute & BGP table on your router

Apply AS-path prepends naming each of the ASN’s intended for reply path

Set up static routes towards the next hop of the first AS in reply path -> done

Attacks

Traffic snooping

Comprehensive traffic recording?

This might already be going on without need for BGP attacks

Popularization of IXPs?

”A few people operate the SIX with a few Cisco switches in a rack. Essentially every major carrier and service provider now connects to the SIX..”

Not really indicative of any real problem with IXPs, just that there are many different parties involved in getting a data packet from source to destination

Traffic spoofing

MITM for all traffic

Can also modify, possibly without detection

Total interception

Faked replies

Censorship purposes

Dropping / resetting / redirecting replies

Other

Spamming (fly-by)

Capture a network that hasn’t been used for malicious activity

Send spam from the network

Network gets blocked

Repeat

DoS

Capture the target network

Drop the incoming traffic

Target impersonation

Capture the target network

Reply to incoming traffic with valid responses of your own

Attacking the routers themselves

Default passwords

How to react?

Analysis of what is happening

Where the attack originates

Malicious vs. Accidental

Malicious attacks difficult to stop


Must get several ASes to cooperate in filtering out the offending route announcements

Accidents fixed by informing the origin of the erroneous traffic -> fixes in minutes, usually

After origin is fixed the global routing state corrects itself

Complete correction might take a long time: hours/days

Solutions (?)

Sanity checks

Maximum number of routes accepted from a neighbouring AS

Helps against accidental ”all-of-internet here” route leaks

Not accepting too specific routes

/22 probably ok, /32 suspicious

Cutting BGP sessions that clearly advertise erroneous routes

Might cause even worse problems
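The two sanity checks above as an added example (not code from the slides): a per-neighbour filter that rejects too-specific prefixes and applies a maximum-prefix limit, with a warning band before the session-teardown threshold that the slide cautions about. The /24 and /48 cut-offs and the 90% warning level are assumptions for this example.

```python
import ipaddress

# Longest prefix accepted per IP version: an assumption for this example
# (the slide only says "/22 probably ok, /32 suspicious").
MAX_LEN = {4: 24, 6: 48}


def check_neighbour_announcements(announced, max_prefixes, max_len=MAX_LEN):
    """Sanity-check the prefixes one neighbour AS announces to us.

    announced:    prefix strings received from that neighbour
    max_prefixes: the maximum-prefix limit configured for the session
    Returns {"accepted": [...], "rejected": [(prefix, reason)], "session": action}
    where action is "keep", "warn" (within 10% of the limit) or "teardown"."""
    accepted, rejected = [], []
    for text in announced:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append((text, "malformed"))
            continue
        if net.prefixlen > max_len[net.version]:
            # /32 and the like: too specific, typically a mistake or a hijack attempt
            rejected.append((text, "too-specific"))
            continue
        accepted.append(str(net))
    # The limit is applied to what survived filtering (the slide's "routes
    # accepted"); router vendors differ on whether received or accepted counts.
    if len(accepted) > max_prefixes:
        action = "teardown"  # kills the session: the slide warns this can hurt more
    elif len(accepted) >= 0.9 * max_prefixes:
        action = "warn"      # alert operators before the hard limit is hit
    else:
        action = "keep"
    return {"accepted": accepted, "rejected": rejected, "session": action}


# Constructed sample: a small customer that should announce a handful of prefixes.
SAMPLE = ["192.0.2.0/24", "198.51.100.0/22", "203.0.113.7/32",
          "203.0.113.0/25", "2001:db8::/48", "not-a-prefix"]
```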

Origin authentication

An AS gets a crypto certificate from its RIR containing its network and AS number

It’s possible to verify AS identity using Resource Public Key Infrastructure (RPKI)

Additional overhead

Many routers don’t support RPKI
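How the RIR-issued "network and AS number" binding is used, as an added example that is not from the slides: route origin validation (RFC 6811) against Route Origin Authorizations, which is the check RPKI-capable routers run on each announcement. The ROAs, prefixes and ASNs are constructed.

```python
import ipaddress
from collections import namedtuple

# A Route Origin Authorization as published in RPKI: the certified prefix, the
# longest length the holder allows to be announced, and the authorised origin AS.
ROA = namedtuple("ROA", "prefix max_length asn")


def validate_origin(roas, announced_prefix, origin_asn):
    """Route origin validation as in RFC 6811.

    'valid'     some covering ROA names this origin AS and permits this length
    'invalid'   ROAs cover the prefix but none permit this origin/length
    'not-found' no ROA covers the prefix (most of the Internet, in practice)"""
    route = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_rov(roas, announcements):
    """Sort (prefix, origin_asn) announcements by ROV state. Invalid ones are the
    candidates to drop; not-found ones must still be accepted."""
    buckets = {"valid": [], "invalid": [], "not-found": []}
    for prefix, asn in announcements:
        buckets[validate_origin(roas, prefix, asn)].append((prefix, asn))
    return buckets


# Constructed ROAs with private ASNs and documentation prefixes (hypothetical).
ROAS = [ROA("192.0.2.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]
```

ROV checks only the origin AS at the end of the AS path, which is why the slides go on to the path-validating soBGP and S-BGP proposals.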

Secure Origin BGP

Certificate-based system, backed by Cisco

Options for transporting certificates by various
means

Even on data plane


Tweaking routes by accepting some and denying
some possible

Secure BGP

Certificate-based system, pretty much similar to soBGP

Requires PKI

Data-plane verification

Requires functionality on both control and data
plane

In addition to doing normal BGP operation check for
data plane reachability problems

Works for blackholing, accidents and stale routes

Does not require PKI infrastructure


Overhead!

Censorship and avoidance

Great firewall of China

Does

snooping

filtering

DNS injection

Also tries to prevent accessing foreign proxies for free internet access

Unwittingly also affects traffic transiting through China

For instance German subnets have received censored DNS replies

Hopefully fixed since published fall 2012

Decoy Routing

Set up routers with special functionality randomly around the internet

Censored end host apparently tries to access allowed content

A special router is on path to allowed content

The special router recognizes the end host and routes the request to censored content

Censored content origin is faked to look like allowed content origin

Censored end host receives the censored content


Problems in previous proposal


The special routers need to be on the traffic path

Number of routers required already quite high ..

.. especially if the censor has lots of connections

If the censor is capable of modifying routing

Interconnectivity way too high to deploy enough routers

Nation-wide censorship usually is routing-capable

More case studies

AS 7007 incident, 1997

..where the BGP worries started

AS 7007 started leaking a large part of complete route table -> Much of traffic in internet blackholed

Took priority in BGP due to chopping announced networks to /24 blocks

BGP cleanup took quite a while

ICANN DNS root server L, 2008

ICANN moved root server L to a new IP address

Regardless, the old IP kept responding to DNS
requests


Pakistan blocking Youtube, 2008

Country-internal blocking got leaked to the whole internet

China Telecom 2010

China “leaked” routes and captured a significant portion of internet traffic for some minutes



Australia outage, 2012

30 mins

Filtering failure leading to route leakage leading to
BGP session kill due to maximum prefix limiting

Summary

Logical structure of internet is a function of
commercial interests and geography

Internet routing is largely based on trust and correct
operation

Don’t blindly trust internet routing

Good practices help!

http://tools.ietf.org/html/draft-jdurand-bgp-security-00


Further reading

BGP Man-in-the-Middle

http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

China's 18-Minute Mystery

http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml

How the Internet in Australia went down under

http://www.bgpmon.net/how-the-internet-in-australia-went-down-under/

How Secure are Secure Interdomain Routing Protocols?

http://research.microsoft.com/pubs/120428/bgpattack-full.pdf