BGP Route Hijacking - What Can Be Done Today? (Version 1.2)
Barry Raveendran Greene, Principal Architect – Carrier, Enterprise & [email protected]
@Akamai
BGP - the Core Protocol that Glues all of the Internet & Telecom depends on trusting your neighbors.
Neighbors make mistakes. Some Neighbors abuse. Some violate the Neighbors and violate everyone!
Minimizing the Risk: What are people doing to mitigate the risk of BGP hijacks?
Explore the BGP Hijack Risk: Is this a common risk or a unique one? How big is the risk?
BGP Hijacking
AKAMAI EXPECTS “BGP/INTERNET EVENTS”, MONITORS IN REAL TIME , & ADAPTS AROUND THE “EVENT.”
BGP Leaks & Hijacks are a daily activity!
Akamai sees 5 - 20 “possible interesting situations” a day on our infrastructure. Most are network changes to which we adapt our infrastructure. Some are route leaks. Infrequently we see a suspected malicious BGP hijack.
What is a prefix hijack?
[Figure: AS 100 (the customer, with web server W), AS 200, AS 300, AS 400 and AS 500 interconnected by routers. A broken-into router advertises the web server prefix as a /32, alongside the legitimate X.Y.Z.0/22 and X.Y.Z.1/24 routes. All web traffic forwards to the /32 more specific.]
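To make the diagram concrete, here is an added Python example (not from the slides or from Akamai) that performs longest-prefix match over a constructed routing table, so you can see the /32 capture the web server's traffic, and then runs a simple defender-side heuristic that flags more-specifics announced by an origin AS other than the expected one. The RFC 5737 addresses, AS 500 as the rogue origin and the `more_specific_alarms` heuristic are assumptions made for the example.

```python
import ipaddress

# Constructed routing table modelling the diagram. Addresses are RFC 5737
# documentation space standing in for the page's X.Y.Z placeholders; AS numbers
# follow the diagram's labels (AS 100 hosts the web server; AS 500 is assumed to
# be where the broken-into router sits).
LEGIT_ORIGIN = 100
ROGUE_ORIGIN = 500
WEB_SERVER = "203.0.113.1"

LEGIT_ROUTES = [
    ("203.0.112.0/22", LEGIT_ORIGIN),
    ("203.0.113.0/24", LEGIT_ORIGIN),
]
HIJACK = ("203.0.113.1/32", ROGUE_ORIGIN)   # the /32 more-specific from the broken-into router


def best_route(dst, routes):
    """Longest-prefix match as a router's FIB does it: among all covering prefixes the
    most specific wins, whatever its origin AS. Returns (prefix, origin) or None."""
    addr = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in routes
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda item: item[0].prefixlen)
    return str(net), asn


def more_specific_alarms(routes, expected_origin):
    """Detection heuristic (assumed, not from the page): flag any route that is a
    more-specific of a prefix originated by expected_origin but carries another
    origin AS. Returns [(more_specific, its_origin, closest_covering_prefix), ...]."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    ours = [n for n, asn in nets if asn == expected_origin]
    alarms = []
    for net, asn in nets:
        if asn == expected_origin:
            continue
        parents = [p for p in ours if net != p and net.subnet_of(p)]
        if parents:
            closest = max(parents, key=lambda p: p.prefixlen)
            alarms.append((str(net), asn, str(closest)))
    return alarms


if __name__ == "__main__":
    print("before hijack:", best_route(WEB_SERVER, LEGIT_ROUTES))
    print("after hijack: ", best_route(WEB_SERVER, LEGIT_ROUTES + [HIJACK]))
    print("alarms:", more_specific_alarms(LEGIT_ROUTES + [HIJACK], LEGIT_ORIGIN))
```

The point the first function makes is that nothing in the forwarding decision looks at who originated the /32; only a filter applied before the route reaches the table (the ingress policies and origin validation later in the deck) can keep it out. The second function is the kind of check a monitoring system runs against its own prefixes.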
What Could Be Worse?
Global Telecoms
• The Miscreant Economy Trades violated “BGP Speaking” routers. Get 20 in different parts of the Internet.
• Take each, pick your targets, and start disaggregating.
• THE INTERNET & TELECOM HAVE MERGED!
• BGP Hijacks are LIFE THREATENING!
What is a prefix hijack? – Global Telecoms
[Figure: more prefixes, more communities, more AS paths, more activity (flapping, changes, etc.) → more memory, more FIB capacity, more RP processing.]
• Today’s network is all of Telecom + Internet. It is all one technological base … all interconnected with BGP & DNS
• Our Neighbors are global! A business on one side of the planet will force you into OPEX and CAPEX expenditure!
Google Route Leak – 2017-08-25
Large BGP Leak by Google Disrupts Internet in Japan: https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
BGP leak causing Internet outages in Japan and beyond: https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/
Amazon Route 53 – MyEtherWallet – 2018-04-24 (Maybe?)
BGP Hijack of Amazon DNS to Steal Crypto Currency: https://dyn.com/blog/bgp-hijack-of-amazon-dns-to-steal-crypto-currency/
AWS DNS network hijack turns MyEtherWallet into Thieves EtherWallet: https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/
• The AS 10297 upstreams (NTT, Cogent, Level3) & Equinix route server blocked the hijack attack
• Some peers of AS 10297 (Google, Hurricane Electric, BBOI, others) accepted the hijack
• Hijack impact was limited thanks to BGP Filters
DPSTL Brazil (AS 26786) – 2018-04-26
BGP hijacks - Malicious or Mistakes? https://radar.qrator.net/blog/bgp-hijacks-malicious-or-mistakes
ElCAT (AS 8449) – Kyrgyzstan – 2018-05-04
The Day the Internet Survived: https://radar.qrator.net/blog/the-day-the-internet-survived
Mistakes with Route Leaks will have National Consequences.
Intentional Hijacks are Worse.
BGP Hijacking - Wide Motivations
● Hijacking for Cryptocurrency Theft (since 2013)
● Hijacking for SPAM
● Hijacking for Censorship
● Hijacking for Nation State Attacks
● Hijacking “just for the fun of it.”
BGP Security
Example from Blackhat - Entire Conference was Hijacked with a MITM to illustrate the risk and the “security professionals” had zero clue what was going on!!!
How can I reduce the risk?
BGP Hijack Minimization
• DNS Security: High Resilience aDNS; DNSSEC; driving for rDNS deployments that support DNSSEC.
• Web & Application Security: Complete the move to HTTPS (TLS); Deployment Resilience Horizontally & Vertically.
Minimizing the BGP Hijack Risk
• BGP BCPs and Peering Circles of BGP BCPs
• Internal and External Monitor Tools
• BGP EXPERTISE
• Partner with Peers who align with your BGP Resilience Agenda
• Invest in Rapid Response to BGP Hijacking
New Thinking with Today’s BGP Security: LAYERED BGP SECURITY
• MANRS+ Global Campaign to Expand the PeerLock++ Circles
• PeerLock++ Agreements with all Direct Peers - One ASN Deep
• BGP Peering BCPs: Do all the ingress/egress policies
• RPKI Origin Validation for BGP updates
What each layer addresses:
• Targeted Hijacks: builds Circles of Trust, pushing to Customers
• Nation State: the approach minimizes Global Risk
• Leak Instabilities: minimizes normal human error
Principle of Guarded Trust
• SP A trusts SP B to send X prefixes from the Global Internet Route Table.
• SP B creates an egress filter to ensure only X prefixes are sent to SP A.
• SP A creates a mirror-image ingress filter to ensure SP B only sends X prefixes.
• SP A’s ingress filter reinforces SP B’s egress filter.
[Figure: ISP A and ISP B exchange prefixes; SP B’s Egress Filter and SP A’s Ingress Filter sit on the same link.]
Explicit Deny BGP Ingress/Egress
• All BGP sessions need explicit DENY ALL filters as a default.
• Explicit-deny filtering logic blocks everything and only permits specifics through the filter.
[Figure: ISP A and ISP B exchange prefixes through an Ingress Filter (Deny with Exceptions) and an Egress Filter (Deny with Exceptions).]
BGP Ingress Policy Checklist
1. Dynamic maximum prefix settings
2. Reject Bogon & RIR minimum prefixes (RFC1918, etc.)
3. Reject Bogon ASNs (AS0 / AS23456, etc.)
4. Reject IXP prefixes (some IXP subnets)
5. Reject leakage with the Peer Lock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply features (blackholing, traffic engineering, etc., only for customers)
[Figure: Peer/Transit – Operator – Customer (downstream); each BGP session carries prefixes through a Prefix Filter.]
BGP Egress Policy Checklist
1. Reject Bogon & RIR minimum prefixes
2. remove-private-AS
3. Reject “bad” routes (RTBH, Sinkholes, Shunts)
4. Accept peer routes (on customer sessions)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal BGP communities
8. Set next-hop-self
9. Normalize BGP MED
[Figure: Peer/Transit – Operator – Customer (downstream); each BGP session carries prefixes through a Prefix Filter.]
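The guarded-trust and explicit-deny principle and the two checklists can be modelled as code. What follows is an added Python example (not material from the slides, and not any operator's real policy): an `ingress` and an `egress` function that each start from deny-all and only let a route through when every numbered step permits it. The prefixes (RFC 5737 space), the ASNs (taken from the diagram labels), community values such as `100:666`, the `leaks` hook for step 5, the IRR whitelist and the `PREPEND` table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed policy data for illustration only. ASNs follow the page's diagram
# labels; prefixes are RFC 5737 documentation space, so the bogon list below is
# trimmed to keep those usable (a production list would include them).
MY_ASN, CUSTOMER_ASN, PEER_ASN = 100, 300, 200
MY_NEXT_HOP = "198.51.100.1"                             # this router's session address
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
IXP_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]     # constructed IXP peering LAN
RIR_MIN_LEN = 24                                         # longest prefix in the global table
BOGON_ASN_RANGES = ((0, 0), (23456, 23456), (64496, 131071), (4200000000, 4294967295))
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
IRR_WHITELIST = {CUSTOMER_ASN: [ipaddress.ip_network("203.0.113.0/24")]}
PREPEND = {"203.0.113.0/24": 2}                          # prepends the customer asked for
CUSTOMER_TAG, PEER_TAG = f"{MY_ASN}:1", f"{MY_ASN}:2"    # internally significant communities
RTBH_TAG, SINKHOLE_TAG = f"{MY_ASN}:666", f"{MY_ASN}:667"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                  # left-most AS is the neighbour, right-most the origin
    communities: frozenset = frozenset()
    next_hop: str = ""
    med: int = 0


def in_ranges(asn, ranges):
    return any(lo <= asn <= hi for lo, hi in ranges)


def ingress(route, session, neighbor_asn, max_prefixes, accepted_so_far,
            leaks=lambda path: False):
    """Explicit-deny ingress for a 'customer' or 'peer' session. Returns
    (route_or_None, reason); steps are numbered as on the page's ingress checklist.
    max_prefixes is the per-session limit tuned to what the neighbour should send;
    `leaks` is a pluggable AS-path predicate (the Peer Lock check belongs there)."""
    net = ipaddress.ip_network(route.prefix)
    rtbh = session == "customer" and RTBH_TAG in route.communities and net.prefixlen == 32
    if accepted_so_far >= max_prefixes:                                   # 1. max-prefix
        return None, "max-prefix exceeded"
    if (net.prefixlen > RIR_MIN_LEN and not rtbh) or any(net.subnet_of(b) for b in BOGON_PREFIXES):
        return None, "bogon or too-specific prefix"                        # 2.
    if any(in_ranges(a, BOGON_ASN_RANGES) for a in route.as_path):         # 3.
        return None, "bogon ASN in path"
    if any(net.subnet_of(x) for x in IXP_PREFIXES):                        # 4.
        return None, "IXP prefix"
    if leaks(route.as_path):                                               # 5.
        return None, "route leak"
    if session == "customer":                                              # 6. IRR whitelist
        if not any(net.subnet_of(w) for w in IRR_WHITELIST.get(neighbor_asn, [])):
            return None, "not in IRR whitelist"
    comms = {c for c in route.communities if not c.startswith(f"{MY_ASN}:")}  # 8. scrub first
    comms.add(CUSTOMER_TAG if session == "customer" else PEER_TAG)          # 7. mark
    if rtbh:                                                               # 9. blackhole feature
        comms.add(RTBH_TAG)
    return replace(route, communities=frozenset(comms)), "accepted"


def egress(route, session):
    """Explicit-deny egress towards a 'customer', 'peer' or 'transit' session.
    Returns (route_or_None, reason); steps numbered as on the egress checklist."""
    net = ipaddress.ip_network(route.prefix)
    if net.prefixlen > RIR_MIN_LEN or any(net.subnet_of(b) for b in BOGON_PREFIXES):
        return None, "bogon or too-specific prefix"                        # 1.
    if route.communities & {RTBH_TAG, SINKHOLE_TAG}:                        # 3. "bad" routes
        return None, "RTBH/sinkhole route stays inside"
    if PEER_TAG in route.communities and session != "customer":            # 4. peer routes
        return None, "peer route only exported to customers"
    if not route.communities & {CUSTOMER_TAG, PEER_TAG}:                    # 5. customer routes
        return None, "unclassified route"
    path = tuple(a for a in route.as_path if not in_ranges(a, PRIVATE_ASN_RANGES))  # 2.
    prepends = PREPEND.get(route.prefix, 0) if session != "customer" else 0        # 6.
    path = (MY_ASN,) * (1 + prepends) + path
    comms = frozenset(c for c in route.communities if not c.startswith(f"{MY_ASN}:"))  # 7.
    return replace(route, as_path=path, communities=comms,
                   next_hop=MY_NEXT_HOP, med=0), "sent"                    # 8. + 9.
```

Two design points worth noticing: the scrub of `100:*` communities happens before the route is marked, so a neighbour cannot pre-tag its route as a peer or customer route, and the egress side relies on those marks, which is what makes "customer routes everywhere, peer routes only to customers" enforceable. The RTBH /32 is the one place the minimum-length rule is relaxed, and only for customers and only inside their whitelist.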
The Control Plane Protection Essentials
• Mutually Agreed Norms for Routing Security (MANRS): https://www.routingmanifesto.org/manrs/
• There are core control plane protection essentials which are the foundation for Internet security and stability. The Operators Security Toolkit provides the clues for effective BGP Security: http://www.senki.org/operators-security-toolkit/
Reality Check: The majority of ISPs, Telcos, Mobile Operators, and other Operators are not doing the essentials of BGP Security. That is why it is so easy to execute BGP Hijacks!
MANRS Actions
ADD MANRS Compliance to your Operator’s Internet Services Contract!
Take the MANRS Tutorial
• The Internet Society & the Operator’s Best Common Operational Practice (BCOP) Community have created an online MANRS Tutorial: https://www.internetsociety.org/tutorials/manrs/
BGP Monitoring
Any organization that peers with BGP must set up appropriate BGP Monitoring.
BGP Peer Lock
Peer Lock is a peering technique used to lock down “known” peering relationships from all of your peers.
We know PCCW is not an upstream for AT&T. We know AT&T is not an upstream for PCCW.
We know that AS_PATH 2914_3491_7018 would be garbage! (NTT_PCCW_AT&T)
Working with your peers, you can build AS path filters which whitelist KNOWN GOOD BEHAVIOR.
BGP Peer Lock – Simple Default Free Rule
WIKIPEDIA defines the largest DEFAULT FREE backbones: https://en.wikipedia.org/wiki/Tier_1_network#L
Use that to deploy a filter that would block anyone claiming to be “transit” for the big backbones.
! as-path access-list 99 matches any path that contains one of the default-free ASNs
ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
!
route-map ebgp-customer-in deny 1
 match as-path 99
! without later permit sequences this route-map drops every customer route
[Figure: NTT2419 with direct Peers A, B, C, D and E.]
Peer Lock Path Logic for Peer A:
OK: ^A_
OK: ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_
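The two rules on these slides, the default-free AS-path filter and the per-peer lock, can be checked against sample AS paths. The following Python is an added example (not the slides' material, and the lock declarations are constructed from the figure's letter labels, not real peering data): `customer_in_allows` is the IOS `access-list 99` / `deny 1` logic translated to a Python regex, and `peer_lock_allows` implements the path logic shown for Peer A, one ASN deep, with lock declarations that chain to show how the realm expands when Peer B adds Z and M.

```python
import re

# Default-free (Tier-1) ASNs exactly as listed in the page's as-path access-list 99.
DEFAULT_FREE_ASNS = (174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356,
                     3549, 5511, 6453, 6461, 6762, 7018, 12956)

# IOS as-path regex "_(174|...|12956)_" translated to Python: "_" in IOS matches the
# start or end of the path or a separator, so it becomes (^| ) and ( |$) here.
TIER1_ANYWHERE = re.compile(r"(?:^| )(?:%s)(?: |$)" % "|".join(map(str, DEFAULT_FREE_ASNS)))


def path_str(path):
    """Render an AS path the way a router prints it: left-most AS is the neighbour."""
    return " ".join(map(str, path))


def customer_in_allows(path):
    """The page's simple default-free rule: 'route-map ebgp-customer-in deny 1' with
    'match as-path 99'. A customer presenting any Tier-1 ASN in its path is denied,
    because no customer is transit for those backbones."""
    return TIER1_ANYWHERE.search(path_str(path)) is None


def peer_lock_allows(path, locks):
    """Peer Lock, one ASN deep: for every AS in the path that has told us who its
    upstreams are (locks[asn] = set of allowed upstream ASNs), the AS immediately to
    its left must be one of them. Locks declared by those upstreams chain the check
    further along the path, which is how the 'realm' expands."""
    for i, asn in enumerate(path):
        if asn in locks and i > 0 and path[i - 1] not in locks[asn]:
            return False
    return True


# Constructed lock declarations using the diagram's labels (assumed, not real data):
# Peer A says only B may sit in front of it; later B adds Z and M as its upstreams.
LOCKS_ONE_DEEP = {"A": {"B"}}
LOCKS_EXPANDED = {"A": {"B"}, "B": {"Z", "M"}}

if __name__ == "__main__":
    for p in (("A",), ("B", "A"), ("C", "A"), ("D", "A")):
        print("^%s_" % "_".join(p), "OK" if peer_lock_allows(p, LOCKS_ONE_DEEP) else "NOT OK")
```

Note what "one ASN deep" buys and what it does not: with only Peer A's declaration, the path C_B_A passes, because A only vouches for the AS directly in front of it; once B declares its own upstreams the same path is rejected, without A having to know anything about C.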
BGP Peer Lock’s Expanding Trust
[Figure: the same NTT2419 / Peers A–E topology, with paths labelled Normal Peering, Backup Path, Route Leak and Hijack.]
BGP Peer Lock’s Expanding Trust Deeper
[Figure: Peer B adds Peers Z and M; paths labelled Normal Peering, Route Leak and Hijack.]
Peer B expands Peer Lock with Z and M.
The “Peer Lock” realm has now expanded to five Operators.
BGP RPKI Origin Validation
BGPSEC & RPKI will register all IPv4 and IPv6 routes in an RPKI Repository.
Operators can then set up their network to validate the routes they receive to ensure the customer, peer, or transit is authorized to send the route.
BGPSEC Operational Roll Out (2019-2020)
The first RPKI BGP Route Origin Validation deployments have started!
BGPSEC is not a theory now. We’re gaining Operational Experience where real customers would be impacted if it does not work.
[Figure: Trust Anchors, ROAs, Filters, Whitelist, Router, Ignore.]
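What the router does with the ROAs is a small, well-defined check. Here is an added Python example (not from the slides, not any validator's code) of RFC 6811 Route Origin Validation over a constructed set of ROAs, followed by the policy decision a router would apply to a received route. The ROAs, the prefixes (RFC 5737 space) and the ASNs (from the diagram labels) are assumptions; the AS_SET handling in `rov_policy` is a simplification chosen for the example.

```python
import ipaddress

# Constructed ROAs, as a validating cache would hand them to the router
# (prefix, maxLength, origin ASN). Documentation space and the page's diagram
# ASNs; these are assumptions for illustration, not real RPKI data.
ROAS = [
    {"prefix": "203.0.113.0/24", "max_length": 24, "asn": 100},   # AS 100's web prefix
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 200},  # AS 200 may split to /24s
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 0},       # AS0 ROA: nobody may originate
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 Route Origin Validation. 'valid' if some covering ROA names this
    origin and permits this length; 'invalid' if covering ROAs exist but none match;
    'not-found' if no ROA covers the prefix at all. AS 0 never validates an origin."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa["asn"] == origin_asn and origin_asn != 0 and net.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid" if covered else "not-found"


def rov_policy(prefix, as_path, roas=ROAS):
    """Apply the result to a received route: drop invalids, keep valids, and keep
    not-found routes (most of today's table is still unregistered) but report the
    state so it can be logged or given a lower preference. The origin is the
    right-most AS of the path; an AS_SET origin is treated here as unverifiable
    and rejected (a simplification for this example)."""
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return "reject", "no single origin AS"
    state = validate_origin(prefix, as_path[-1], roas)
    if state == "invalid":
        return "reject", state
    return "accept", state


if __name__ == "__main__":
    # The diagram's hijack: a /32 more-specific of AS 100's prefix from another origin.
    print(rov_policy("203.0.113.1/32", (400, 500)))
    print(rov_policy("203.0.113.0/24", (300, 100)))
```

The example also shows why `maxLength` matters: a /25 of 203.0.113.0/24 is Invalid even when AS 100 itself originates it, which is exactly the property that stops the diagram's more-specific hijack, and why the page pairs registration ("register your routes") with validation ("ask your peers and operator to register").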
You Can Take Action! BGP Hijack Resistance is not hard!
• Know the Risk!
• Walk through how your organization will be impacted.
• Start Action
• Meet with your Internet/Telecom providers and create a plan of action.
BGP Security Action Checklist: LAYERED BGP SECURITY
• MANRS+ Global Campaign to Expand the Peer Lock++ Circles
• Peer Lock++ Agreements with all Direct Peers - One ASN Deep
• BGP Peering BCPs: Do all the ingress/egress policies
• RPKI Origin Validation for BGP updates
1. Deploy Essentials BGP BCP w/ MANRS: Get the basics done first.
2. Upgrade your Peering Agreement: Builds Circles of Trust – asking your peers and your Operators what they are doing.
3. Start the RPKI Process: Register your routes. Ask your Peers and Operator to Register.
Questions?
Next Steps – Use the BGP Resiliency Guides
“How to secure BGP” is publicly available all over the Internet. Two sources to start:
• MANRS – https://www.routingmanifesto.org
• SENKI - BGP Route Hijack – What can be done Today: http://www.senki.org/operators-security-toolkit/bgp-route-hijack/