BORDER GATEWAY PROTOCOL - Europa · BORDER GATEWAY PROTOCOL. 3 Chapter 1 BGP has serious security...

7 STEPS TO SHORE UP BGP



BORDER GATEWAY PROTOCOL


Chapter 1

BGP has serious security vulnerabilities

• No authentication or protection of integrity of messages

• No verification of the authority to announce routes

• This allows internet traffic hijacking

BGP hijacks continue to happen

• January 2019 hijack of prefixes of the US energy regulator, by China Telecom

• November 2018 hijack of US domestic internet traffic, via Russia, into China

• April 2018 hijack of Amazon EC2 traffic to steal Ethereum bitcoins

• December 2017 hijack of internet traffic to US websites, into Russia

BGP SECURITY


Survey across the EU telecom sector

64 responses from experts working at providers

ENISA BGP SECURITY SURVEY

[Chart] In your experience, what is the impact of BGP incidents? Legend: major impact, medium impact, small impact. Values shown: 45%, 30%, 25%.


BASIC, EFFICIENT, EFFECTIVE MEASURES

1. BGP Monitoring and routing anomaly detection

2. BGP coordination:

• Describe and publish your policy using RPSL

• Partake in registers like PeeringDB

3. Prefix filtering

4. BGP AS Path filtering

5. Bogon filtering

6. TTL Security (GTSM)

7. RPKI

RECOMMENDATIONS: 7 STEPS
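
Steps 5 and 7 from the list above, sketched as an added example (not part of the ENISA slides): a route import check that drops bogon prefixes and then applies RPKI route origin validation in the RFC 6811 sense (valid, invalid, not-found). The bogon list, ROAs, prefixes and AS numbers are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Abbreviated bogon list (constructed for this example). The documentation
# ranges are left out on purpose so they can serve as sample routes below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "fc00::/7", "fe80::/10")]

# Constructed ROAs: (prefix, maxLength, authorised origin AS).
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

def covers(outer, inner):
    """True if `inner` is equal to or more specific than `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)

def check_route(prefix, origin_as):
    """Return 'bogon', 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    if any(covers(b, net) for b in BOGONS):
        return "bogon"
    covering = [r for r in ROAS if covers(r[0], net)]
    if not covering:
        return "not-found"          # no ROA covers the prefix
    for _roa_prefix, max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"          # a ROA matches both origin and length
    return "invalid"                # covered, but no ROA matches

def import_policy(prefix, origin_as):
    """Accept unless the route is a bogon or RPKI-invalid."""
    return check_route(prefix, origin_as) in ("valid", "not-found")

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS).
    for prefix, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64501),
                        ("203.0.113.128/25", 64500), ("198.51.100.0/24", 64502),
                        ("10.1.0.0/16", 64500), ("2001:db8:1::/48", 64496)]:
        print(prefix, asn, check_route(prefix, asn), import_policy(prefix, asn))
```

The wrong-origin and too-specific announcements for 203.0.113.0/24 both come back invalid; these are the cases that origin validation rejects and that a bogon filter alone would accept.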


BGP CHECKLIST FOR NRAS

CHECKLIST

General Information

Provider name | Hint: company name

Contact point | Hint: contact name, email for further questions on this

AS | Hint: Yes, please specify the AS number, or N/A if no AS; in that case skip the rest of this form

BGP Security measure | Implementation status | Explanation

1. BGP Monitoring & Routing Anomaly Detection | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

2. BGP Coordination | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

3. Prefix Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

4. BGP AS Path Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

5. Bogon Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

6. TTL Security (GTSM) | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.

7. RPKI | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.


Annual telecom security incidents report 2018

• https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/visual-tool

• Already contains data for 2018

SS7 cheatsheet

Preparing for the EECC

• New providers, new landscape, new threats, new industry practices

• How does security supervision work?

Power outages and telecoms

ENISA mailing lists for the sector (providers and infra)

ENISA TELECOM SECURITY WORK IN 2019


CONTACT US

[email protected]

+30 28 14 40 9711

[email protected]

www.enisa.europe.eu