BGP is the core routing protocol of the Internet and yet it appears that BGP's trusting nature allows attackers to intercept Internet traffic. The problem has been known for a long time so why hasn't it been fixed? Michael Kassner answers that and points out a new twist.
At this year's DefCon, security researchers Anton Kapela (data center and network director at 5Nines Data) and Alex Pilosov (CEO of Pilosoft) explained Border Gateway Protocol (BGP) eavesdropping, which is the new and improved method of BGP redirection. BGP eavesdropping is shaping up to be as much of a concern as Dan Kaminsky's bug that I wrote about in "DNS: The Internet Dodged a Bullet, Thankfully."
How BGP works
BGP is a "behind-the-scene" protocol in the realm of ISP routers. We all know the Internet is one huge interconnected network, and BGP routing is the method whereby interconnected routers know how and where to send Internet traffic. Routers that are a single hop from each other are called BGP neighbors. BGP neighbors exchange routing information as soon as there's an active network connection between the routers. If any changes occur to its BGP routing table, the router automatically sends the changes to all its neighbors. The BGP neighbor concept is a big part of why the Internet is a very resilient mesh network.
Since the Internet is a mesh network, there will always be multiple entries for each route. So how does the router know which neighbor to pick? First, each BGP entry has several attributes that measure different properties of the route. Then an algorithm selects the best route from these attributes. Some attributes are weight, local preference, origin, and AS_path (remember this one). Not quite done yet, BGP checks one more parameter and it's an important one, especially since this parameter is the fundamental design flaw that allows BGP eavesdropping.
In order to find the best route, BGP considers the granularity of each advertised network. For example, say that a router is looking for IP address 10.10.10.25. Looking into its BGP routing table, the router finds a route entry advertising the 1o.xxx.xxx.xxx network. The router also finds another entry advertising the 1o.10.xxx.xxx network. Since the 10.10.xxx.xxx network is a better match, the router will choose that entry, sending the packets to the router advertising the 10.10.xxx.xxx network. Each router along the path repeats this process until the Internet traffic reaches its destination.
Needless to say, BGP can be complicated. It might be best to step through the process by using an example; let's say I want to go to www.techrepublic.com:
- I type www.techrepublic.com in the Web browser's address bar and click OK.
- Through the magic of DNS, my Web browser now knows the IP address of www.techrepublic.com and sends a Web page query to my ISP's gateway router.
- The gateway router then checks its BGP routing table for the best route.
- Through the BGP selection process, the gateway router selects the best route and forwards the query onto that router. This discovery process occurs at each router along the path until the query reaches www.techrepublic.com.
BGP design flaw
Now that we have a good idea of how BGP works, I'd like to check out the design flaw that allows BGP redirection and eavesdropping. Basically, BGP trusts routing information from BGP neighbors entirely too much. The router just assumes that the BGP routing entry is correct and sends the packets on their way.
An attacker makes use of this unbridled trust in order to carry out a BGP redirection attack. All the eavesdropper needs to do is advertise network addresses that are more granular (closer to the real IP address, use 10.10.25.xxx for example) than the ones offered by official BGP neighbors. After the false BGP entries have propagated, it wouldn't take very long before redirected traffic begins flowing to the attacker's network.
Redirecting BGP traffic isn't new, in fact many of you may remember the YouTube outage that occurred this past February. That outage was the result of an accidental BGP redirection by an ISP in Pakistan. If you need a refresher (I did), InfoWorld's article "YouTube Outage Underscores Big Internet Problem" is where to go. In addition, exact details and interactive display are available at the RIPE (Reseaux IP Europeens) NCC Web site.Autonomous System routers
If you went to the RIPE Web site, you may have noticed router designators like AS17557. Autonomous System Numbers (ASN) are assigned to each Autonomous System (AS) to uniquely identify it. To avoid getting in over my head, let's just say that an AS is a collection of IP routing information controlled by a single entity. With that entity being responsible for propagating BGP routes to all the routers it services.
It's very obvious when BGP redirection is taking place, and that's not what the malevolent types want. To explain using the YouTube example, once the BGP routing changes made by the Pakistani ISP propagated, YouTube's Web site became inaccessible and raised all sorts of flags.
Kapela and Pilosov have found a way to make Internet users none the wiser to a redirection attack. They innovatively added a second redirection, which changes the process to a Man-in-the-Middle (MitM) attack vector called BGP eavesdropping. Experts knew this was theoretically possible, but apparently, it's never been demonstrated until DefCon 2008.
Kapela and Pilosov really impressed me by how they were able to add the second redirection, as it's not an intuitive process. To prove that, I'd like to recap exactly what's happening. First, the attack router is deceitfully advertising itself as the best route to the original destination network. Because of how BGP works, we know that the wrong routing information has propagated to all the attack router's BGP neighbors. With all attack router's BGP neighbors now pointing at the attack router as the best route, any traffic the attack router tries to forward to the original destination network (through the BGP neighbors) would be sent back by the BGP neighbors. Now, that's a problem, but here comes the cool part.
AS path prepending
Pilosov and Kapela bypass this problem by using AS-path prepending. Path prepending uses the AS_path attribute I mentioned earlier. In a roundabout way, adjusting the AS_path attribute value forces selected AS routers to reject the attack router's deceptive BGP entry. The attacker then forwards the Internet traffic to that specific BGP neighbor. From that point on, the Internet traffic uses the normal BGP routing process until it reaches the original destination.What does this mean?
There's precious little evidence that BGP eavesdropping is going on. Route tracing is one way of determining if something is not quite right, but it's difficult to pinpoint the anomaly. To be safe, we need to consider this a MitM attack and use the same mitigating techniques, which for now would amount to VPNs.
Several interim solutions are being proposed to rectify the design flaw. Allowing only authorized BGP neighbors is one solution, but it's labor intensive, and if one ISP declines to use it, the whole system breaks. Another solution would be to use signed certificates, which would authenticate BGP neighbors to each other, but that applies only for the first hop.
One solution that will solve the design flaw is Secure BGP (S-BGP). The following quote is from their Web site and explains how S-BGP works:
"The S-BGP architecture employs three security mechanisms:
First, a Public Key Infrastructure (PKI) is used to support the authentication of ownership of IP address blocks, ownership of Autonomous System (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS.
Second, a new, optional, BGP transitive path attribute is employed to carry digital signatures covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to verify the address prefixes and path information that it contains.
Third, IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic."
S-BGP sounds great, but most existing routers don't have enough memory or processing power to handle the additional workload. For more detail on S-BGP and alternative solutions, Wired has a good article, "Revealed: The Internet's Biggest Security Hole."Final thoughts
It becomes very apparent that the original Internet developers lived in a time when workability and trust, not security, were the order of the day. Both Kaminsky's bug and BGP eavesdropping are perfect examples of that. I'm not sure what that all means, but I will remain optimistic.
That aside, BGP eavesdropping is going to be hard to fix, simply because of cost and overhead. I'm pretty certain that ISPs aren't going to jump on the bandwagon, unless pushed by us users.