NETWORKING

02/26/2015 8:00 AM

BGP Security: No Quick Fix

The routing protocol is plagued by multiple security vulnerabilities, which attackers are exploiting. However, securing BGP is no small feat.

Border Gateway Protocol (BGP), which is the routing protocol different networks use to find communication paths to each other, was not designed with security in mind. It has security vulnerabilities that nefarious individuals and governments can and do exploit, causing varying degrees of damage.

The BGP performance failures you often hear about are fairly simple issues to address. For instance, a BGP routing table overflow last year got widespread attention because it impacted users of companies and services such as eBay, Facebook, LinkedIn, and Comcast. However, BGP security failures are not so easy to tackle, with malicious attacks increasing and causing issues across the world.

Let's look at how attackers are exploiting BGP vulnerabilities, industry efforts to address the flaws, and why those efforts have fallen short, as well as other technologies that can help improve BGP security.

BGP attacks

One type of BGP attack is route hijacking, caused by someone using BGP to announce illegitimate routes. This easily disrupts the Internet by causing cyberattacks, shutting down services, or creating reliability issues. One use of hijacking is to block social media sites. In early 2014, for example, Turkish service providers hijacked Google’s DNS servers to prevent citizens from accessing social media sites. 

In another high-profile attack, Pakistani service providers -- complying with government wishes to block YouTube -- injected a BGP route for YouTube that directed its traffic to nowhere. When this route inexplicably leaked outside of Pakistan, service providers across the Internet carried it and caused YouTube’s removal from the Internet. 

Recently, a new kind of BGP route hijack attack has come to the fore: a man-in-the-middle attack. In this type of attack, traffic is diverted, giving criminals access to it before it goes to its final destination. Just this year, researchers at Dell SecureWorks uncovered multiple man-in-the-middle BGP attacks used to steal bitcoins. The thief earned about $83,000 in profits in more than four months, compromising 51 networks from 19 different ISPs.

According to The Washington Post, Internet monitoring company Renesys says man-in-the-middle attacks began surfacing in 2013. In February 2013, traffic from major financial institutions, governments, and network service providers was diverted from its usual paths and went through Belarus before it was sent back through to the normal destinations.

In another case, all traffic between Europe and North America was rerouted through a service provider in Iceland. The culprits probably carefully crafted this so that the additional delays created little to no performance degradation. The victims of man-in-the-middle attacks may never realize that their traffic was diverted.

More worrisome still is that malicious attacks are becoming more widespread. A 2014 study by Andrei Robachevsky of the Internet Society found that at least 10% of routing incidents are real threats. There are a few malicious attacks every month. 

Securing BGP

What can be done to thwart these attacks? The Internet Engineering Task Force (IETF) has undertaken two efforts to fix BGP security issues over the years, RPSL and SIDR, but both have problems that have impeded their success.

RPSL

In 1995, the IETF formed the Routing Policy System Working Group, which in turn standardized a language called Routing Policy Specification Language (RPSL), and a security model (RP-SEC).

RPSL works by having network operators -- both service providers and enterprises -- register their authorized routes (by a chain of trust starting from the Internet Assigned Numbers Authority) along with the neighbor autonomous systems that receive these routes. The security credentials (authentication and authorization) are checked at the time of registration. The working group participants then wrote a tool that read these validated policy specifications and generated router configurations that would be immune to these kinds of attacks.

Unfortunately, RPSL adoption has been low for two reasons. One, policy registrations had to reach a critical mass to get the full benefit of the system; early adopters do not benefit much.

Two, operators need to configure their routers from these policy specifications to filter routes from their customers and maybe even from their peers. This poses an operational hardship, because routing policies change constantly due to the high number of policy objects needed to represent all BGP routes and autonomous systems. Also, these changes are made during maintenance windows, which typically are scheduled a few times a week. This leaves windows when new policies are not enacted, which can result in poor routing performance. As a result, few service providers in the U.S. adopted the system; adoption was more widespread in Europe.
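The tool described above turns registry data into router filters. The following is an added example, not the working group's tool or any code from the article: it parses a constructed RPSL registry snippet (route objects with `route:` and `origin:` attributes), collects the prefixes each origin AS has registered, and renders an IOS-style prefix-list that admits only those prefixes from that neighbor. The AS numbers, prefixes, maintainer names and list-name convention are all constructed for the example.

```python
"""Turn RPSL route objects into a per-neighbor prefix filter.

Added example, not the article's or the IETF working group's code.
The registry text, AS numbers and prefixes below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed RPSL snippet in the object/attribute layout used by IRR
# databases: objects are separated by blank lines, each line is "attr: value".
IRR_DUMP = """\
route:    192.0.2.0/24
descr:    Example customer block
origin:   AS64496
mnt-by:   MAINT-EXAMPLE

route:    198.51.100.0/23
origin:   AS64496
mnt-by:   MAINT-EXAMPLE

route:    203.0.113.0/24
origin:   AS64497
mnt-by:   MAINT-OTHER

aut-num:  AS64496
as-name:  EXAMPLE-CUSTOMER
"""


def parse_rpsl_objects(text):
    """Yield each RPSL object as a dict of attribute -> value.

    Only the first value of a repeated attribute is kept, which is enough
    for route objects (one "route" and one "origin" each).
    """
    obj = {}
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
                obj = {}
            continue
        attr, _, value = line.partition(":")
        obj.setdefault(attr.strip().lower(), value.strip())
    if obj:
        yield obj


def registered_routes(text):
    """Map origin AS -> set of prefixes registered in route objects."""
    routes = defaultdict(set)
    for obj in parse_rpsl_objects(text):
        if "route" in obj and "origin" in obj:
            routes[obj["origin"].upper()].add(ipaddress.ip_network(obj["route"]))
    return routes


def prefix_list_config(asn, routes, name=None):
    """Render an IOS-style prefix-list permitting exactly the registered
    prefixes of `asn` and denying everything else.

    "ip prefix-list NAME seq N permit P" is the common IOS syntax; the
    FROM-<asn> list name is a constructed convention.
    """
    name = name or f"FROM-{asn}"
    lines, seq = [], 5
    for prefix in sorted(routes.get(asn, ()), key=lambda p: (p.version, p)):
        lines.append(f"ip prefix-list {name} seq {seq} permit {prefix}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)


def accept_announcement(asn, prefix, routes):
    """True if neighbor `asn` registered exactly `prefix`.

    Exact matching is what the generated prefix-list enforces: a
    more-specific of a registered block is rejected unless it was
    registered itself, so a neighbor cannot push an unregistered
    sub-block into the provider's table.
    """
    return ipaddress.ip_network(prefix) in routes.get(asn.upper(), set())


if __name__ == "__main__":
    routes = registered_routes(IRR_DUMP)
    print(prefix_list_config("AS64496", routes))
    for asn, pfx in [("AS64496", "192.0.2.0/24"),
                     ("AS64496", "192.0.2.0/25"),
                     ("AS64496", "203.0.113.0/24")]:
        verdict = "accept" if accept_announcement(asn, pfx, routes) else "reject"
        print(f"{asn} announces {pfx}: {verdict}")
```

The operational hardship the article describes is visible here: every time a customer registers a new route object, the prefix-list has to be regenerated and pushed to the router, and until that happens the new route is denied.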

SIDR

Another effort, developed by the IETF’s Secure Inter-Domain Routing Working Group (SIDR), can check the security credentials in-band as BGP routes are exchanged (BGPSEC). Regrettably, this technology does not adequately solve the problem for three reasons:

  1. It requires heavy cryptographic computational power that today's routers do not have;
  2. It does not protect against man-in-the-middle BGP route hijack attacks, but only the earlier attacks; and
  3. It does not address the reason why RPSL adoption has been low.

The good news is that networks that use SIDR are better protected: none of their customers can hijack routes. Therefore, a service provider can ensure that at least its customers can always reach each other. With the increase in malicious attacks, now may be the time for more service providers to deploy either RPSL- or SIDR-based systems.
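The hijacks described earlier (a bogus origin announcing someone else's prefix, or a more-specific prefix pulling traffic off its normal path) are what SIDR's RPKI route origin validation (RFC 6811) is built to catch. The following is an added example, not code from the article or from the SIDR working group: it implements the RFC 6811 origin check over a few constructed ROAs and announcements, and also shows the limit the article points at, because an announcement whose path ends in the legitimate origin AS passes origin validation no matter who actually inserted it. All ROAs, prefixes and AS numbers are constructed.

```python
"""Route origin validation (RFC 6811) against a set of ROAs.

Added example, not the article's or the SIDR working group's code.
ROAs, prefixes and AS numbers are constructed.
"""
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder may announce
    origin_as: int   # AS authorized to originate it


# Constructed ROAs, as a validating cache would hand them to a router.
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not_found' for one announcement.

    not_found: no ROA covers the announced prefix at all
    valid:     a covering ROA names this origin AS and its maxLength
               admits the announced prefix length
    invalid:   ROAs cover the prefix but none matches
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not_found"


def rov_verdict(prefix, as_path, roas):
    """Origin validation only looks at the rightmost AS of the AS_PATH."""
    return validate_origin(prefix, as_path[-1], roas)


def flag_announcements(announcements, roas):
    """Monitoring view: return every (prefix, path, verdict) that is not valid.

    A provider applying this to routes from its customers drops or
    deprioritizes the flagged ones, which is how a SIDR-using network
    keeps its own customers from hijacking each other.
    """
    flagged = []
    for prefix, path in announcements:
        verdict = rov_verdict(prefix, path, roas)
        if verdict != "valid":
            flagged.append((prefix, path, verdict))
    return flagged


# Constructed announcements as (prefix, AS_PATH); the last AS is the origin.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),     # legitimate
    ("192.0.2.0/24", [64500, 64666]),     # wrong origin, YouTube-style
    ("192.0.2.0/25", [64500, 64496]),     # more-specific beyond maxLength
    ("198.51.100.0/24", [64500, 64496]),  # allowed by the /22 ROA's maxLength
    ("203.0.113.0/24", [64500, 64497]),   # nothing registered for it
    ("192.0.2.0/24", [64666, 64496]),     # forged origin at the end of the path:
                                          # passes ROV, which checks origin only
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:18} {path}: {rov_verdict(prefix, path, ROAS)}")
```

The last announcement is the important caveat: origin validation authenticates the origin AS number, not who put it there, so a path that is simply suffixed with the legitimate origin is indistinguishable from the real one. Verifying the path itself is what BGPSEC takes on, at the cryptographic cost the article describes.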

NEXT: Looking to SDN & route analytics for help


Comments

BGP security

The growth in BGP attacks certainly illustrates the urgency of addressing BGP vulnerabilities. SDN is increasingly talked about in the context of security, so its potential to help improve BGP security makes a lot of sense.

Re: BGP security

Marcia,

For sure SDN has enormous potential to solve BGP security issues. However, I was wondering about the potential costs involved in the whole patching procedure and whether the IETF is adequately funded when it comes to solving this issue.

Given the multiple priorities that the IETF has today, I was left wondering whether or not this needed procedure will find adequate funds in place.

I hope my doubts are unfounded.


Re: BGP security

Any outsider can inject believable BGP messages into the communication between BGP peers and thereby inject bogus routing information or break the peer-to-peer connection, and even if SDN takes over the network, the BGP peering mechanism might not change, nor its functionality. I am still curious to find out how SDN would actually help here.

Re: BGP security

Aditshar,

It's good to see that other people also share my doubts regarding this most fascinating and interesting topic going ahead.

I am surprised that more folks haven't raised/looked at this issue closely previously.


Re: BGP security

@aditshar, your concern is valid enough. We do have a number of mechanisms to prevent these types of attacks, and one of them is BGP flow, wherein Listen detects erroneous routes by operating in the data plane of BGP. But relying upon Listen alone is not enough, and an attacker can defeat any data plane solution by impersonating legitimate end-hosts. To mitigate this issue, Whisper operates in the control plane of the BGP system to find false route advertisements.

BGP Security

Agree with this: "Ultimately, we need a permanent solution to secure BGP. Whether it is RPSL or SIDR, we must act with urgency to secure BGP and protect networks from malicious attacks." The problems relating to BGP security are laid out well here. So well, in fact, that it has made me think more about the problem. I knew this was happening, of course, but I did not really let it get into my head that much. Anyway, all of the possible solutions mentioned here have both pros and cons, but there's not one that can be considered a totally complete one. SDN is the strongest, most probable option, but I've read the comments and have to agree with some of them. Is it possible to come up with something that combines a little SDN, some SIDR and route analytics, and so on? Not really sure if that's possible, but maybe doing something like that could help thwart the enemy.

Re: BGP Security: No Quick Fix

Thanks for breaking this down, Cengiz. I've been hearing a lot about man-in-the-middle attacks as one of the "silent killers" of network security for some time now, and it sounds like there's actually quite an iceberg beneath that tip. What's worse, it sounds like infosec pros don't have many options when it comes to securing their own network besides being vigilant - they just have to wait for the standards to come together. Fortunately, we all have some voice in making that happen, but that's not much comfort to the victims in the meantime. It's curious that the secure version(s) of BGP didn't catch on because of the added inconvenience - we don't hear that about, say, https. Do you think it would have been more popular if there had been more awareness of man-in-the-middle and more high-profile BGP incidents at the time of its inception?

It is funny how much those of us even in the industry take the pipes we use every day for granted. Some of the oldest protocols and technologies are still in use, and they weren't designed with modern security and interoperability in mind - not to mention, they weren't designed for an internet this big! Think IPv4 vs IPv6. Many of these problems that need fixing are outside the expertise of even the most seasoned professionals (some of what you're describing here is certainly over my head). One of the attached articles said that the people who caused the Pakistan incident didn't even know that the 'attack' could cause a problem outside of Pakistan! It's most alarming to think that that could be the case. We definitely need to train the next generation of networking pros to understand the old technology of the internet backbone, and be ready to come up with solutions.

Re: BGP Security: No Quick Fix

Good point zerox203 about older protocols and technologies not being designed with security in mind. They're so embedded in our infrastructure that it's a hard problem to fix. Moreover, no one back then could have imagined the level of sophistication of today's cyberattacks.

Thanks everybody for your comments

We need to find an evolutionary solution to the security issues surrounding BGP. BGP has served us very well, from its extreme scaling properties to enabling many network services (e.g. Layer 2 and 3 VPNs). BGP is what makes the Internet an internet! As Sherly below put it nicely, we need to put something together "that combines a little SDN, some SIDR and route analytics"... As Aditshar1 says, SDN alone is not enough, but SDN can ease the pain points of operating these techniques, such as installing a set of validated route origin attestations. Ashu001 is right, the challenge is to find funding. It is hard to justify the cost of the work. Security incidents have a big cost, but it is always looked at as someone else's cost (until of course it is yours). So it will be challenging to find funding for this. When I worked on RPSL, it was funded by the National Science Foundation. I think we may still need government sponsorship for this. Perhaps ISOC can help also.