BGP Route Hijacking - What Can Be Done Today?

Size: px

Start display at page:

Download "BGP Route Hijacking - What Can Be Done Today?"

Luke Potter
5 years ago
Views:

1 BGP Route Hijacking - What Can Be Done Today? Version 1.2 Barry Raveendran Greene Principle Architect Carrier, Enterprise & Security

2 BGP - the Core Protocol that Glues all of the Internet & Telecom depends on trusting your neighbors. Neighbors make mistakes. Some Neighbors abuse. Some violate the Neighbors and violate everyone!

3 Explore the BGP Hijack Risk If this a common risk or unique? + Minimizing the Risk What are people doing to mitigate the Risk of BGP Hijacks

4 How big is the risk? BGP Hijacking

5 BGP Leaks & Hijacks are a daily activity! Akamai sees 5-20 Possible interesting situations a day on our infrastructure. Most are network changes we adapt our infrastructure. Some are route leaks. Infrequently we see suspected malicious BGP hijack. AKAMAI EXPECTS BGP/INTERNET EVENTS, MONITORS IN REAL TIME, & ADAPTS AROUND THE EVENT.

6 What is a prefix hijack? AS 500 All Web traffic forwards to the /32 more specific. X W D AS 300 C E AS 400 Broken into router advertises Web Server prefix as a /32 N Customer A B AS 100 M AS 200 Q X.Y.Z.0/22 X.Y.Z.1/24

7 What Could Be Worse? The Miscreant Economy Trades violated BGP Speaking routers. Get 20 in different parts of the Internet. Take each, pick your targets, and start disaggregating. Global Telecoms THE INTERNET & TELECOM HAVE MERGED! BGP Hijacks are LIFE THREATENING!

8 What is a prefix hijack? Today s network is all of Telecom + Internet. It is all one technological base all interconnected with BGP & DNS Our Neighbors are global! A business on one side of the planet will force you into OPEX and CAPEX expenditure! Global Telecoms More memory, more FIB capacity, more RP processing More prefixes, more communities, more as-paths, more activities (flapping, changes, etc.)

Google Route Leak 2017-08-25 Large BGP Leaky by Google Disrupts Internet in Japan https://dyn.

9 Google Route Leak Large BGP Leaky by Google Disrupts Internet in Japan BGP leak causing Internet outages in Japan and beyond

Amazon Route 53 MyEtherWallet 2018-04-24 BGP Hijack of Amazon DNS to Steal Crypto Currency https://dyn.

https://www.theregister.co.uk/2018/04/24/myetherwallet_ dns_hijack/ Maybe?

10 Amazon Route 53 MyEtherWallet BGP Hijack of Amazon DNS to Steal Crypto Currency AWS DNS network hijack turns MyEtherWallet into Thieves EtherWallet dns_hijack/ Maybe? The AS upstreams (NTT, Cogent, Level3) & Equinix route server blocked the hijack attack Some peers of AS (Google, Hurricane Electric, BBOI, others) accepted the hijack Hijack impact was limited thanks to BGP Filters

DPSTL Brazil (AS 26786) 2018-04-26 BGP hijacks - Malicious or

11 DPSTL Brazil (AS 26786) BGP hijacks - Malicious or Mistakes?

ElCAT (AS 8449) Kyrgyzstan 2018-05-04 The Day the Internet Survived https://radar.qrator.

12 ElCAT (AS 8449) Kyrgyzstan The Day the Internet Survived Mistakes with Route Leaks will have National Consequences. Intentional Hijacks are Worse.

BGP Security BGP Hijacking - Wide Motivations Hijacking for Cryptocurrency Theft (since 2013) Hijacking for SPAM Hijacking for Censorship Hijacking for Nation State Attacks

13 BGP Security BGP Hijacking - Wide Motivations Hijacking for Cryptocurrency Theft (since 2013) Hijacking for SPAM Hijacking for Censorship Hijacking for Nation State Attacks Hijacking just for the fun of it. Example from Blackhat - Entire Conference was Hijacked with a MITM to illustrate the risk and the security professionals had zero clue what was going on!!!

14 How can I reduce the risk? BGP Hijack Minimization

15 Minimizing the BGP Hijack Risk Web & Application Security Complete the move to HTTPS (TLS). Deployment Resilience Horizontally & Vertically DNS Security High Resilience adns DNSSEC Driving for rdns deployments that support DNSSEC BGP BCPs Peering Circles of BGP BCPs Internal and External Monitor Tools BGP EXPERTISE Partner with Peers who align with your BGP Resilience Agenda Invest in Rapid Response to BGP Hijacking

LAYERED BGP SECURITY New Thinking with Today s BGP Security RPKI Origin

- One ASN Deep MANRS+ Global Campaign to Expand the PeerLock++ Circles

State The Approach Minimizes Global Risk Targeted Hijacks Builds Circles

16 LAYERED BGP SECURITY New Thinking with Today s BGP Security RPKI Origin Validation" for BGP updates PeerLock++ Agreements with all Direct Peers - One ASN Deep MANRS+ Global Campaign to Expand the PeerLock++ Circles BGP Security BGP Peering BCPs Do all the ingress/egress policies Nation State The Approach Minimizes Global Risk Targeted Hijacks Builds Circles of Trust Pushing to Customers Leak Instabilities Minimizes normal human error

17 Principle of Guarded Trust Egress Filter Ingress Filter ISP A Prefixe s ISP B Prefixe s SP A trust SP B to send X prefixes from the Global Internet Route Table. SP B Creates a egress filter to insure only X prefixes are sent to SP A. SP A creates a mirror image ingress filter to insure SP B only sends X prefixes. SP A s ingress filter reinforces SP B s egress filter.

18 Explicit Deny BGP Ingress/Egress Egress Filter (Deny with Exceptions Ingress Filter (Deny with Exceptions) ISP A Prefixe s ISP B Prefixe s All BGP Sessions Need Explicitly DENY ALL Filters as a Default. Explicit Deny filtering logic blocks everything and only permits specifics through the filter.

BGP Ingress Policy Checklist 1. Dynamic maximum prefix settings 2. Reject Bogon & RIR RIR Min prefixes (RFC1918, etc) 3. Reject Bogon ASNs (AS0 / AS23456 etc) 4.

19 BGP Ingress Policy Checklist 1. Dynamic maximum prefix settings 2. Reject Bogon & RIR RIR Min prefixes (RFC1918, etc) 3. Reject Bogon ASNs (AS0 / AS23456 etc) 4. Reject IXP prefixes (Some IXP subnets) 5. Reject leakage with the Peerlock filter 6. Match against IRR whitelist (only customers) 7. Mark as customer route (or as peer route) 8. Scrub internally significant BGP communities 9. Apply Features (blackholing, traffic engineering, etc, only for customers) BGP Prefixes Prefix Filter Prefix Filter BGP Prefixes Peer/Transit Operator Customer - Down Stream

BGP Egress Policy Checklist 1. Reject Bogon & RIR Min prefixes 2. remove-private-as 3. Reject bad routes (RTBH, Sinkholes, Shunts) Peer/Transit 4. Accept peer routes(on customer session) 5.

20 BGP Egress Policy Checklist 1. Reject Bogon & RIR Min prefixes 2. remove-private-as 3. Reject bad routes (RTBH, Sinkholes, Shunts) Peer/Transit 4. Accept peer routes(on customer session) 5. Accept customer routes (on every session) 6. Do prepending (if requested & applicable) 7. Scrub internal BGP communities 8. Set next-hop-self BGP Prefixes Prefix Filter Prefix Filter BGP Prefixes Operator 9. Normalize BGP MED Customer - Down Stream

21 The Control Plane Protection Essentials Mutually Agreed Norms for Routing Security (MANRS) There are core control plane protection essentials which are the foundation for Internet security and stability. The Operators Security Toolkit provides clue for effective BGP Security: Reality Check: The major of ISPs, Telcos, Mobile Operators, and other Operators are not doing the essentials of BGP Security. That is why it is so each to execute BGP Hijacks!

22 MANRS Actions ADD MANRS Compliance to your Operator s Internet Services Contract!

23 Take the MANRS Tutorial The Internet Society & the Operator s Best Common Operational Practice (BCOP) Community as create an online MANRS Tutorial.

24 BGP Monitoring Any organization who BGP Peers must set up appropriate BGP Monitoring

BGP Peer Lock Peer Lock is a Peering Technique used to lock down known peering relationships from all of your peers. We know PCCW is not an upstream for AT&T.

25 BGP Peer Lock Peer Lock is a Peering Technique used to lock down known peering relationships from all of your peers. We know PCCW is not an upstream for AT&T. We Know AT&T is not an upstream for PCCW. We know that: AS_PATH 2914_3491_7018 would be garbage! (NTT_PCCW_AT&T) Working with your Peers, you can build AS Path Filters which Whitelist KNOWN GOOD BEHAVIOR

BGP Peer Lock Simple Default Free Rule WIKIPEDIA Defines the largest DEFAULT FREE Backbones: https://en.wikipedia.

26 BGP Peer Lock Simple Default Free Rule WIKIPEDIA Defines the largest DEFAULT FREE Backbones: Use that to deploy a filter that would block anyone claiming to be transit for the big backbones. ip as-path access-list 99 permit \ _( \ \ \ )_ route-map ebgp-customer-in deny 1 match aspath 99

27 BGP Peer Lock s Expanding Trust Backup Path Hijack Peer B Peer D Peer Lock Path Logic for Peer A Peer A Normal Peering NTT 2419 OK: ^A_ OK: ^B_A_ NOT OK: ^C_A_ NOT OK: ^D_A_ Peer C Peer E Route Leak Hijack

28 BGP Peer Lock s Expanding Trust Deeper Peer Z Peer M Hijack Peer B Peer D Peer B Expands Peer Lock with Z and M. Peer A Normal Peering NTT 2419 The Peer Lock Realm has now expanded to Five Operators. Peer C Peer E Route Leak Hijack

Operators can then set up their network to validate the routes

29 BGP RPKI Origin Validation BGPSEC & RPKI will register all IPv4 and IPv6 routes in a RPKI Repository. Operators can then set up their network to validate the routes they receive to ensure the customer, peer, or transit is authorized to send the route.

BGPSEC Operational Roll Out (2019-2020) Trust Anchors ROAs Ignore

deployments have started! BGPSEC is not a theory now.

30 BGPSEC Operational Roll Out ( ) Trust Anchors ROAs Ignore Filters Whitelist Router The first RPKI BGP Route Origin Validation deployments have started! BGPSEC is not a theory now. We re gaining Operational Experience where real customers would be impacted if it does not work.

31 You Can Take Action! BGP Hijack Resistance is not hard! Know the Risk! Walk through how your organization will be impacted. Start Action Meet with your Internet/Telecom providers and create a plan of action.

32 LAYERED BGP SECURITY BGP Security Action Checklist RPKI Origin Validation for BGP updates Peer Lock++ Agreements with all Direct Peers - One ASN Deep MANRS+ Global Campaign to Expand the Peer Lock++ Circles BGP Security BGP Peering BCPs Do all the ingress/egress policies 1. Deploy Essentials BGP BCP w/ MANRS Get the basics done first. 2. Upgrade your Peering Agreement Builds Circles of Trust asking your peers and your Operators what they are doing. 3. Start the RPKI Process Register your routes. Ask your Peers and Operator to Register

33 Questions?

34 Next Steps Use the BGP Resiliency Guides How to secure BGP is publicly available all over the Internet. Two Sources to start: MANRS SENKI - BGP Route Hijack What can be done Today

Practical everyday BGP filtering with AS_PATH filters: Peer Locking

Practical everyday BGP filtering with AS_PATH filters: Peer Locking job@ntt.net Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purpose only. NTT does not admit or deny any