bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform

Similar documents
Evaluation of BGP Anomaly Detection and Robustness Algorithms

A Survey of BGP Security: Issues and Solutions

Securing BGP Networks using Consistent Check Algorithm

Inter-domain routing validator based spoofing defence system

Inter-domain Routing. Outline. Border Gateway Protocol

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network

CNT Computer and Network Security: BGP Security

BGP Security. Kevin s Attic for Security Research

On the State of the Inter-domain and Intra-domain Routing Security

Topic 3 part 2 Traffic analysis; Routing Attacks &Traffic Redirection Fourth Stage

The Implementation of BGP Monitoring, Alarming, and Protecting System by a BGP-UPDATE-Based Method using ECOMMUNITY in Real Time

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

A Survey of BGP Security Review

A Configuration based Approach to Mitigating Man-inthe-Middle Attacks in Enterprise Cloud IaaS Networks running BGP

Request for Comments: January 2007

Keywords RIP, OSPF, IGP, EGP, AS, LSA

A Bandwidth-Broker Based Inter-Domain SLA Negotiation

Introduction to BGP ISP/IXP Workshops

The practical way to understand relations between autonomous systems

Analysis of BGP security vulnerabilities

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

An Operational Perspective on BGP Security. Geoff Huston February 2005

Border Gateway Protocol Security

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

Internet Protocols Fall Lectures Inter-domain routing, mobility support, multicast routing Andreas Terzis

the real-time Internet routing observatory

ibgp Multipath Load Sharing

TDC 375 Network Protocols TDC 563 P&T for Data Networks

COMP/ELEC 429 Introduction to Computer Networks

Methods for Detection and Mitigation of BGP Route Leaks

CS4700/CS5700 Fundamentals of Computer Networks

Configuring BGP community 43 Configuring a BGP route reflector 44 Configuring a BGP confederation 44 Configuring BGP GR 45 Enabling Guard route

Interdomain Routing. Networked Systems (H) Lecture 11

BGP Anomaly Detection. Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage.

APNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0

CS4450. Computer Networks: Architecture and Protocols. Lecture 15 BGP. Spring 2018 Rachit Agarwal

Configuring BGP. Cisco s BGP Implementation

internet technologies and standards

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Routing Security We can do better!

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Detecting Internet Traffic Interception based on Route Hijacking

A configuration-only approach to shrinking FIBs. Prof Paul Francis (Cornell)

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

Border Gateway Protocol - BGP

Compatibility of Border Meeting of Two Layers Protocol (BGP Version 4) With IPV6 Yashpal Yadav 1, Madan singh 2, Vikas Kumar 3

PART III. Implementing Inter-Network Relationships with BGP

ETSF10 Internet Protocols Routing on the Internet

A Way to Implement BGP with Geographic Information

Basic Idea. Routing. Example. Routing by the Network

Project 1: Network Penetration Testing

Routing by the Network

Configuration prerequisites 45 Configuring BGP community 45 Configuring a BGP route reflector 46 Configuring a BGP confederation 46 Configuring BGP

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Examination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

Inter-Domain Routing: BGP

Hands-On BGP Routing. Course Description. Students Will Learn. Target Audience. Prerequisites. Page: 1 of 5. BGP Routing

Comprehensive Solution for Anomaly-free BGP

BTEC Level 3 Extended Diploma

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

The real-time Internet routing observatory. Luca Sani RIPE Meeting 77 Amsterdam, NL October 15 th, 2018

Routing Basics ISP/IXP Workshops

Internet Routing : Fundamentals of Computer Networks Bill Nace

Interdomain Routing Reading: Sections P&D 4.3.{3,4}

CSCI Topics: Internet Programming Fall 2008

Last time. Transitioning to IPv6. Routing. Tunneling. Gateways. Graph abstraction. Link-state routing. Distance-vector routing. Dijkstra's Algorithm

c2001, Dr.Y.N.Singh, EED, IITK 2 Border Gateway Protocol - 4 BGP-4 (RFC intended to be used for routing between Autonomou

Routing Protocols. Autonomous System (AS)

Protecting an EBGP peer when memory usage reaches level 2 threshold 66 Configuring a large-scale BGP network 67 Configuring BGP community 67

AS Connectedness Based on Multiple Vantage Points and the Resulting Topologies

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Security Issues of BGP in Complex Peering and Transit Networks

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Measuring and Analyzing on Effection of BGP Session Hijack Attack

ETSF10 Internet Protocols Routing on the Internet

Antonio Cianfrani. Routing Protocols

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

Internet Interconnection Structure

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

End-To-End Signaling and Routing for Optical IP Networks

InterAS Option B. Information About InterAS. InterAS and ASBR

Internet Routing Protocols, DHCP, and NAT

Internet Infrastructure

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Routing Between Autonomous Systems (Example: BGP4) RFC 1771

IPv6 Switching: Provider Edge Router over MPLS

Routing. Jens A Andersson Communication Systems

ICS 351: Today's plan. OSPF BGP Routing in general routing protocol comparison encapsulation network dynamics

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Internet Engineering Task Force (IETF) Request for Comments: AT&T N. Leymann Deutsche Telekom February 2012

FIGURE 3. Two-Level Internet Address Structure. FIGURE 4. Principle Classful IP Address Formats

Introduction to IP Routing. Geoff Huston

MPLS VPN Explicit Null Label Support with BGP. BGP IPv4 Label Session

Introduction to BGP. ISP/IXP Workshops

ibgp Multipath Load Sharing

Transcription:

bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform Mayank Bhatnagar TechMahindra Limited, SDF B-1, NSEZ, Noida-201305, India E-mail : mayank.bhatnagar2@techmahindra.com Abstract - Border Gateway Protocol (BGP) is an Autonomous System (AS) routing protocol. It forms the backbone of Internet core routing decisions. However, it is also equally prone to security issues and several attempts to attack & exploit the protocol have been noted. bgpand is a platform designed and developed to analyze BGP updates, and detect anomalies and carry out attack filtrations. It is a modular platform such that new attack detection mechanisms can be implemented & integrated. bgpand can also be linked to BGP routers providing realtime BGP updates and hence can be used as a live security solution. Index Terms BGP Security, Bogon Filtering, Autonomous System Anomaly Detection. I. INTRODUCTION The Internet is as we all know a network of networks. The glue binding these networks are several network elements, communicating with each other, in a predefined, standardized mechanism, we generally refer to as protocols. The communicating information encapsulated in form of network packets flow across from one end to another, getting routed in the Internet, being controlled by a number of Internetworking entities, prime amongst them being routers. The router, having major functionality to route these packets, carry out the process seamlessly, continuously working, cooperating, updating, forwarding these packets, packet by packet, to another route, taking decisions on these routes. In this scenario, two things are needed; first, routing tables match destination addresses with next hops. Second, routing protocols determine the contents of these tables. Apart from the normal functioning of the routes, security of the routers, routing information, routing protocols plays a paramount role in managing a secure networking infrastructure. Since it's usage in the industry, there have been several attempts to attack, exploit the protocol and thereby disrupt the routing infrastructure. This work has been carried out as part of a holistic attempt to order to analyze the BGPv4 security issue & attacks in detail and develop a platform, an environment to detect the BGP insecure updates in general and anomalies in particular. Algorithms have been developed and a tool BGP4 Anomalies Detection hereafter referred as bgpand, has been developed which is modular & extendable in design. This paper describes some of the features implemented in bgpand tool an also proposes algorithms and modules for future implementations. The paper starts with discussing general security issues surrounding BGPv4 protocol. Further on bgpand s architecture is described in the second section, while the design and development work is discussed in the third section. The fourth section summarizes the results & observations. In the fifth section, the paper concludes in addition to providing future work that is planned and can be done in the sixth section. BGPv4 Security Issues Border Gateway Protocol (BGP) is an inter- Autonomous System routing protocol. It backs the core routing decisions on the Internet. Most Internet Service Providers (ISP)s use BGP to establish routing between one another. Even though most Internet users may not use it directly, it anyway is one of the most important protocols of the Internet. BGP version 4 has been described in [1]. Since it s usage in industry, there have been several attempts to attack and exploit the weaknesses in the protocol. Studies like [2],[3] have at length analysed and studied various attacks including Peer & Session attacks, route 5

flapping & Route Deaggregation attacks, various route injection & denial of service attacks. Various tools [4], monitoring scripts & solutions have been developed including GrepCIDR, Pretty Good BGP (PGBGP), PHAS and others which demonstrate and detect attacks and help in useful configuration and monitoring. Recent studies in [3], which carry out large scale comparisons, have observed with facts that BGP is vulnerable to communications interruptions and failures and finding suitable improved security measures with acceptable costs is difficult. Continued threat analysis & attack detection solutions to secure and develop robust BGP are needed. The reader is encouraged to refer [2], [3] for details on BGPv4 vulnerabilities and security issues & effective security mechanisms &solutions In the current work, however the BGPMon has not been configured to receive the updates in the form of a BGP Speaker. However, a native client has been implemented which will receive the BGP updates from the BGPMon installed at various sites. This receives the RIP updates, or BGP updates and carries out analysis. III. DESIGN & DEVELOPMENT OF DETECTION MECHANISMS This section discusses the design and development of bgpand s detection mechanisms. The high level flow of BGP updates data, it s analysis & results is depicted below in Figure 2; III. BGPAND ARCHITECTURE The following architecture (Figure 1) is proposed for development and modeling to detect BGP attacks in real time at a BGP speaker. This architecture describes how BGPMon[5], a BGP monitoring tool, will be used to work on real time RIP data [6] and algorithms and solutions developed to add on to the BGP security capabilities. Fig 1 High Level bgpand architecture with BGPMON[5] integration In this architecture, the BGPMOn is to be used to analyze in real time the BGP updates available from RIP database. For initial experiments, the available RIP data is analyzed and studied. Since BGPMOn has capability to detect RIP binary data and BGP updates in real time, it is useful for carrying out detection development work. Figure 2 BGP Updates Analysis & Detection Mechanisms The following points describe the implemented architecture. Live Routing Updates i.e. BGPMon live data, from Colorado State University [5] are being downloaded, by making a TCP connection to the described server, livebgp.netsec.colostate.edu, at port 50002. This will download a steady stream of BGP updates being received from the BGPMon installed at their end. These BGP updates are in the form of XML, in standard XFB format, XML format for BGP. 6

Processing of this XML stream of data has been done and there exists a separate TCP client program which writes this data into a file. This TCP client will connect to BGPMon speaker installed at Colorado State University and download the BGP stream, having BGP updates in XML manner, into a file. No BGP Updates are being sent as of now from bgpand or shared with any of the BGP routers or speakers. Implemented Detection Mechanisms In the current implementation of bgpand, the following two security mechanisms have been implemented a. Bogon Filtering The site [7] maintains a list of Bogon addresses. [7] describe Bogon address as follows A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks. This detection mechanism identifies for any BGP message, whether the source or destination addresses that the BGP Message is being coming from or to, is not actually a BOGON or Bogus or a harmful IP address. The harmfulness or maliciousness of this Bogus IP addresses is being done by maintaining a list of Bogon IP addresses being downloaded from International Bogon address filtering sites. Hence it is important for the system to keep bogon lists maintained and updated frequently. For each & every message being received in the BGP stream, the extraction of Source and Destination IP address is being done and if any match occurs with an address mentioned in the BOGON Prefix list, it is alerted and logged. For Prefix matching with IP address, a regular expression match has been performed. An open source tool, grepcidr[8] has been installed and being used. The flow diagram of the detection is being depicted below in Figure 3 Figure 3 System Flow Bogon Filtering b. Suspicious Origin AS Detection This detection mechanism identifies for any BGP message, whether the Origin AS for any prefix gets changed. This is a typical suspicious anomaly behaviour that has been documented and discussed among various security experts and researchers. [9] mentions that one of the popular BGP security detection system (PHAS) or Prefix Hijack Alert system, implements the Origin AS Anomaly detection. In this type of detection mechanism, a BGP update stream is being monitored. For each BGP Update, an alert is displayed and logging is being done, if the following behavior [9] is observed An origin AS or Autonomous System, in an update message that is new relative to the set of previously observed set of origin ASes for the same prefix. The interpretation of the above detection logic is that for any AS, or any BGP device receiving BGP update, connected to other ASes, there exists a specific path or NLRI (Network Layer Reachability 7

Information). If there is any change in the NLRI, a AS sends a BGP update. However it is very unusual to see that a BGP update is being received for any origin AS being changed for a network prefix IV. BGPAND WORKING & OBSERVED RESULTS This section describes the implementation as it looks like and the results observed Initial Input Screen The initial screen is as shown below, Figure 5. It describes how input can be given and what detection mechanisms have been implemented. Program Input Figure 5 Initial Input Screen The BOGON detection for IP addresses can be specified as follows; Figure 4 System Flow Suspicious Origin AS Detection To implement this detection, a list of origin ASes are being prefixes are being maintained for each new prefix being observed. Whenever, for a prefix, which is NOT NEW, an Origin AS BGP update is being observed, it is being flagged as an Anomaly or Alert. The flow of the detection is similar to the above. However this detection works only for BGP Update Messages and uses AS_TYPE, AS_SEQUENCE, NLRI and Prefix XML Nodes to extract the required information nodes. The flow diagram of the detection is being depicted in Figure 4; Figure 6 Command line Input for Bogon address filtering Detection Here bogon specifies for Bogon Prefix address Detection. Program Result The detection results are being stored in a file result_bogon_filter.txt. If any match occurs, the details of the logs are being stored in this file. It is being shown here; 8

Figure 7- Bogon Filter detection Suspicious Origin Autonomous System (AS) detection As mentioned above, this detection mechanism identifies for any BGP message, whether the Origin AS for any prefix gets changed. Program Input The Origin AS detection for BGP Update messages can be specified as follows; Figure 8 Command line for Origin AS anomaly detection Here origas specifies detection for BGP Origin AS, while bgpand is the program name, bgpmondata is the file which is storing BGP Stream. Program Result The detection results are being stored in a file resultoriginas. If any detection of the above case occurs, the alert is raised and the details of the logs are being stored in this file. It is being shown in Figure 8; Anomaly alert message [ANOMALY]SUSPICIOUS_ORIGIN_AS_DETECT::PR EFIX::65.210.166.0/24::ORIG_AS::1673::ACTION- >ANALYSE This states that an anomaly of type ORIGIN_AS has been detected for prefix 65.210.166.0/24 caused by a suspicious new Origin AS 1673. The action for which has to be analysis of the alert. Figure 9 Detection Results Additionally Detailed Debugging macros have also been built into the program for efficient debugging V. CONCLUSION The basic system implementation in form of bgpand, aims to ensure that the BGP updates are being analysed and any anomalies and issues related to bogon traffic being detected, alerted and logged. The two detection mechanisms implemented can be put on and used against any live BGPMon system and used for detecting any Bogon alerts or suspicious OriginAS anomalies. bgpand s can be used to integrate with any standardized BGP updates and reslts can be analysed. However, incorporation of these algorithms to detect any issues in real time is of utmost importance. VI. FURTHER WORK bgpand can be used to integrate with any standardized BGP updates and results can be analyzed. However, incorporation of these algorithms to detect any issues in real time is of utmost importance. The following work is planned to be integrated with current version of bgpand. BGPMon Speaker Integration BGPMon enabled monitors and speakers use a special format of exchanging of BGP messages. This is XML format for BGP messages (XFB). The current implementation is not integrated to directly connect to BGPMon monitors or speakers. Once integrated, they can carry out processing of updates from any of BGPMon enabled speakers. The same detection mechanisms can be then used for live detection of any of BGPMon enabled sites. 9

Sharing Mechanism of identified Malicious BGP Messages Currently the system displays and logs alerts and anomalies it detects. This information is then maintained as local to the BGP updates processing machines. In an internetworking scenario, it is very effective to have a live sharing of any anomaly or any suspicious BGP update. This is helpful so that the anomaly information detected at one of the BGP nodes is shared among all other BGP neighbours and further on. Further on, standard protocols which provide rules on how to optimally share the information in a fast manner can be used. VII. REFERENCES [1]. Y. Rekhter, Ed., T. Li, Ed.and S. Hares, Ed., A Border Gateway Protocol 4 (BGP-4), Standard Network Reference, Network Working Group, RFC, IETF RFC 4271, January 2006 [2] Rick Kuhn, Kotikalapudi Sriram, Doug Montgomery, Institute Publication Border Gateway Protocol Security; Recommendations of the National Institute of Standards and Technology, July 2007 [3] Kevin Butler, Toni R. Farley, Patrick McDaniel, Jennifer Rexford, A Survey of BGP Security Issues and Solutions, Proceedings of the IEEE Vol. 98, No. 1, January 2010 [4] BGP Tools, http://www.bgp4.as/tools [5] BGPMOn - BGP Monitoring Tool, http://bgpmon. netsec.colostate.edu/ [6] RIPE NCC, RIS Raw BGP Data, http://www.ripe.net/ data-tools/stats/ris/ris-raw-data [7] Team Cymru Bogon Service, http://www.teamcymru.org/services/bogons/ [8] Grep CIDR, http://www.pc-ools.net/ unix/grepcidr/ [9] K Sriram, Oliver Borchert, Okhee Kim, Patrick Gechmann, Doug Montgomery, A comparative Analysis of BGP Anomaly Detection Robustness Algorithm, Proceedings of the Cybersecurity Applications and Technology Conference for Homeland Security (CATCH),Washington D.C., March 3-4, 2009, pp. 25-38. 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback