BGP Security Features
Security on ISP networks can be very difficult because of the network's public nature. No
firewalls protect routers, and device addressing is typically visible externally. This provides
attackers with significant information about network devices and the ability to send packets
unobstructed to those devices. The subject of ISP security is examined in this section from
two angles.
The first angle is protecting the BGP infrastructure itself, meaning the BGP peering
sessions themselves. The next section explains BGP MD5 and justifies its use.
The second angle is protecting against malicious BGP advertisements or advertisement
patterns. Proper filtering and route dampening guidelines are provided in the following
sections. The security issues surrounding public peering are covered, and three specific
scenarios are explained that have been encountered in the field.
TCP MD5 Signatures for BGP Sessions
The BGP infrastructure can be directly attacked by attacking a BGP session's TCP layer. A
TCP Reset that is accepted by the router for a BGP session results in a session reset. The
source and destination addresses for an eBGP session can be determined through the use of
traceroute.
The traceroute results provide the link address of one side of the peering connection. It is
standard practice for eBGP sessions to peer using directly connected IP addresses in the
same IP subnet. The IP address for both sides of the BGP session can be derived from one
link address.
A TCP segment is accepted for the session if the source address, destination address,
source port, destination port, and TCP sequence number are correct; the sequence number need
only fall inside the receiver's window, not match exactly. The attacker already knows the
source and destination addresses and one of the ports, because BGP uses TCP port 179. What
remains is the peer's ephemeral port and an in-window sequence number, both of which are
small enough search spaces to brute-force. Figure 9-5 shows the attack scenario.
Figure 9-5 BGP TCP Reset Attack Scenario. An eBGP session between AS 100 and AS 200 uses
the directly connected link addresses 10.1.1.1/30 and 10.1.1.2/30. The attacker sends
attack packets with source address 10.1.1.1, destination address 10.1.1.2, destination
port 179, and the TCP RST flag set.
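The address derivation above and the TCP MD5 protection that the next section configures can be worked through in code. The block below is an added example written for this page, not code from the book or from any router vendor: it derives the far-end address from one /30 link address as the text describes, then builds the spoofed RST from Figure 9-5 with and without an RFC 2385 MD5 signature option and runs each through a receiver-side check. The addresses are the ones in Figure 9-5; the key, ports, sequence numbers, window size and the two-byte end-of-option-list padding after the option are constructed assumptions, and no real socket or IP checksum is involved.

```python
import hashlib
import hmac
import ipaddress
import struct

# Addresses come from Figure 9-5 on this page; everything else below is constructed.
BGP_PORT = 179
TCP_PROTO = 6
TCP_RST = 0x04
TCP_ACK = 0x10
MD5_OPT_KIND = 19   # RFC 2385 TCP MD5 Signature Option
MD5_OPT_LEN = 18    # kind + length + 16-byte digest


def peer_address(link_address: str, prefix_len: int = 30) -> str:
    """Derive the far-end address of a point-to-point link from one side's address, as the
    text describes for a /30: the subnet has exactly two usable hosts, so the other is the peer."""
    iface = ipaddress.ip_interface(f"{link_address}/{prefix_len}")
    others = [h for h in iface.network.hosts() if h != iface.ip]
    if len(others) != 1:
        raise ValueError(f"{iface.network} is not a two-host point-to-point subnet")
    return str(others[0])


def tcp_header(src_port, dst_port, seq, ack, flags, data_offset_words=5, window=16384):
    """20-byte TCP header with the checksum field zero, which is how RFC 2385 hashes it."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (data_offset_words << 12) | flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, tcp_hdr, payload, key, option_len):
    """MD5 over: pseudo-header (src, dst, zero, protocol, TCP length), the 20-byte header with
    checksum zero and options excluded, the segment data, and the shared key (RFC 2385 2.1)."""
    tcp_len = len(tcp_hdr) + option_len + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, key):
    """Build a segment carrying the MD5 option. The 18-byte option is padded to 20 bytes with
    two end-of-option-list bytes (a constructed choice; some stacks use leading NOPs instead),
    so the data offset is 10 words."""
    hdr = tcp_header(src_port, dst_port, seq, ack, flags, data_offset_words=10)
    digest = rfc2385_digest(src_ip, dst_ip, hdr, payload, key, option_len=20)
    option = struct.pack("!BB", MD5_OPT_KIND, MD5_OPT_LEN) + digest + b"\x00\x00"
    return hdr + option + payload


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest, or None if no MD5 option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                # end of option list
            return None
        if kind == 1:                # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None              # malformed option
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check a router with a session password performs on every segment: one
    without the option, or whose digest was computed under a different key, is dropped before
    TCP looks at flags or sequence numbers. Returns True only when the digest matches."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    base = bytearray(segment[:20])
    base[16:18] = b"\x00\x00"        # hash with the checksum field zeroed
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    carried = find_md5_option(options)
    if carried is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, bytes(base), payload, key, option_len=len(options))
    return hmac.compare_digest(carried, expected)


def reset_attack_outcomes(victim="10.1.1.2", key=b"s3cret-peer-key"):
    """Replay Figure 9-5: returns (legitimate RST accepted, unsigned forged RST accepted,
    forged RST signed under a guessed key accepted, captured RST with altered seq accepted)."""
    spoofed_src = peer_address(victim)          # 10.1.1.1, derived from the victim's link address
    args = (spoofed_src, victim, 23456, BGP_PORT, 1000, 2000, TCP_RST | TCP_ACK, b"")
    legit = sign_segment(*args, key)
    forged_bare = tcp_header(23456, BGP_PORT, 1000, 2000, TCP_RST | TCP_ACK)
    forged_guess = sign_segment(*args, b"guessed-key")
    tampered = bytearray(legit)
    tampered[4:8] = struct.pack("!I", 1001)      # shift the sequence number by one
    return tuple(verify_segment(spoofed_src, victim, s, key)
                 for s in (legit, forged_bare, forged_guess, bytes(tampered)))


if __name__ == "__main__":
    print(reset_attack_outcomes())   # (True, False, False, False)
```

Only the segment built with the shared key passes; the forged RST from the figure fails whether it carries no option or one computed under a wrong key, and a captured legitimate segment with its sequence number altered fails too, because the header is inside the hash. On Cisco IOS the shared key is configured per peer under `router bgp` with `neighbor 10.1.1.2 password <string>`, and both sides must use the same string or the session will not establish. MD5 serves here as a keyed authentication tag rather than a collision-resistant hash, so the strength rests on the key: choose a long random string and rotate it with the peer. RFC 5925 (TCP-AO) is the standards-track successor where both platforms support it.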