Welcome to Part Two of my BGP hijack series! Previously, I set up my demo network by creating three routers, a user, and an FTP server using docker. For more information on setting up the demo, please visit my first post.
The scenario I created consists of a malicious attacker who has gained control of a router (R1). The attacker wants to perform a BGP hijack in order to man-in-the-middle traffic between the user and the FTP server.
Network Rule Priority
The longest prefix match is a routing rule. It states that when several entries in a routing table cover a destination address, the most specific entry (the one with the longest subnet mask) is selected as the route.
In order to carry out the attack, I relied on this rule. I defined a more specific route for the FTP server so that traffic from the user is routed through the router the attacker controls before it reaches the FTP server.
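To make the rule concrete, here is an added Python example (my illustration, not code from the original post) that performs a longest prefix match over a small routing table. The table is constructed for this demo and assumes the lab's FTP server sits inside 172.19.0.0/16 and is normally reached via R3; the 172.19.0.0/17 entry stands for the more specific route the compromised R1 injects. It also shows a point the text only implies: a /17 covers just half of the /16, so only destinations in 172.19.0.0 to 172.19.127.255 are diverted, which is exactly what a defender looking at the table would want to know.

```python
import ipaddress

# Constructed routing table for the demo topology. Assumption: the lab's
# docker network is 172.19.0.0/16 and R3 is the legitimate next hop toward
# the FTP server. The /17 entry is the more specific route injected by R1.
ROUTING_TABLE = [
    ("0.0.0.0/0", "default-gw"),
    ("172.19.0.0/16", "R3"),    # legitimate entry, covers the whole lab network
    ("172.19.0.0/17", "R1"),    # injected entry, covers only the lower half
    ("10.0.0.0/8", "R2"),
]


def longest_prefix_match(table, destination):
    """Return (prefix, next_hop) for the most specific entry that contains
    destination, or None when no entry matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        # A longer prefix length means a more specific network; it wins.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def next_hop_for(table, destination):
    """Convenience wrapper returning only the chosen next hop."""
    match = longest_prefix_match(table, destination)
    return None if match is None else match[1]


def diverted_destinations(table, legitimate_hop, hijack_hop):
    """List the prefixes whose traffic leaves via hijack_hop even though a
    less specific entry points at legitimate_hop, i.e. how much of the
    legitimate range the injected prefix actually captures."""
    captured = []
    for prefix, hop in table:
        if hop != hijack_hop:
            continue
        net = ipaddress.ip_network(prefix)
        for other_prefix, other_hop in table:
            other = ipaddress.ip_network(other_prefix)
            if (other_hop == legitimate_hop and net != other
                    and other.version == net.version and net.subnet_of(other)):
                captured.append(str(net))
                break
    return captured


if __name__ == "__main__":
    for host in ("172.19.0.10", "172.19.200.5", "10.1.2.3", "8.8.8.8"):
        print(host, "->", next_hop_for(ROUTING_TABLE, host))
    print("diverted by R1:", diverted_destinations(ROUTING_TABLE, "R3", "R1"))
```

Running the script shows 172.19.0.10 leaving via R1 while 172.19.200.5 still leaves via R3: the injected /17 does not need to cover the victim's whole network, only the part containing the host of interest.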
To start this attack from the first router (R1), I opened the router terminal vtysh and changed the router configuration from there. First, I entered configuration mode:

    configure terminal

Next, I entered the BGP process configuration and added the more specific network:

    router bgp 100
    network 172.19.0.0/17

This applies the longest prefix match rule and reroutes the traffic to my router. For the change to take effect, I left configuration mode by typing exit twice, then cleared R1's outbound BGP updates so that it would start advertising the new prefix:

    clear ip bgp * out
Route Map Policies
The router begins to advertise the new prefix and all of the traffic is routed to R1. As a result, the traffic never reaches the FTP server: Router 3 (R3) forwards it back to Router 1 (R1) because of the longest prefix match rule, creating an infinite loop in which the two routers continually forward the traffic to each other. Since this is not a very stealthy MITM attack, I updated the routing policies on R1 so that it forwards the traffic on to R3, allowing the FTP server to receive it.
To update the route-map policies I entered the configuration terminal once again. I defined an IP prefix list called bgphijack with the following command:

    ip prefix-list bgphijack seq 5 permit 172.19.0.0/17

Next, I created two new route-map policies:

    route-map to-as300 deny 5
     match ip address prefix-list bgphijack

    route-map to-as200 permit 5
     match ip address prefix-list bgphijack
     set community no-export
The first policy stops R1 from advertising the addresses in the prefix list bgphijack toward R3. This ensures that R3 never learns the more specific prefix from R1; if it did, the longest prefix match rule would send the traffic back to R1 and create the infinite loop.
The second policy lets R1 advertise the bgphijack prefix to R2, but set community no-export tells R2 that it must not re-advertise the prefix to its own external neighbors. This handles the case where R2 would otherwise pass the prefix on to R3, which would again cause the infinite loop.
For these policies to take effect, I exited the configuration terminal and once again typed:

    clear ip bgp * out
Listening in on Traffic with tcpdump
This concludes the setup for the BGP hijack attack. Traffic from R2 is now routed via R1, so the attacker can listen to traffic exchanged between the user and the FTP server. A popular tool for listening in on traffic is tcpdump. To capture the data exchanged between the user and the FTP server, I typed the following into the R1 terminal:

    tcpdump -i any port 21
Defense Against BGP Hijack
BGP is an older protocol, designed at a time when information security was less mature. Despite this, there are steps individuals and companies can take to protect themselves from hijacking attacks.
Enabling Access Control Lists
Access control lists are router configurations that control which other routers a device will communicate with. They block unwanted traffic, which in turn reduces the attack surface of a given router. Best practice is to accept BGP traffic only from legitimate, authorized BGP neighbors.
Enable BGP Prefixes Filtering with Prefix Lists
Prefix filtering is access control applied to IP prefixes: administrators can permit or deny specific prefixes from each BGP neighbor. Administrators can also filter on the AS path, which adds a further check that the prefix arrived through the expected autonomous systems.
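The following Python example, added here and not part of the original post, models the two checks described above as an inbound filter: each received announcement is compared against a list of authorization records giving the prefix, the longest prefix length that may be announced under it, and the AS allowed to originate it (the same shape as an RPKI ROA). The records and announcements are constructed; the assumption that 172.19.0.0/16 belongs to AS 300 comes only from the demo's route-map name to-as300, and 10.0.0.0/8 with AS 200 is invented. The more specific 172.19.0.0/17 from the post fails on both the length and the origin check.

```python
import ipaddress

# Constructed authorization records, in the spirit of RPKI ROAs:
# (authorized prefix, maximum accepted prefix length, authorized origin AS).
# Assumption: 172.19.0.0/16 is originated by AS 300, as the demo's route-map
# name "to-as300" suggests; the 10.0.0.0/8 record is invented.
AUTHORIZED = [
    ("172.19.0.0/16", 16, 300),
    ("10.0.0.0/8", 24, 200),
]

# Constructed announcements as a router might receive them: the prefix and
# the AS_PATH, with the origin AS in the last position.
ANNOUNCEMENTS = [
    ("172.19.0.0/16", [200, 300]),   # legitimate announcement
    ("172.19.0.0/17", [100]),        # more specific and wrong origin
    ("10.1.0.0/16", [100, 200]),     # inside the /8, allowed length, right origin
    ("10.1.2.0/25", [200]),          # right origin but longer than the max length
    ("192.0.2.0/24", [100]),         # no record covers it
]


def validate(prefix, as_path, records=AUTHORIZED):
    """Classify one announcement as valid, invalid or unknown, with a reason."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = []
    for rec_prefix, max_len, asn in records:
        rec_net = ipaddress.ip_network(rec_prefix)
        # subnet_of() only accepts networks of the same IP version.
        if rec_net.version == net.version and net.subnet_of(rec_net):
            covering.append((rec_net, max_len, asn))
    if not covering:
        return ("unknown", "no record covers %s" % net)
    reasons = []
    for rec_net, max_len, asn in covering:
        if asn != origin:
            reasons.append("origin AS%d not authorized for %s" % (origin, rec_net))
        elif net.prefixlen > max_len:
            reasons.append("more specific than /%d allowed under %s" % (max_len, rec_net))
        else:
            return ("valid", "covered by %s (AS%d)" % (rec_net, asn))
    return ("invalid", "; ".join(reasons))


def filter_announcements(announcements, records=AUTHORIZED, accept_unknown=True):
    """Apply the policy as an inbound filter: keep valid routes, drop invalid
    ones, and treat routes without a record according to accept_unknown."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        status, reason = validate(prefix, as_path, records)
        if status == "valid" or (status == "unknown" and accept_unknown):
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    for prefix, as_path in ANNOUNCEMENTS:
        print(prefix, as_path, "->", validate(prefix, as_path))
    print("accepted:", filter_announcements(ANNOUNCEMENTS)[0])
```

Whether to accept "unknown" routes is a deployment decision: rejecting them is stricter but will drop legitimate prefixes for which no record exists yet, so most operators start with accept_unknown=True and log those routes.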
Enabling BGP Neighbors Authentication
Authentication lets BGP neighbors demonstrate that they are legitimate and trustworthy.
Authentication between BGP neighbors typically takes the form of a password configured on both neighbors' routers. Without authentication, an attacker can spoof a neighbor's IP address. These passwords are shared as MD5 hashes, and MD5 is a known security weakness. To increase security, BGP neighbors should consider using the BGPsec protocol or Resource Public Key Infrastructure (RPKI).
Enabling Time to Live Security Check
The time to live (TTL) security check inspects incoming packets for the expected final TTL value before the router accepts them. This helps prevent route manipulation techniques like the one shown above, although the check can be bypassed by modifying the TTL value in the packet, for example with a tool such as iptables.
Logging is considered a best practice because it provides alerts for unauthorized changes to BGP neighbors, which helps with monitoring for any ongoing BGP hijack.
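As an added example of the alerting side (my code, not from the original post), the script below compares two constructed snapshots of a router's learned routes and raises alerts for the kinds of change a hijack produces: a new prefix that is more specific than one already known, a change in the origin AS, a change in which neighbor a route is learned from, and a withdrawn prefix. The baseline assumes 172.19.0.0/16 is originated by AS 300 and learned via R3; the second snapshot contains the 172.19.0.0/17 route from the post, which is the only difference and the only alert.

```python
import ipaddress

# Constructed snapshot of the routes a monitoring router (say R2) has learned,
# keyed by prefix, with the origin AS and the neighbour that sent the route.
# Assumption: 172.19.0.0/16 is originated by AS 300 and learned via R3.
BASELINE = {
    "172.19.0.0/16": {"origin_as": 300, "learned_from": "R3"},
    "10.0.0.0/8": {"origin_as": 200, "learned_from": "R2"},
}

# Constructed snapshot of the same table after R1 injects the more specific
# prefix described in the post.
CURRENT = {
    "172.19.0.0/16": {"origin_as": 300, "learned_from": "R3"},
    "172.19.0.0/17": {"origin_as": 100, "learned_from": "R1"},
    "10.0.0.0/8": {"origin_as": 200, "learned_from": "R2"},
}


def covering_baseline(prefix, baseline):
    """Return the baseline prefix that strictly contains prefix, or None."""
    net = ipaddress.ip_network(prefix)
    for known in baseline:
        known_net = ipaddress.ip_network(known)
        if (known_net != net and known_net.version == net.version
                and net.subnet_of(known_net)):
            return known
    return None


def diff_routes(baseline, current):
    """Return a list of (alert_type, prefix, message) for every change that
    matters between the two snapshots. An empty list means nothing changed."""
    alerts = []
    for prefix, attrs in current.items():
        if prefix not in baseline:
            parent = covering_baseline(prefix, baseline)
            if parent is not None:
                # The signature of a longest-prefix-match hijack: a new route
                # carving out part of a prefix we already knew.
                alerts.append(("MORE_SPECIFIC", prefix,
                               "%s is more specific than baseline %s, origin AS%d via %s"
                               % (prefix, parent, attrs["origin_as"], attrs["learned_from"])))
            else:
                alerts.append(("NEW_PREFIX", prefix,
                               "%s newly learned, origin AS%d via %s"
                               % (prefix, attrs["origin_as"], attrs["learned_from"])))
            continue
        old = baseline[prefix]
        if attrs["origin_as"] != old["origin_as"]:
            alerts.append(("ORIGIN_CHANGE", prefix,
                           "%s origin changed AS%d -> AS%d"
                           % (prefix, old["origin_as"], attrs["origin_as"])))
        elif attrs["learned_from"] != old["learned_from"]:
            alerts.append(("PATH_CHANGE", prefix,
                           "%s now learned via %s instead of %s"
                           % (prefix, attrs["learned_from"], old["learned_from"])))
    for prefix in baseline:
        if prefix not in current:
            alerts.append(("WITHDRAWN", prefix, "%s no longer present" % prefix))
    return alerts


if __name__ == "__main__":
    for alert_type, prefix, message in diff_routes(BASELINE, CURRENT):
        print("[%s] %s" % (alert_type, message))
```

In practice the snapshots would come from periodically dumping the router's BGP table (for example from vtysh) or from a route collector feed; the comparison logic stays the same.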
For more information on defending against BGP hijacking please visit the following resources:
A BGP hijacking attack is defined as “the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).” If a compromised router interacts with multiple autonomous systems, the attacker can man-in-the-middle traffic by altering the router's configuration. In this attack, I added a more specific network to take advantage of the longest prefix match rule, then added route-map policies so that traffic was forwarded through R1 on to R3. The impact was that I was able to listen in on traffic.
BGP is an older protocol with fewer built-in security measures. Despite this, there are several steps administrators can take to avoid hijacking, including managing access control lists, filtering prefixes, and logging and alerting.