Routing


Routing is subject to attacks that can harm both the interconnection of networks and the operation of individual networks. Smooth operation of the routing infrastructure is crucial for the robustness of the Internet. Most threats disrupt routing functions by hijacking, misusing, misconfiguring, or intercepting assigned numbers, addresses, or name spaces. The current trend indicates that this threat is on the rise.

Autonomous System (AS) hijacking

AS hijacking attacks aim at impersonating a victim's organization. The motivation behind this type of attack is malicious: activities conducted with the hijacked network are masked and appear to be carried out on behalf of the victim itself. Such attacks are characterised by an attacker announcing the victim's prefixes with the victim's AS as the origin.

Example:

Good Practice:

  • Utilise resource certification (RPKI) to provide AS origin validation. RPKI also provides the basis for securing BGP through BGPsec.


Address space hijacking (IP prefixes)

This threat occurs when a rogue BGP peer maliciously announces a victim's prefixes in an effort to reroute some or all traffic through its own networks for untoward purposes (for example, to view contents of traffic that the router would otherwise not be able to read).

Examples:

Good Practice:

  • Utilise resource certification (RPKI) to provide AS origin validation. RPKI also provides the basis for securing BGP through BGPsec. RFC6907, BCP185
  • Establish an Appropriate Use Policy (AUP) as explained in BCP 46, which promotes rules to secure peering. BCP46
  • Establish ingress filtering on traffic entering from edge sites towards the Internet. [115] DRAFT OPSEC BGP SECURITY, RIPE431
  • Deploy Unicast Reverse Path Forwarding (uRPF) to verify the validity of packets' source IP addresses. RFC2439, RIPE580
  • Establish egress filtering at the boundary router to proactively drop all traffic destined for a customer that carries a source address from the address space assigned to that customer.
  • Filter routing announcements and implement techniques that reduce the risk of excessive router load caused by illegitimate route updates and announcements. RIPE431
    For instance, Route Flap Damping (RFD) with a well-defined threshold can help reduce router processing time. RFC2439, RIPE580
  • Registry databases such as the IRRs and the registries of APNIC, ARIN, and RIPE must be kept continuously up to date, so that current information can be used to secure peering. Routing Manifesto
    For example, the “Route Object” field can help validate routes received from peers. APNIC: Routing object, RIPE: Managing ROAs
  • Configuration updates for the routing infrastructure may only be performed by a defined authority using strong authentication.
  • Monitor the status of BGP to detect unusual behaviour such as path changes or unusual announcements. DRAFT OPSEC BGP SECURITY
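The RPKI origin validation recommended in this section and in the AS hijacking section above, together with the BGP monitoring item, can be illustrated in one piece of code. The following is an added example written for this page, not code from the original page or from any of the cited documents. It implements the RFC 6811 origin validation states (valid, invalid, not-found) against a constructed ROA set, then runs a simple monitor over constructed BGP update records that raises alerts on RPKI-invalid announcements, origin changes against a first-seen baseline, and AS path changes. The ROAs, ASNs, prefixes and update records are all assumed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed ROA set (assumed sample data, not a real RPKI repository):
# (prefix, maxLength, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation.

    A ROA covers an announcement when the ROA prefix contains the announced
    prefix. The announcement is "valid" if some covering ROA carries the same
    origin ASN and a maxLength >= the announced prefix length, "invalid" if
    covering ROAs exist but none matches, and "not-found" if no ROA covers it.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed BGP update records (not captured from a real collector):
# (timestamp, announcing peer, prefix, AS path with the origin as last ASN).
SAMPLE_UPDATES = [
    ("2024-01-01T00:00:00Z", "peer1", "192.0.2.0/24", [64496, 64500]),
    ("2024-01-01T00:05:00Z", "peer2", "198.51.100.0/22", [64497, 64501]),
    ("2024-01-01T00:10:00Z", "peer1", "192.0.2.0/24", [64496, 64499, 64500]),  # new path, same origin
    ("2024-01-01T00:15:00Z", "peer2", "192.0.2.0/24", [64497, 64666]),         # unexpected origin
    ("2024-01-01T00:20:00Z", "peer2", "198.51.100.0/25", [64497, 64501]),      # more specific than maxLength
    ("2024-01-01T00:25:00Z", "peer1", "203.0.113.0/24", [64496, 64502]),       # no covering ROA
]


def monitor(updates, roas=ROAS):
    """Return alert strings for RPKI-invalid announcements, origin changes
    against the first-seen baseline, and AS path changes per prefix.
    The origin is taken as the last ASN; AS_SETs are not modelled here."""
    baseline_origin = {}
    seen_paths = defaultdict(set)
    alerts = []
    for ts, peer, prefix, path in updates:
        origin = path[-1]
        if validate_origin(prefix, origin, roas) == "invalid":
            alerts.append(f"{ts} {peer} RPKI-INVALID {prefix} origin AS{origin}")
        if prefix not in baseline_origin:
            baseline_origin[prefix] = origin
        elif baseline_origin[prefix] != origin:
            alerts.append(f"{ts} {peer} ORIGIN-CHANGE {prefix} "
                          f"AS{baseline_origin[prefix]} -> AS{origin}")
        key = tuple(path)
        if seen_paths[prefix] and key not in seen_paths[prefix]:
            alerts.append(f"{ts} {peer} PATH-CHANGE {prefix} {'_'.join(map(str, path))}")
        seen_paths[prefix].add(key)
    return alerts


if __name__ == "__main__":
    for line in monitor(SAMPLE_UPDATES):
        print(line)
```

Note that a "not-found" result (the last sample update) produces no alert: most of the routing table is still not covered by ROAs, so only "invalid" is actionable, while an origin change on a prefix that was previously seen with a different origin is worth an alert regardless of RPKI state.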
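The ingress filtering, uRPF and customer egress filtering items in the list above are all forms of source address validation. The following added example (written for this page, not taken from the original page or from the cited RFCs and RIPE documents) models them against a constructed forwarding table: strict uRPF requires that the best route back to the packet's source leaves through the interface the packet arrived on, loose uRPF only requires that some non-default route to the source exists, and the BCP 38 style customer ingress and egress filters compare the source address with the customer's assigned prefixes. The FIB, interface names and customer assignments are assumed sample values.

```python
import ipaddress

# Constructed forwarding table (assumed sample data, not from a real router):
# (prefix, egress interface).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("203.0.113.0/24", "peer0"),
]

# Assumed address assignments per customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust1": ["192.0.2.0/24"],
    "cust2": ["198.51.100.0/24"],
}


def lookup(ip: str, fib=FIB, allow_default=True):
    """Longest-prefix match. Returns the egress interface or None.
    With allow_default=False the default route is ignored, mirroring the
    usual router behaviour for loose uRPF when allow-default is not set."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_check(src_ip: str, in_iface: str, mode="strict", fib=FIB) -> bool:
    """Unicast Reverse Path Forwarding check on a received packet.

    strict: the best route to the source must exit via the arrival interface.
            This catches spoofed sources on single-homed customer links but
            drops legitimate traffic on links with asymmetric routing.
    loose:  any non-default route to the source is enough; this only catches
            sources that have no route at all (for example, bogons)."""
    if mode == "strict":
        return lookup(src_ip, fib) == in_iface
    if mode == "loose":
        return lookup(src_ip, fib, allow_default=False) is not None
    raise ValueError(f"unknown uRPF mode {mode!r}")


def _in_any(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def customer_ingress_ok(src_ip: str, in_iface: str, assignments=CUSTOMER_PREFIXES) -> bool:
    """Ingress filter on a customer-facing interface: accept only packets whose
    source lies inside that customer's assigned address space."""
    return _in_any(src_ip, assignments.get(in_iface, []))


def egress_to_customer_ok(src_ip: str, out_iface: str, assignments=CUSTOMER_PREFIXES) -> bool:
    """Egress filter toward a customer: drop packets heading to the customer
    whose source address belongs to the customer's own assigned space, since
    such packets cannot legitimately originate on the Internet side."""
    return not _in_any(src_ip, assignments.get(out_iface, []))


if __name__ == "__main__":
    print("strict uRPF, legitimate customer source:", urpf_check("192.0.2.5", "cust1"))
    print("strict uRPF, source spoofed from another customer:", urpf_check("198.51.100.5", "cust1"))
    print("loose uRPF, unrouted source from upstream:", urpf_check("10.1.1.1", "upstream0", "loose"))
```

The choice of mode matters: strict mode on the upstream interface in this table would reject every packet sourced from a customer prefix, which is correct for traffic that should never arrive from upstream, but on a multihomed customer link strict mode can drop legitimate return traffic, which is why loose mode is commonly used where routing is asymmetric.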


Route leaks

A route leak is said to occur when AS A advertises to its neighbours BGP routes that it has received from AS B, even though AS A is not regarded as a transit provider for the announced prefixes. [27]
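The definition above can be checked mechanically if the business relationships between the ASes in a path are known: a route learned from a customer may be exported to anyone, but a route learned from a peer or a provider may only be exported to customers (the valley-free rule). The following added example, written for this page and not taken from the original page or the cited reports, walks an AS path in propagation order (origin first) against a constructed relationship table and names the AS that violated the rule. The ASNs and relationships are assumed sample data, not a real relationship dataset.

```python
# Constructed AS relationship table (assumed sample data):
# (a, b, "p2c") means a is a transit provider of b; (a, b, "p2p") means a and b peer.
RELATIONSHIPS = [
    (64496, 64500, "p2c"),   # 64496 provides transit to 64500
    (64497, 64500, "p2c"),   # 64497 also provides transit to 64500 (multihomed)
    (64496, 64497, "p2p"),   # the two providers peer with each other
    (64500, 64510, "p2c"),   # 64500 provides transit to its own customer 64510
]


def relationship(a: int, b: int, rels=RELATIONSHIPS):
    """Relationship of a toward b: 'p2c' (a is b's provider), 'c2p' (a is b's
    customer), 'p2p' (peers) or None when the pair is not in the table."""
    for x, y, rel in rels:
        if rel == "p2c":
            if (x, y) == (a, b):
                return "p2c"
            if (x, y) == (b, a):
                return "c2p"
        elif rel == "p2p" and {x, y} == {a, b}:
            return "p2p"
    return None


def find_route_leak(as_path, rels=RELATIONSHIPS):
    """Check a BGP AS path (as received: first hop ... origin) against the
    valley-free export rule.

    Returns ("ok", None), ("leak", leaking_asn) or ("unknown", asn) when a
    relationship needed for the decision is missing from the table.
    Consecutive duplicate ASNs (path prepending) are collapsed first."""
    hops = []
    for asn in reversed(as_path):          # propagation order: origin first
        if not hops or hops[-1] != asn:
            hops.append(asn)
    for i in range(1, len(hops) - 1):
        asn, learned_from, exported_to = hops[i], hops[i - 1], hops[i + 1]
        up = relationship(asn, learned_from, rels)
        down = relationship(asn, exported_to, rels)
        if up is None or down is None:
            return ("unknown", asn)
        if up == "p2c":
            continue                       # learned from a customer: export to anyone is fine
        if down != "p2c":
            return ("leak", asn)           # learned from peer/provider, exported to a non-customer
    return ("ok", None)


if __name__ == "__main__":
    # 64500 re-advertises a route learned from provider 64496 to its other provider 64497.
    print(find_route_leak([64497, 64500, 64496]))
    # 64500 advertises its own customer's route upward, which is legitimate.
    print(find_route_leak([64496, 64500, 64510]))
```

Relationship inference is itself approximate, so a production detector would treat the "unknown" result as a signal to look at the path rather than as a verdict either way.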

Examples:

Hijack by AS4761 – Indosat, a quick report
How the Internet in Australia went down under
Large route leaks

Good Practice:


BGP session hijacking

BGP session hijacking denotes an alteration of the contents of the BGP routing table by a malicious device, which can, among other impacts, prevent traffic from reaching the intended destination without acknowledgement or notification. [30][31][32]

Examples:

Short-Lived BGP Session Hijacking
Measuring and Analyzing on Effection of BGP Session Hijack Attack

Good Practice:

  • Establish prefix filtering and automate the generation of prefix filters. BCP185, RFC2439, RIPE580
  • Employ AS path filtering. DRAFT OPSEC BGP SECURITY
  • Use TCP-AO (TCP Authentication Option) to authenticate BGP sessions in place of TCP-MD5; TCP-AO simplifies the exchange of keys. [129] RFC5926
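The prefix filtering and AS path filtering items above can be expressed as a small inbound policy. The following added example, written for this page and not taken from the original page or from BCP185 or the OPSEC draft, implements the checks an operator typically applies to announcements received from an eBGP neighbour: reject the default route, prefixes more specific than a configured limit, bogon space and the operator's own address space, and reject AS paths whose first ASN is not the neighbour, that contain AS 0 or private ASNs, that exceed a length limit, or (for customer sessions) that contain ASNs outside the customer's expected cone. All policy values, prefixes and ASNs are assumed sample values; IPv4 is assumed throughout.

```python
import ipaddress

# Assumed policy values (constructed for this example, not a real operator's policy).
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3",
]
OWN_PREFIXES = ["192.0.2.0/24"]   # assumed: address space this network originates itself
MAX_PREFIX_LEN = 24               # assumed: nothing more specific than /24 is accepted
MAX_AS_PATH_LEN = 50              # assumed: longer paths are treated as anomalous
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]


def _covers(outer: ipaddress.IPv4Network, inner: ipaddress.IPv4Network) -> bool:
    return outer.version == inner.version and inner.subnet_of(outer)


def prefix_filter(prefix: str, own=OWN_PREFIXES, bogons=BOGONS, max_len=MAX_PREFIX_LEN):
    """Inbound prefix filter. Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return (False, "default route")
    if net.prefixlen > max_len:
        return (False, "too specific")
    for b in bogons:
        if _covers(ipaddress.ip_network(b), net):
            return (False, "bogon")
    for o in own:
        own_net = ipaddress.ip_network(o)
        # Reject both more-specifics of our space and any prefix covering it.
        if _covers(own_net, net) or _covers(net, own_net):
            return (False, "own address space")
    return (True, "accept")


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def as_path_filter(path, peer_asn: int, customer_cone=None, max_len=MAX_AS_PATH_LEN):
    """Inbound AS path filter for an eBGP session with peer_asn.
    customer_cone, when given, is the set of ASNs a customer is expected to
    announce (its own ASN and its downstream customers). Returns (accepted, reason)."""
    if not path:
        return (False, "empty path")
    if path[0] != peer_asn:
        return (False, "first AS is not the peer")
    if len(path) > max_len:
        return (False, "path too long")
    for asn in path:
        if asn == 0:
            return (False, "AS 0 in path")
        if is_private_asn(asn):
            return (False, "private ASN in path")
    if customer_cone is not None and not set(path) <= set(customer_cone):
        return (False, "AS outside customer cone")
    return (True, "accept")


if __name__ == "__main__":
    for p in ["203.0.113.0/24", "203.0.113.0/25", "10.1.0.0/16", "192.0.2.0/25", "0.0.0.0/0"]:
        print(p, prefix_filter(p))
    print(as_path_filter([64500, 64510], 64500, customer_cone={64500, 64510}))
    print(as_path_filter([64510, 64500], 64500))
```

In practice the customer cone and the per-peer prefix lists are what the "automation of prefix filters" item refers to: they are generated from IRR and RPKI data rather than maintained by hand, so that the filter tracks the registry as it changes.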