
A Taxonomy of Attacks Using BGP Blackholing

Loïc Miller and Cristel Pelsser, University of Strasbourg, September 23, 2019


  1. A Taxonomy of Attacks Using BGP Blackholing Loïc Miller and Cristel Pelsser September 23, 2019 University of Strasbourg

  2. BGP Blackholing. Blackholing is a DDoS mitigation technique signaled via BGP [1]. [Figure: nodes AS 10, AS 20, AS 30; prefix P: 192.0.2.0/24] [1] Rekhter, Li, and Hares, A Border Gateway Protocol 4 (BGP-4).

  3. BGP Blackholing. Blackholing is a DDoS mitigation technique signaled via BGP [1]. The Internet is composed of Autonomous Systems (AS): one or more networks under the control of a single entity. [Figure 1: BGP Blackholing; nodes AS 10, AS 20, AS 30; prefix P: 192.0.2.0/24] [1] Rekhter, Li, and Hares, A Border Gateway Protocol 4 (BGP-4).

  4. BGP Blackholing. Blackholing is a DDoS mitigation technique signaled via BGP [1]. The Internet is composed of Autonomous Systems (AS): one or more networks under the control of a single entity. [Figure 1: BGP Blackholing; nodes AS 10, AS 20, AS 30; prefix P: 192.0.2.0/24] [1] Rekhter, Li, and Hares, A Border Gateway Protocol 4 (BGP-4).

  5. BGP Blackholing. Blackholing is a DDoS mitigation technique signaled via BGP [1]. The Internet is composed of Autonomous Systems (AS): one or more networks under the control of a single entity. [Figure 1: BGP Blackholing; nodes AS 10, AS 20, AS 30; prefix P: 192.0.2.0/24; label: BLACKHOLE] [1] Rekhter, Li, and Hares, A Border Gateway Protocol 4 (BGP-4).

  6. BGP Blackholing. Blackholing is a DDoS mitigation technique signaled via BGP [1]. The Internet is composed of Autonomous Systems (AS): one or more networks under the control of a single entity. [Figure 1: BGP Blackholing; nodes AS 10, AS 20, AS 30; prefix P: 192.0.2.0/24; label: BLACKHOLE] Blackholing has a double-edged sword effect: all traffic is dropped. [1] Rekhter, Li, and Hares, A Border Gateway Protocol 4 (BGP-4).

  7. Objectives.

  8. Objectives. Can blackholing be used with malicious intent?

  9. Objectives. Can blackholing be used with malicious intent? Are there different types of attacks?

  10. Objectives. Can blackholing be used with malicious intent? Are there different types of attacks? Are there any existing and relevant security mechanisms?

  11. Objectives. Can blackholing be used with malicious intent? Are there different types of attacks? Are there any existing and relevant security mechanisms? Are these mechanisms enough?

  12. Quick BGP Primer. [Figure 2: BGP message propagation; nodes AS 1 to AS 6; prefix 10.1.0.0/16]

  13. Quick BGP Primer. [Figure 2: BGP message propagation; nodes AS 1 to AS 6; prefix 10.1.0.0/16; announcement label: 10.1/16 AS5]

  14. Quick BGP Primer. [Figure 2: BGP message propagation; nodes AS 1 to AS 6; prefix 10.1.0.0/16; announcement labels: 10.1/16 AS3 AS5 (three times)]

  15. Quick BGP Primer. [Figure 2: BGP message propagation; nodes AS 1 to AS 6; prefix 10.1.0.0/16; announcement labels: 10.1/16 AS1 AS3 AS5, 10.1/16 AS4 AS3 AS5]

  16. Quick BGP Primer. [Figure 2: BGP message propagation; nodes AS 1 to AS 6; prefix 10.1.0.0/16]

  17. BGP Hijacks. As BGP is a distributed protocol, lacking authentication of route origins and verification of paths, ASes can advertise illegitimate routes for prefixes they do not own, attracting some or all of the traffic to these prefixes.

  18. BGP Hijacks. [Figure 3: BGP hijack; nodes AS 1 to AS 6; prefix 10.1.0.0/16]

  19. BGP Hijacks. [Figure 3: BGP hijack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice)]

  20. BGP Hijacks. [Figure 3: BGP hijack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice); announcement labels: 10.1/16 AS6 (twice)]

  21. BGP Hijacks. [Figure 3: BGP hijack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice); announcement labels: 10.1/16 AS4 AS6 (twice)]

  22. BGP Hijacks. [Figure 3: BGP hijack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice); announcement label: 10.1/16 AS2 AS4 AS6]

  23. BGP Hijacks. [Figure 3: BGP hijack (Type-0 [2]); nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice)] [2] Sermpezis et al., "ARTEMIS: Neutralizing BGP hijacking within a minute".

  24. BGP Hijacks. 5304 routing attacks in 2017 alone [2]. [Figure 3: BGP hijack (Type-0); nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice)] [2] Robachevsky, 14,000 Incidents: A 2017 Routing Security Year in Review.

  25. BGP Blackjacks - Type-0. [Figure 4: Type-0 blackjack; nodes AS 1 to AS 6; prefix 10.1.0.0/16]

  26. BGP Blackjacks - Type-0. [Figure 4: Type-0 blackjack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice)]

  27. BGP Blackjacks - Type-0. [Figure 4: Type-0 blackjack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice); labels: 10.1/16 AS6 (twice), AS4:666, AS3:666]

  28. BGP Blackjacks - Type-0. [Figure 4: Type-0 blackjack; nodes AS 1 to AS 6; prefix 10.1.0.0/16 (shown twice)]

  29. Best practices for legitimate blackholing empower blackjacks. Best practices for blackholing [3]: Give a higher priority to blackholing. Do not propagate the advertisement across AS borders. [3] Cisco, Remotely Triggered Black Hole Filtering - Destination Based and Source Based.

  30. Best practices for legitimate blackholing empower blackjacks. Best practices for blackholing [3]: Give a higher priority to blackholing. Do not propagate the advertisement across AS borders. Advantages of blackjacks. Reach: Precedence over AS path length. Even ASes far away are vulnerable. No propagation: More disruption. Stealth: The attacker is not dropping traffic himself. [3] Cisco, Remotely Triggered Black Hole Filtering - Destination Based and Source Based.

  31. RPKI - Resource Public Key Infrastructure [4]. The RPKI is a distributed, hierarchic public key infrastructure. It allows prefix holders to emit digitally signed objects attesting that a given AS is authorized to originate routes for a set of prefixes. [4] Lepinski and Kent, An Infrastructure to Support Secure Internet Routing.

  32. RPKI - Resource Public Key Infrastructure. [Figure 5: RPKI usage; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16]

  33. RPKI - Resource Public Key Infrastructure. [Figure 5: RPKI usage; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16; announcement label: 10.1/16 AS5]

  34. RPKI - Resource Public Key Infrastructure. [Figure 5: RPKI usage; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice)]

  35. RPKI - Resource Public Key Infrastructure. [Figure 5: RPKI usage; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice); labels: 10.1/16 AS6 (twice), AS4:666, AS3:666]

  36. RPKI - Resource Public Key Infrastructure. [Figure 5: RPKI usage; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice)]

  37. BGP Blackjacks - Type-N. [Figure 6: Type-N blackjack; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16]

  38. BGP Blackjacks - Type-N. [Figure 6: Type-N blackjack; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice)]

  39. BGP Blackjacks - Type-N. [Figure 6: Type-N blackjack; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice); labels: 10.1/16 AS6 AS5 (twice), AS4:666, AS3:666]

  40. BGP Blackjacks - Type-N. [Figure 6: Type-N blackjack; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice); labels: 10.1/16 AS6 AS5 (twice), AS4:666, AS3:666]

  41. BGP Blackjacks - Type-N. [Figure 6: Type-N blackjack; nodes AS 1 to AS 6, RPKI pub. point; prefix 10.1.0.0/16 (shown twice)]

  42. BGPsec [5]. BGPsec modifies BGP to allow ASes to sign advertisements. This guarantees the AS path reflects the actual path the advertisement went through. [5] Lepinski and Sriram, BGPsec Protocol Specification.

  43. BGPsec. [Figure 7: BGPsec message propagation; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16]

  44. BGPsec. [Figure 7: BGPsec message propagation; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16; announcement label: 5 10.1/16 - AS3 AS5]

  45. BGPsec. [Figure 7: BGPsec message propagation; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16; announcement labels: 5 10.1/16 - AS3 AS5 (three times), 3 10.1/16 - AS4 AS3 AS5, 3 10.1/16 - AS1 AS3 AS5, 3 10.1/16 - AS6 AS3 AS5]

  46. BGPsec. [Figure 7: BGPsec message propagation; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16; announcement labels: 5 10.1/16 - AS3 AS5 (twice), 3 10.1/16 - AS1 AS3 AS5, 1 10.1/16 - AS2 AS1 AS3 AS5, 3 10.1/16 - AS4 AS3 AS5, 4 10.1/16 - AS6 AS4 AS3 AS5]

  47. BGPsec. [Figure 7: BGPsec message propagation; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16]

  48. BGP Blackjacks - Type-N. [Figure 8: Type-N blackjack; nodes AS 1 to AS 6, each with a numbered label 1 to 6, RPKI pub. point; prefix 10.1.0.0/16]

  49. BGP Blackjacks - Type-N. [Figure 8: Type-N blackjack; nodes AS 1 to AS 6, each with a numbered label 1 to 6, RPKI pub. point; prefix 10.1.0.0/16]

  50. BGP Blackjacks - Type-N. [Figure 8: Type-N blackjack; nodes AS 1 to AS 6, each with a numbered label 1 to 6, RPKI pub. point; prefix 10.1.0.0/16; labels: 10.1/16 AS6 AS5 (twice), AS4:666, AS3:666]

  51. BGP Blackjacks - Type-N. [Figure 8: Type-N blackjack; nodes AS 1 to AS 6, each with a numbered label 1 to 6, RPKI pub. point; prefix 10.1.0.0/16]

  52. BGP Blackjacks - On Path. [Figure 9: On Path blackjack; nodes AS 1 to AS 6, each with a numbered label 1 to 6; prefix 10.1.0.0/16]
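
The RPKI slides (31 to 41) can be followed with a small route origin validation check, written in the style of RFC 6811. This is an added example, not code from the presentation: the ROA, its maxLength and the field names are assumptions, and the three announcements are constructed from the figure labels. It shows what a router doing origin validation alone sees: the Type-0 announcement (10.1/16 AS6) is Invalid, while the Type-N announcement (10.1/16 AS6 AS5) still validates because its rightmost AS is the authorized origin.

```python
from ipaddress import ip_network

# Constructed ROA matching the slides: AS5 is the authorized origin of
# 10.1.0.0/16. The maxLength of 16 is an assumption.
ROAS = [{"prefix": ip_network("10.1.0.0/16"), "max_length": 16, "asn": 5}]

BLACKHOLE_VALUE = 666  # community value shown in the figures (AS4:666, AS3:666)


def rov_state(prefix, origin_asn, roas=ROAS):
    """Route origin validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ip_network(prefix)
    covered = False
    for roa in roas:
        same_family = prefix.version == roa["prefix"].version
        if not same_family or not prefix.subnet_of(roa["prefix"]):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa["asn"] == origin_asn and prefix.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid" if covered else "not-found"


def screen(announcement, roas=ROAS):
    """Classify an announcement as a router doing only ROV would see it."""
    origin = announcement["as_path"][-1]  # rightmost AS is the origin
    state = rov_state(announcement["prefix"], origin, roas)
    blackhole = any(v == BLACKHOLE_VALUE for _, v in announcement["communities"])
    return {"rov": state, "blackhole": blackhole,
            "dropped_by_rov": state == "invalid"}


# Constructed announcements taken from the figure labels.
LEGIT = {"prefix": "10.1.0.0/16", "as_path": [3, 5], "communities": []}
TYPE_0 = {"prefix": "10.1.0.0/16", "as_path": [6], "communities": [(4, 666)]}
TYPE_N = {"prefix": "10.1.0.0/16", "as_path": [6, 5], "communities": [(4, 666)]}

if __name__ == "__main__":
    for name, ann in (("legit", LEGIT), ("type-0", TYPE_0), ("type-N", TYPE_N)):
        print(name, screen(ann))
```

Origin validation never inspects the rest of the AS path or the communities, so a blackhole request that passes it still needs a separate check on who is allowed to signal blackholing for the prefix.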
