
BGP Communities: Even more Worms in the Routing Can, ACM IMC 2018


  1. BGP Communities: Even more Worms in the Routing Can
     ACM IMC 2018, Boston, MA, USA, Nov 1, 2018
     Florian Streibelt (1) <fstreibelt@mpi-inf.mpg.de>, Franziska Lichtblau (1), Robert Beverly (2), Cristel Pelsser (3), Georgios Smaragdakis (4), Randy Bush (5), Anja Feldmann (1)
     (1) Max Planck Institute for Informatics (MPII), (2) Naval Postgraduate School (NPS), (3) University of Strasbourg, (4) TU Berlin (TUB), (5) Internet Initiative Japan (IIJ)

  2. Introduction

  3. Contributions
     • We provide an analysis of BGP community propagation on the Internet
     • We show that BGP communities (as used by operators to realize traffic management) can be used as an attack vector
     • We verify this via experiments in the lab as well as in the wild
     • We provide some hints on the secure usage of BGP communities

  4. BGP Community usage is increasing
     [Figure: # unique ASes in communities, # unique communities, # absolute communities and # BGP table entries, plotted per year from 2010 to 2018]

  5. BGP Community usage is increasing
     [Figure: same plot as the previous slide, annotated with +296%]
     Increasing usage warrants a closer look.

  6. BGP (Border Gateway Protocol)

  7. BGP (Border Gateway Protocol)
     [Diagram: topology with AS1, AS2, AS3, AS4, AS5 and AS6]

  8. BGP (Border Gateway Protocol)
     [Diagram: same topology; AS1 is the origin AS of prefix p]
     • AS1 announces prefix p

  9. BGP (Border Gateway Protocol)
     [Diagram: same topology; p reaches the upstreams of AS1]
     • AS1 announces prefix p, upstreams pick up p

  10. BGP (Border Gateway Protocol)
      [Diagram: same topology; p has reached AS6]
      AS-Paths for p in AS6: AS6, AS4, AS2, AS1 and AS6, AS5, AS3, AS1
      • AS1 announces prefix p, upstreams pick up p
      • AS6 receives first announcements for p

  11. BGP (Border Gateway Protocol)
      [Diagram: same topology; p propagated over all links]
      AS-Paths for p in AS6: AS6, AS4, AS2, AS1; AS6, AS4, AS5, AS3, AS1; AS6, AS5, AS3, AS1; AS6, AS5, AS4, AS2, AS1
      For simplicity assuming AS2-AS5 are transit providers
      • AS1 announces prefix p, upstreams pick up p
      • AS6 receives first announcements for p
      • Eventually AS6 sees multiple available paths for p

  12. BGP (Border Gateway Protocol)
      [Diagram: same topology and AS-Paths as the previous slide]
      BGP
      • BGP communicates reachability information
      • Announcement messages also carry various attributes
      • One of these attributes is BGP communities

  13. BGP Communities
      • RFC 1997: Optional attribute in BGP message (32 bit)
      • By convention written ASN:VALUE
      • ASN can be both sender or intended 'recipient'
      • Every network decides the semantics behind the values
      • New standard: Large Communities (96 bit), not yet widely deployed
      [Figure: the 32-bit value 0x00000000011110110000000111001000 split into two 16-bit fields, 0x1111011 (AS number, 123) and 0x111001000 (community value, 456), written 123:456]

  14. BGP Communities: Usage
      Informational Communities (Passive Semantics)
      • Location tagging
      • RTT tagging
      Action Communities (Active Semantics)
      • Remote triggered blackholing
      • Path prepending
      • Local pref/MED
      • Selective announcements
      Used by operators to realize policies. Without documentation, you cannot tell if a community is active or passive!

  15. BGP Communities As Attack Vector?
      Given the increasing popularity of BGP communities and the ability to trigger actions as well as relay information, one question arises: To what extent can BGP communities be leveraged for attacks?

  16. Propagation behavior
      • RFC 1997: Communities as a transitive optional attribute
      • RFC 7454: Scrub own, forward foreign communities
      • 14% of transit providers propagate received communities (2.2k of 15.5k)
      • Ratio seems small, but AS graph is highly connected
      Still many people do not expect communities to propagate that widely.

  17. Potential (for) misuse
      • Propagated communities might trigger actions multiple AS-hops away
      • No way of knowing if intended or not, e.g., for traffic management
      • But are there also unintended consequences?
      Our assessment is that there is a high risk for attacks!

  18. Observations

  19. BGP Dataset
      BGP updates and table dumps of April 2018 from publicly available BGP Collector Projects: RIPE RIS, Routeviews, Isolario, PCH.
      • BGP messages: 38.98 bn
      • IPv4 prefixes: 967,499
      • IPv6 prefixes: 84,953
      • Collectors: 194
      • AS peers: 2,133
      • Communities: 63,797
      More than 75% of all BGP announcements have at least one BGP community set, 5,659 ASes are using communities.

  20. BGP Communities propagation

  21. BGP Communities propagation
      [Diagram: AS1, AS2, AS3, AS4]

  22. BGP Communities propagation
      [Diagram: AS1, AS2, AS3, AS4; prefix p is passed along each link]
      • AS1 announces prefix p

  23. BGP Communities propagation
      [Diagram: as before]
      AS4 sees AS-Path: AS4, AS3, AS2, AS1
      • AS1 announces prefix p, AS4 receives announcement

  24. BGP Communities propagation
      [Diagram: as before; AS2 adds community 2:303]
      2:303: informational community of AS2
      AS4 sees AS-Path: AS4, AS3, AS2, AS1
      • AS1 announces prefix p, AS4 receives announcement
      • Informational community 2:303 is added by AS2

  25. BGP Communities propagation
      [Diagram: as before; AS2 adds communities, AS3 forwards communities]
      2:303: informational community of AS2
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203
      • AS1 announces prefix p, AS4 receives announcement
      • Informational community 2:303 is added by AS2

  26. BGP Communities propagation
      [Diagram: as before; AS2 adds communities 2:303 and 3:123, AS3 forwards communities]
      2:303: informational community of AS2
      3:123: action community towards AS3
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203
      • AS1 announces prefix p, AS4 receives announcement
      • Informational community 2:303 is added by AS2
      • AS2 also adds action community 3:123 for AS3

  27. BGP Communities propagation
      [Diagram: as before; 2:303 and 3:123 are carried on to AS4]
      2:303: informational community of AS2
      3:123: action community towards AS3
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203, 3:123
      • AS1 announces prefix p, AS4 receives announcement
      • Informational community 2:303 is added by AS2
      • AS2 also adds action community 3:123 for AS3
      • Both communities are forwarded by AS3 to AS4

  28. BGP Communities propagation
      [Diagram: as before]
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203, 3:123

  29. BGP Communities propagation
      [Diagram: as before]
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203, 3:123
      • We can only infer which AS added a specific community

  30. BGP Communities propagation
      [Diagram: as before]
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203, 3:123
      • We can only infer which AS added a specific community
      • We assume that a community n:value was added by AS n

  31. BGP Communities propagation
      [Diagram: as before]
      Inferred travel-distance is a lower bound!
      2:303 traversed at least two AS-links
      3:123 traversed at least one AS-link
      AS4 sees AS-Path: AS4, AS3, AS2, AS1; Communities: 2:203, 3:123
      • We can only infer which AS added a specific community
      • We assume that a community n:value was added by AS n
      • This gives a lower bound for the 'travel distance'
      • In above example we calculate AS-hop-count 1 for 3:123

  32. BGP Community Propagation Observations
      [Figure: ECDF of the fraction of communities (y-axis, 0.0 to 1.0) over AS hop count (x-axis, 0 to 10)]
      • 10% of communities have an AS hop count of more than six
      • More than 50% of communities traverse more than four ASes
      • Longest community propagation observed: 11 AS hops

  35. BGP Community Propagation Behavior
      [Diagram: AS1, AS2, AS3 and AS4]

  36. BGP Community Propagation Behavior
      [Diagram: as before; prefix p is passed along each link]
      • AS1 announces prefix p

  37. BGP Community Propagation Behavior
      [Diagram: as before; p carries community 3:123 on each link]
      • AS1 announces prefix p, tagged with 3:123

  38. BGP Community Propagation Behavior
      [Diagram: as before; p carries community 3:123 on each link]
      • AS1 announces prefix p, tagged with 3:123
      • Community is intended for signaling towards AS3
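
The ASN:VALUE encoding from the "BGP Communities" slide and the lower-bound hop inference from the "BGP Communities propagation" slides, as an added Python example (not code from the slides or the authors' measurement tooling). The function names and sample inputs are constructed for illustration, and the AS path is assumed to be listed observer-first, as on the slides.

```python
from typing import Optional

def decode_community(raw: int) -> tuple[int, int]:
    """Split an RFC 1997 community (32 bit) into (ASN, value), 16 bit each."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("RFC 1997 communities are 32-bit values")
    return raw >> 16, raw & 0xFFFF

def parse_community(text: str) -> tuple[int, int]:
    """Parse the conventional ASN:VALUE notation, rejecting out-of-range fields."""
    asn_s, sep, val_s = text.partition(":")
    if not sep or not asn_s.isdigit() or not val_s.isdigit():
        raise ValueError(f"not ASN:VALUE: {text!r}")
    asn, value = int(asn_s), int(val_s)
    if asn > 0xFFFF or value > 0xFFFF:
        raise ValueError(f"field exceeds 16 bit: {text!r}")
    return asn, value

def min_hop_count(as_path: list[int], community: str) -> Optional[int]:
    """Lower bound on the AS links a community traversed to reach the observer.

    as_path is observer-first (AS4, AS3, AS2, AS1 on the slides). Assumes, as
    the slides do, that n:value was added by AS n. Returns None when AS n is
    not on the path, because nothing can be inferred in that case.
    """
    asn, _ = parse_community(community)
    # Collapse AS-path prepending (repeated ASNs) so it does not inflate the count.
    hops = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    # The match closest to the observer gives the shortest distance: a lower bound.
    return hops.index(asn) if asn in hops else None

def hop_counts(as_path: list[int], communities: list[str]) -> dict:
    """Map each community seen on a route to its inferred minimum hop count."""
    return {c: min_hop_count(as_path, c) for c in communities}

if __name__ == "__main__":
    # Constructed input mirroring the slide example as seen at AS4.
    print(decode_community((123 << 16) | 456))
    print(hop_counts([4, 3, 2, 1], ["2:303", "3:123", "65000:1"]))
```

A `None` result marks a community whose ASN field is not on the AS path, which is the case where the slides' assumption cannot place the tagging AS at all.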
