Routing Security

Network Security: Routing security
Aapo Kalliola
T-110.5241 Network security
Aalto University, Nov-Dec 2012
Outline
1. Structure of internet
2. Routing basics
3. Security issues
4. Attack
5. Solutions (?)
6. Censorship and avoidance
7. Case studies
Couldn’t routing be trivial?
“Explosive growth is taxing current Internet routing mechanisms. New sites continue to join the Internet… In some sense, the Internet is a victim of its own success; many routing protocols are being used in environments for which they had not been designed.”
- Thomas Narten, “Internet routing”, 1989
Routing basics
Internet (?)
Internet, late 1980s
Hosts, networks and gateways
[Figure: example topology of hosts (H), networks (N1-N5) and gateways (G1-G6)]
Internet, 1990s
Hierarchical structure
[Figure: hierarchy of national backbone, NAPs, regional access providers, local access providers (ISPs) and customer IP networks]
Internet 2000s
Rise of hyper giants
[Figure: global core with Google, CDNs etc. alongside the national backbone, regional / Tier 2 providers, IXPs, ISPs and customer IP networks]
Internet 2010s
Rise of IXPs
[Figure: huge traffic between Google, CDNs etc. and ISPs passing through IXPs, alongside the national backbone and customer IP networks]
What routing where?
Interior Gateway Protocols (IGP) within an Autonomous System (AS)
Exterior Gateway Protocols (EGP) between ASes
EGP can also refer to the precursor of BGP
Border Gateway Protocol (BGP) is, in practice, the only EGP in use
[Figure: chain of end host, customer network, ISP, IXP and backbone, labelled with where IGP and BGP run]
Routing in and between Autonomous Systems (ASes)
Tens of thousands of ASes
Internally motivated by efficiency
Externally motivated by
Link costs
Transmission capacity
Load
Policy decisions
Interior gateway protocols
IGPs exchange routing information within an AS
Link-state protocols maintain information about the
whole network topology
Open Shortest Path First (OSPF)
Intermediate System to Intermediate System (IS-IS)
Distance-vector protocols converge over time to
common understanding of paths
RIP / RIPv2
IGRP
Hybrid protocols have features from both
E-IGRP
Border gateway protocol
BGP is the protocol for making routing decisions between ASes
Routing decisions are not made by automation but
rather by commercial interests
Two main types of relations:
Peering – exchanging traffic freely between peers
Transit – smaller AS buying data transit from larger AS
BGP
Design goals
Scalability for connecting AS on internet scale
Enabling policy decisions such as filtering route
announcements
Must work in a distributed competitive environment (vs.
early centralized internet)
Two types of BGP sessions
eBGP for routers from different ASes
• Route information exchange between ASes
iBGP for routers within AS
• Disseminating information about learned external routes
within AS
How routes are distributed
AS may be in three relations to another AS:
Peer
Customer
Provider
Typical model, not always so:
Routes from customers are re-distributed to customers,
peers and providers
Peer-learned routes are re-distributed to customers but
not to other peers nor to providers
Provider-learned routes are re-distributed to customers,
but not to other providers, nor to any peers
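The export rules above, written out as an added example (not part of the original slides), together with a check that names the AS whose re-announcement breaks them. BGP does not carry business relationships, so the REL table, the function names and the AS numbers (documentation range) are constructed assumptions.

```python
# Added example, not from the slides. ASNs are constructed (documentation range).
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"


def may_export(learned_from, send_to):
    """Typical model: customer-learned routes go to everyone;
    peer- and provider-learned routes go to customers only."""
    return learned_from == CUSTOMER or send_to == CUSTOMER


# REL[(a, b)] is what b is to a.
# 64496 buys transit from both 64497 and 64498; those two peer;
# 64499 is a customer of 64498.
REL = {
    (64496, 64497): PROVIDER, (64497, 64496): CUSTOMER,
    (64496, 64498): PROVIDER, (64498, 64496): CUSTOMER,
    (64497, 64498): PEER,     (64498, 64497): PEER,
    (64499, 64498): PROVIDER, (64498, 64499): CUSTOMER,
}


def find_leaker(observer, as_path, rel=REL):
    """as_path is given as the observer's BGP table shows it:
    nearest AS first, origin AS last.
    Returns the first AS whose re-announcement breaks the model, else None."""
    # Follow the announcement in the direction it propagated.
    hops = list(reversed(as_path)) + [observer]
    for prev, cur, nxt in zip(hops, hops[1:], hops[2:]):
        learned_from = rel[(cur, prev)]  # what the sender is to cur
        send_to = rel[(cur, nxt)]        # what the receiver is to cur
        if not may_export(learned_from, send_to):
            return cur
    return None


if __name__ == "__main__":
    # Customer route passed on by a peer: allowed.
    print(find_leaker(64497, [64498, 64499]))
    # Multi-homed customer re-announcing one provider's routes to the other.
    print(find_leaker(64497, [64496, 64498, 64499]))
```
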
BGP (cont.)
Data plane in green: host to host traffic
Control plane in blue: BGP route information
Both BGP and data flows need to work in reverse for two-way communication
Reverse path doesn’t need to be the same, though
[Figure: network of AS1, AS2, AS4, AS5, AS6 and AS7 with hosts H1 and H2]
BGP leak/hijack
Another AS claims to have a better route to a certain network
Reverse direction doesn’t need to be hijacked unless the attacker
wants to do a MitM attack
[Figure: network of AS1, AS2, AS4, AS5, AS6 and AS7 with hosts H1, H2 and H3]
How an AS is created
Apply for an AS number from local Regional Internet
Registry
Get a connection to an IXP
Could also just use a normal ISP -> waste of AS numbers
Get transit or peering from another AS
-> you’re on!
Security issues in routing
Attacks on BGP – outside
Link cutting
Physical
Logical
DoS
Attacks using data plane
Clever use of data plane DDoS to cut BGP connections
CXPST
CXPST is an extension of previous low-rate TCP
attack work on DDoSing big routers
Ingredients:
medium botnet (250000 bots)
Internet structure reconnaissance
Good timing
Overwhelm one router at a time
Router drops its BGP connections
When the router is re-establishing BGP connections,
target the neighbours
Could theoretically take down large parts of internet
Attacks on BGP – inside
Attacks on control plane
Route leaks
Route hijacks
Man-in-the-Middle
• Tricky but possible
Possible to find attacker AS, though not trivial
How to get inside?
Set up a throw-away AS
Use false information and stolen credit cards
Establish transit/peering
No need to have many connections
Advertise malicious routes
Profit!!
(or whatever you want to do with the traffic you get)
Leave the AS untended
Route leaking / hijacking
Route leaking
Accidental by definition
AS_x has multiple links to other ASes
AS_x gets complete internet route announcement set from its provider
AS_x accidentally announces the set through another AS link
This wrong announcement gets propagated
-> all traffic from affected ASes goes to AS_x
Route hijacking
Malicious by definition
AS_x announces a very good path to the target network
ASes receiving the announcement prefer this path and route traffic directed to the target to AS_x
-> traffic directed to attack target from affected ASes gets intercepted by AS_x
Could be indistinguishable from each other
BGP Man-in-the-Middle
Traceroute & plan reply path to target
Note the ASN’s seen towards target from traceroute
& bgp table on your router
Apply as-path prepends naming each of the ASN’s
intended for reply path
Set up static routes towards the next hop of the first
AS in reply path
-> done
Attacks
Traffic snooping
Comprehensive traffic recording?
This might already be going on without need for BGP
attacks
Popularization of IXPs?
“A few people operate the SIX with a few Cisco switches in a rack. Essentially every major carrier and service provider now connects to the SIX..”
Not really indicative of any real problem with IXPs, just
that there are many different parties involved in getting a
data packet from source to destination
Traffic spoofing
MITM for all traffic
Can also modify, possibly without detection
Total interception
Faked replies
Censorship purposes
Dropping / resetting / redirecting replies
Other
Spamming (fly-by)
Capture a network that hasn’t been used for malicious activity
Send spam from the network
Network gets blocked
Repeat
DoS
Capture the target network
Drop the incoming traffic
Target impersonation
Capture the target network
Reply to incoming traffic with valid responses of your own
Attacking the routers themselves
Default passwords
How to react?
Analysis of what is happening
Where the attack originates
Malicious vs. Accidental
Malicious attacks difficult to stop
• Must get several ASes to cooperate in filtering out the
offending route announcements
Accidents fixed by informing the origin of the erroneous traffic -> fixes in minutes, usually
After origin is fixed the global routing state corrects
itself
Complete correction might take a long time: hours/days
Solutions (?)
Sanity checks
Maximum number of routes accepted from a
neighbouring AS
Helps against accidental ”all-of-internet here” route leaks
Not accepting too specific routes
/22 probably ok, /32 suspicious
Cutting BGP sessions that clearly advertise erroneous routes
Might cause even worse problems
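A simplified model of these import-side checks, as an added example (not part of the original slides). The class and function names, the /24 cut-off for IPv4 and the constructed 10.0.0.0/8 prefixes are assumptions; the slides only say /22 is probably fine and /32 is suspicious. It also shows the side effect noted above: hitting the limit tears down the session and discards the good routes with the bad.

```python
import ipaddress
from itertools import islice


class NeighborFilter:
    """Import-side sanity checks for one BGP neighbour (simplified model)."""

    def __init__(self, max_prefixes, max_len_v4=24):
        self.max_prefixes = max_prefixes  # limit configured for this neighbour
        self.max_len_v4 = max_len_v4      # assumed cut-off, not from the slides
        self.accepted = set()
        self.session_up = True

    def receive(self, prefix):
        """Return 'accepted', 'rejected: ...' or 'session torn down'."""
        if not self.session_up:
            return "session torn down"
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            return "rejected: malformed prefix"
        # Only the IPv4 length check is modelled here.
        if net.version == 4 and net.prefixlen > self.max_len_v4:
            return "rejected: too specific"
        if net in self.accepted:
            return "accepted"
        if len(self.accepted) >= self.max_prefixes:
            # Maximum-prefix limit reached: drop the session and every
            # route learned over it, legitimate ones included.
            self.accepted.clear()
            self.session_up = False
            return "session torn down"
        self.accepted.add(net)
        return "accepted"


def simulate_leak(limit, leaked_count):
    """Feed leaked_count constructed /24s to a neighbour limited to limit."""
    flt = NeighborFilter(max_prefixes=limit)
    leaked = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    results = [flt.receive(str(p)) for p in islice(leaked, leaked_count)]
    return flt, results


if __name__ == "__main__":
    flt, results = simulate_leak(limit=5, leaked_count=10)
    print(results, flt.session_up)
```
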
Origin authentication
An AS gets a crypto certificate from its RIR
containing its network and AS number
It’s possible to verify AS identity using Resource Public Key Infrastructure (RPKI)
Additional overhead
Many routers don’t support RPKI
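How a router uses such data to judge an announcement, as an added example (not part of the original slides). It follows the valid / invalid / not-found outcome of RPKI route origin validation and starts from already verified (prefix, maximum length, origin AS) entries, so the certificate checking itself is not shown. The entries, AS numbers, function names and the policy of dropping only invalid routes are constructed assumptions.

```python
import ipaddress

# Constructed, already-verified entries: (prefix, max length, authorised origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix, origin_as, vrps=VRPS):
    """Classify one announcement against the verified entries.

    valid     - a covering entry matches the origin AS and allows the length
    invalid   - covering entries exist, but none match
    not-found - no entry covers the prefix at all
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def accepted_routes(announcements, vrps=VRPS):
    """Assumed policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) != "invalid"]


if __name__ == "__main__":
    constructed = [
        ("192.0.2.0/24", 64496),     # registered origin
        ("192.0.2.0/24", 64499),     # wrong origin AS
        ("192.0.2.0/25", 64496),     # more specific than the entry allows
        ("198.51.100.0/24", 64497),  # no entry covers this prefix
    ]
    for prefix, asn in constructed:
        print(prefix, asn, validate_origin(prefix, asn))
```
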
Secure Origin BGP
Certificate-based system, backed by Cisco
Options for transporting certificates by various
means
Even on data plane
Tweaking routes by accepting some and denying some is possible
Secure BGP
Certificate-based system, pretty much similar to
soBGP
Requires PKI
Data-plane verification
Requires functionality on both control and data
plane
In addition to normal BGP operation, check for data plane reachability problems
Works for blackholing, accidents and stale routes
Does not require PKI infrastructure
Overhead!
Censorship and avoidance
Great firewall of China
Does
snooping
filtering
DNS injection
Also tries to prevent accessing foreign proxies for
free internet access
Unwittingly also affects traffic transiting through China
For instance German subnets have received censored DNS
replies
Hopefully fixed since published fall 2012
Decoy Routing
Set up routers with special functionality randomly around the internet
Censored end host apparently tries to access allowed content
A special router is on path to allowed content
The special router recognizes the end host and routes the request to censored content
Censored content origin is faked to look like allowed
content origin
Censored end host receives the censored content
Problems in previous proposal
The special routers need to be on the traffic path
Number of routers required already quite high ..
.. especially if the censor has lots of connections
If the censor is capable of modifying routing
Interconnectivity way too high to deploy enough routers
Nation-wide censorship usually is routing-capable
More case studies
AS 7007 incident, 1997
..where the BGP worries started
AS 7007 started leaking a large part of complete
route table
-> Much of traffic in internet blackholed
Took priority in BGP due to chopping announced
networks to /24 blocks
BGP cleanup took quite a while
ICANN DNS root server L, 2008
ICANN moved root server L to a new IP address
Regardless, the old IP kept responding to DNS
requests
Pakistan blocking Youtube, 2008
Country-internal blocking leaked to the whole internet
China Telecom 2010
China “leaked” routes and captured a significant portion of internet traffic for some minutes
Australia outage, 2012
30 mins
Filtering failure leading to route leakage leading to
BGP session kill due to maximum prefix limiting
Summary
Logical structure of internet is a function of
commercial interests and geography
Internet routing is largely based on trust and correct
operation
Don’t blindly trust internet routing
Good practices help!
http://tools.ietf.org/html/draft-jdurand-bgp-security-00
Further reading
BGP Man-in-the-Middle
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
China's 18-Minute Mystery
http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml
How the Internet in Australia went down under
http://www.bgpmon.net/how-the-internet-in-australia-went-down-under/
How Secure are Secure Interdomain Routing Protocols?
http://research.microsoft.com/pubs/120428/bgpattack-full.pdf