Page 1: Network Security Part II: Attacks Backbone Attacks.

Network Security Part II: Attacks

Backbone Attacks

Page 2

SECURITY INNOVATION ©2003

Topics
• Introduction
• Exterior Gateway Protocol: BGP
• Interior Gateway Protocols: OSPF and IS-IS
• NetFlow-based DDoS detection
• MPLS and IPv6
• Conclusion

Page 3

What "runs" the Internet?

• Key protocols
– BGPv4 (Border Gateway Protocol)
– DNS (Domain Name System)
– A mix of BGP and DNS in all new/recent technologies
• DNS to store the information in new/extended record types
• BGP to distribute the information across the network
• A few large vendors
– Limited range of ASIC-powered devices
– Some well-known software release versions/trains (e.g. S-train)

Page 4

What are the risks, if any? (1)

• The Internet is considered a critical infrastructure
– But the trust model hasn't really changed since the 70s
– Can it survive a "chapter 11" from a really large provider?
– "Slashdot effect" (major links and websites, even those with distributed content). Could larger deployment of multicast help?
– Best Current Practices make the network more resistant, but are not followed or deployed

Page 5

What are the risks, if any? (2)

• Current, new and future types of attacks
– Misconfiguration is the most common "attack"
– (D)DoS with spoofed source addresses
• Kill your network / (IRC) servers
• Use of routers as reflectors/amplifiers
• No reliable traceback
– Short-lived announcements used as source of SPAM/attacks
– Advanced routing protocol attacks
• Make your (internal/external) routing protocol unstable
• Inject new routes/prefixes: MiTM/traffic rerouting attacks
– Rootkits and Loadable Kernel Modules
• Take control of a device capable of generating thousands of PPS (packets per second)
• Control all the routing protocol traffic

Page 6

BGP: Protocol description

• BGP (Border Gateway Protocol)
– Current version: 4
– Listens on port 179/tcp
– Optional authentication:
• MD5: adds an option to TCP (the TCP MD5 signature option of RFC 2385; the digest is computed over the pseudo-header + TCP header + data + shared password)
– Point-to-point over directly connected interfaces, or multi-hop (TTL > 1) between non-adjacent routers
– Routing information is exchanged in BGP UPDATE messages:
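The MD5 option mentioned above is what stops the RST/bogus-message injection attacks on later slides when both peers share a password. The following is an added example, not code from the deck: it builds a signed BGP KEEPALIVE segment exactly as RFC 2385 specifies (MD5 over pseudo-header, TCP header with a zero checksum and options excluded, payload, then the password) and shows the receiver-side check rejecting a spoofed RST that lacks the right signature. Addresses, ports and the password are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19      # option kind of the RFC 2385 TCP MD5 signature
BGP_PORT = 179
FLAG_ACK, FLAG_PSH, FLAG_RST = 0x10, 0x08, 0x04

# Constructed sample values for the demo (not from the slides).
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
PASSWORD = b"s3cret-bgp"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # BGP KEEPALIVE: marker, length 19, type 4


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # source, destination, zero, protocol, total TCP segment length (header+options+data)
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_md5_digest(src_ip, dst_ip, segment, password):
    """RFC 2385: MD5 over the pseudo-header, the 20-byte TCP header with the
    checksum field zeroed (options are NOT covered), the data, and the password."""
    data_off = (segment[12] >> 4) * 4
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    md5 = hashlib.md5(_pseudo_header(src_ip, dst_ip, len(segment)))
    md5.update(header)
    md5.update(segment[data_off:])
    md5.update(password)
    return md5.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """TCP segment carrying kind 19 / length 18 plus two NOPs (options padded to 20 bytes)."""
    data_off_byte = ((20 + 20) // 4) << 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off_byte, flags, 65535, 0, 0)
    placeholder = bytes([TCP_MD5_KIND, 18]) + b"\x00" * 16 + b"\x01\x01"
    digest = tcp_md5_digest(src_ip, dst_ip, header + placeholder + payload, password)
    return header + bytes([TCP_MD5_KIND, 18]) + digest + b"\x01\x01" + payload


def build_unsigned_segment(sport, dport, seq, ack, flags, payload=b""):
    """Plain segment without the option, as a remote spoofer without the key would send."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def extract_md5_option(segment):
    data_off = (segment[12] >> 4) * 4
    opts, i = segment[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == 18:
            return opts[i + 2:i + 18]
        i += length
    return None


def segment_accepted(src_ip, dst_ip, segment, password):
    """Receiver policy once the option is configured: unsigned or mis-signed
    segments are dropped before TCP even looks at sequence numbers."""
    received = extract_md5_option(segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, password)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    good = build_segment(SRC_IP, DST_IP, 40001, BGP_PORT, 1000, 2000, FLAG_ACK | FLAG_PSH, KEEPALIVE, PASSWORD)
    spoofed_rst = build_unsigned_segment(40001, BGP_PORT, 1001, 2000, FLAG_RST)
    wrong_key_rst = build_segment(SRC_IP, DST_IP, 40001, BGP_PORT, 1001, 2000, FLAG_RST, b"", b"guess")
    print("signed KEEPALIVE accepted:", segment_accepted(SRC_IP, DST_IP, good, PASSWORD))
    print("unsigned RST accepted:", segment_accepted(SRC_IP, DST_IP, spoofed_rst, PASSWORD))
    print("RST signed with wrong key accepted:", segment_accepted(SRC_IP, DST_IP, wrong_key_rst, PASSWORD))
```

Note that the option protects the session, not the routing information: a peer that knows the password can still send any UPDATE it likes, which is why the later slides still matter.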

Page 7

BGP: Protocol description (figure)

[Figure: three autonomous systems, AS X, AS Y and AS Z, connected by eBGP sessions; {in,e}gress filters at the AS borders; inside an AS, iBGP sessions between the core/access routers and the route reflectors]

Page 8

BGP: Risks

• Where are the risks?
– Internet Exchanges ("peering points")
• All providers are usually connected to the same shared infrastructure (a switch, for example)
• The filtering policy is usually more "relaxed" for peerings
• Some major ones, no real (geo)diversity anymore
– Your direct {up,down}stream(s)
– Route reflectors
– Multi-hop configurations (man-in-the-middle attack)
– Less likely: some backbone router "out there" in the Internet or some hops away
• What is never "verified"
– Origin-AS/prefix relation, "true" AS_PATH, source authenticity, etc.

Page 9

BGP: Attacks I

• Information gathering
– Find the eBGP peers:
• "Forward" and "reverse" traceroute / ICMP Record Route
• Public route-servers and looking glasses
• Directly adjacent IPs
• IPs often used for loopback interfaces (.1+, .254-)
• SNMP
– Session parameters may be required:
• Source/destination ports (i.e. which router initiated the connection)
• Right TTL

Page 10

BGP: Attacks II

• Attacks against routers and BGP sessions
– SYN flood 179/tcp
– Drop the BGP session by RSTing the TCP connection or injecting bogus OPEN/KEEPALIVE/etc. messages
• Spoofed packet parameters (IPs, ports, SeqNum, TTL) may have to fit
– BGP route injection tool: what is the challenge?
• Inject the UPDATE
– MiTM (or ARP spoofing on IX switches)
– Synchronize with/hijack the TCP session (MiTM or spoofed from remote)
– Have prior knowledge of the current configuration of the peers (a MiTM type of attack is more likely to happen)
• BGP route injection tools exist (in private circles)
– Security bug in the BGP implementation / modified BGPd

Page 11

BGP: Attacks III

• Attacks against the network
– Attacks playing with BGP parameters (local-pref, MEDs, communities)?
– Make your BGP sessions flap: make your or other destinations unreachable
– Announce "more specific routes" of large blocks to increase the number of prefixes in the global routing table and eat up memory on all routers
– Announce or "remove" some routes/prefixes or change their attributes
– Direct all the traffic to a blackhole, direct it to a specific network (DDoS), create loops, etc.
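The injected UPDATE of the previous slide and the "more specific"/rerouting attacks above both come down to the origin-AS/prefix relation that, as page 8 says, nobody verifies. As an added example (not from the deck), the code below encodes and decodes a minimal BGP-4 UPDATE (ORIGIN, AS_PATH with 2-byte ASNs, NEXT_HOP, NLRI) and then applies the check an operator can do on a route-server or looking-glass feed: compare the origin AS of every announced prefix that overlaps a monitored block against the expected owner, and flag more-specifics even when the origin looks right. Prefixes, ASNs and next-hops are constructed example values.

```python
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
UPDATE = 2
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
AS_SEQUENCE = 2
FLAG_TRANSITIVE = 0x40

# Constructed: prefixes we own and the AS that should originate them.
EXPECTED_ORIGINS = {"198.51.100.0/24": 64496}


def _encode_prefix(net):
    n = ipaddress.ip_network(net)
    nbytes = (n.prefixlen + 7) // 8
    return bytes([n.prefixlen]) + n.network_address.packed[:nbytes]


def _decode_prefixes(buf):
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        out.append("%s/%d" % (ipaddress.IPv4Address(raw), plen))
        i += 1 + nbytes
    return out


def build_update(as_path, next_hop, nlri, withdrawn=()):
    """Minimal BGP-4 UPDATE: ORIGIN=IGP, one AS_SEQUENCE segment, NEXT_HOP, NLRI."""
    attrs = bytes([FLAG_TRANSITIVE, ORIGIN, 1, 0])
    seg = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs += bytes([FLAG_TRANSITIVE, AS_PATH, len(seg)]) + seg
    attrs += bytes([FLAG_TRANSITIVE, NEXT_HOP, 4]) + ipaddress.IPv4Address(next_hop).packed
    wd = b"".join(_encode_prefix(p) for p in withdrawn)
    nl = b"".join(_encode_prefix(p) for p in nlri)
    body = struct.pack("!H", len(wd)) + wd + struct.pack("!H", len(attrs)) + attrs + nl
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def parse_update(msg):
    if msg[:16] != BGP_MARKER or msg[18] != UPDATE:
        raise ValueError("not a BGP UPDATE")
    length = struct.unpack("!H", msg[16:18])[0]
    body = msg[19:length]
    wd_len = struct.unpack("!H", body[:2])[0]
    i = 2 + wd_len
    attr_len = struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    attrs_end = i + attr_len
    result = {"origin": None, "as_path": [], "next_hop": None,
              "withdrawn": _decode_prefixes(body[2:2 + wd_len]),
              "nlri": _decode_prefixes(body[attrs_end:])}
    while i < attrs_end:
        flags, code = body[i], body[i + 1]
        if flags & 0x10:                                  # extended length bit
            alen = struct.unpack("!H", body[i + 2:i + 4])[0]
            i += 4
        else:
            alen = body[i + 2]
            i += 3
        val = body[i:i + alen]
        i += alen
        if code == ORIGIN:
            result["origin"] = val[0]
        elif code == AS_PATH:
            j = 0
            while j < len(val):
                count = val[j + 1]
                result["as_path"].extend(struct.unpack("!%dH" % count, val[j + 2:j + 2 + 2 * count]))
                j += 2 + 2 * count
        elif code == NEXT_HOP:
            result["next_hop"] = str(ipaddress.IPv4Address(val))
    return result


def check_update(parsed, expected_origins):
    """Flag NLRI overlapping a monitored block whose origin AS (last hop of
    AS_PATH) is not the owner, and more-specifics of a monitored block even
    with the right origin (the memory/rerouting attack on this slide)."""
    findings = []
    origin_as = parsed["as_path"][-1] if parsed["as_path"] else None
    for announced in parsed["nlri"]:
        a = ipaddress.ip_network(announced)
        for monitored, owner in expected_origins.items():
            m = ipaddress.ip_network(monitored)
            if a == m or a.subnet_of(m) or m.subnet_of(a):
                if origin_as != owner:
                    findings.append((announced, "origin AS %s, expected %s" % (origin_as, owner)))
                elif a.prefixlen > m.prefixlen:
                    findings.append((announced, "more specific of %s" % monitored))
    return findings
```

Run over a real feed this is the poor man's version of what Renesys-style monitoring did at the time; the UPDATE format is per RFC 1771/4271 with the pre-4-byte-ASN AS_PATH encoding.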

Page 12

OSPF (Open Shortest Path First) (figure)

[Figure: OSPF topology with a backbone area (Area 0), Area 1 and Area 2 attached to it through Area Border Routers (ABRs), an Autonomous System Border Router (ASBR) towards a network running another IGP, and a Designated Router (DR) and Backup Designated Router (BDR) on a shared segment]

Page 13

OSPF: Protocol description

• OSPF (Open Shortest Path First)
– Runs directly over IP, protocol number 89
– Multicast traffic: "easy" to inject LSAs (Link State Advertisements)
– Active adjacencies between all the routers and the (B)DRs (DR/BDR status is based on Router ID and priority)
– SPF (Shortest Path First) recalculation takes time and CPU

Page 14

OSPF: Attacks

• Attacks against OSPF
– Since the (B)DRs don't preempt, it is necessary to "kill" the legitimate ones to take the functionality over
– A "local" area LSA may be exported to another area (over an ABR) or even to another AS (over an ASBR)
• ABRs and ASBRs are key routers together with the (B)DRs
– OSPF LSAs (even "MD5ed") can be replayed (sequence number)
• inject/withdraw routes
• break adjacencies (higher sequence number/hello message)
• MAXAGE LSAs can be sent to purge the related entries from the OSPF database
– More or less impossible to protect the network from an internal attack/threat: routers can "lie" (about their role, or modify the information they announce)
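The replay, sequence-number and MAXAGE tricks on this slide all show up in the 20-byte LSA header. As an added example (not from the deck), the code below parses that header, implements the "which instance is newer" comparison of RFC 2328 section 13.1 (sequence number, then checksum, then age, with the signed sequence space), and keeps a shadow LSDB that flags an older/replayed instance, a MaxAge flush of an LSA that was still fresh, a large sequence jump (an injected instance, or the originator fighting back), and a sequence number at MaxSequenceNumber. The Fletcher checksum is a fixed dummy here, and the router IDs are constructed.

```python
import ipaddress
import struct

MAX_AGE = 3600            # MaxAge (s): an instance at MaxAge is flushed from every LSDB
MAX_AGE_DIFF = 900        # two instances closer than this in age are "the same"
LS_REFRESH_TIME = 1800    # the originator refreshes every 30 min, seq += 1 each time
INITIAL_SEQ = 0x80000001  # InitialSequenceNumber (most negative signed 32-bit value + 1)
MAX_SEQ = 0x7FFFFFFF      # MaxSequenceNumber; reaching it forces a flush and wrap
LSA_HEADER = struct.Struct("!HBBIIIHH")   # age, options, type, LS ID, adv router, seq, cksum, length


def build_lsa_header(age, ls_type, ls_id, adv_router, seq, checksum=0x1234, length=24):
    """Constructed LSA header for the demo (checksum is a dummy value)."""
    return LSA_HEADER.pack(age, 0x02, ls_type, int(ipaddress.IPv4Address(ls_id)),
                           int(ipaddress.IPv4Address(adv_router)), seq & 0xFFFFFFFF, checksum, length)


def parse_lsa_header(buf):
    age, _opts, ls_type, ls_id, adv, seq, csum, length = LSA_HEADER.unpack(buf[:LSA_HEADER.size])
    if seq & 0x80000000:              # RFC 2328: the sequence number is a signed 32-bit integer
        seq -= 1 << 32
    return {"age": age, "type": ls_type, "id": str(ipaddress.IPv4Address(ls_id)),
            "adv": str(ipaddress.IPv4Address(adv)), "seq": seq, "csum": csum, "len": length}


def is_newer(new, old):
    """RFC 2328 section 13.1 ordering of two instances of the same LSA."""
    if new["seq"] != old["seq"]:
        return new["seq"] > old["seq"]
    if new["csum"] != old["csum"]:
        return new["csum"] > old["csum"]
    if new["age"] == MAX_AGE and old["age"] != MAX_AGE:
        return True
    if old["age"] == MAX_AGE:
        return False
    return old["age"] - new["age"] > MAX_AGE_DIFF


class LsdbMonitor:
    """Passive shadow LSDB fed with LSA headers seen on the wire."""

    def __init__(self):
        self.db = {}

    def observe(self, buf):
        lsa = parse_lsa_header(buf)
        key = (lsa["type"], lsa["id"], lsa["adv"])
        tag = "type %d id %s from %s" % key
        alerts = []
        old = self.db.get(key)
        if old is None:
            self.db[key] = lsa
            return alerts
        if not is_newer(lsa, old):
            # a router would neither install nor flood this; a replayed copy lands here
            alerts.append("replayed/older instance of %s (seq 0x%08x)" % (tag, lsa["seq"] & 0xFFFFFFFF))
            return alerts
        if lsa["seq"] - old["seq"] > 1:
            alerts.append("sequence jump on %s: 0x%08x -> 0x%08x"
                          % (tag, old["seq"] & 0xFFFFFFFF, lsa["seq"] & 0xFFFFFFFF))
        if lsa["seq"] == MAX_SEQ:
            alerts.append("MaxSequenceNumber reached on %s (forces a flush and wrap)" % tag)
        if lsa["age"] == MAX_AGE and old["age"] < LS_REFRESH_TIME:
            alerts.append("MaxAge flush of %s while the stored copy was only %d s old" % (tag, old["age"]))
        self.db[key] = lsa
        return alerts


if __name__ == "__main__":
    mon = LsdbMonitor()
    rid = "10.0.0.1"
    for hdr in (build_lsa_header(10, 1, rid, rid, INITIAL_SEQ),            # first sight
                build_lsa_header(0, 1, rid, rid, INITIAL_SEQ + 1),         # normal refresh
                build_lsa_header(1200, 1, rid, rid, INITIAL_SEQ),          # replayed old copy
                build_lsa_header(MAX_AGE, 1, rid, rid, INITIAL_SEQ + 1),   # premature purge
                build_lsa_header(0, 1, rid, rid, INITIAL_SEQ + 0x50)):     # injected, big jump
        print(mon.observe(hdr) or "ok")
```

A premature MaxAge flush is also what a router does legitimately when it withdraws a route, so treat that alert as "review", not "attack"; the sequence-number jump and the replay are the stronger signals.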

Page 15

IS-IS (Intermediate System to Intermediate System) (figure)

[Figure: three IS-IS areas (Area 1, Area 2, Area 3); L1 routers inside each area, L1/L2 routers at the area edges and L2 routers forming the backbone between the areas]

Page 16

IS-IS: Protocol description I

• IS-IS (Intermediate System to Intermediate System)
– Comes from the OSI world (routed OSI protocols)
– Doesn't run on top of IP but directly over the data link
– Encodes the packets in TLV (Type-Length-Value) format
– Uses hierarchy levels/addressing (L1/L2) and flooding
• L1 routing means routing in the same area
• L2 routing means routing between areas

Page 17

IS-IS: Protocol description II

• IS-IS (Intermediate System to Intermediate System)
– Floods LSPs (Link State PDUs)
• Nothing to do with MPLS LSPs (Label Switched Paths)
– Contrary to OSPF DR/BDRs, a new IS-IS DIS (Designated IS) with a higher priority takes precedence (preempts), and on a LAN all the routers maintain adjacencies with all the other routers, not only with the DIS (separate L1 and L2 adjacencies on the same LAN)
– A lot of Service Providers are moving from OSPF to IS-IS (usually in relation with MPLS/Traffic Engineering deployment)
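The preemption difference between the OSPF (B)DR (page 14: you have to "kill" the legitimate ones) and the IS-IS DIS is easiest to see in a small election simulation. This is an added example, not from the deck: it reduces RFC 2328 section 9.4 to the rule that a router already claiming DR or BDR in its Hellos keeps the role while it is present (the BDR being promoted only when the DR disappears), and the ISO 10589 DIS election to "highest priority, then highest SNPA, re-evaluated on every IIH". The routers, IDs, MACs and priorities are constructed; the attacker is the router named EVIL.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str   # OSPF Router ID (dotted quad); higher wins ties
    priority: int    # OSPF Router Priority (0 = ineligible) / IS-IS DIS priority
    snpa: str        # MAC address; IS-IS tie-breaker (higher wins)


def _rid_key(r):
    return tuple(int(x) for x in r.router_id.split("."))


def _snpa_key(r):
    return int(r.snpa.replace(":", ""), 16)


def ospf_election(routers, current_dr=None, current_bdr=None):
    """Simplified RFC 2328 9.4. A present router that claims DR stays DR; a
    present router that claims BDR stays BDR. Only with no DR present is the
    BDR promoted and a fresh BDR chosen by (priority, Router ID).
    Returns (dr_name, bdr_name)."""
    key = lambda r: (r.priority, _rid_key(r))
    eligible = [r for r in routers if r.priority > 0]
    names = {r.name for r in eligible}
    dr = current_dr if current_dr in names else None
    bdr_pool = [r for r in eligible if r.name != dr]
    bdr_claimants = [r for r in bdr_pool if r.name == current_bdr]
    bdr = max(bdr_claimants or bdr_pool, key=key, default=None)
    bdr = bdr.name if bdr else None
    if dr is None:                       # DR gone: promote the BDR, elect a new BDR
        dr = bdr
        rest = [r for r in bdr_pool if r.name != dr]
        new_bdr = max(rest, key=key, default=None)
        bdr = new_bdr.name if new_bdr else None
    return dr, bdr


def isis_dis(routers):
    """ISO 10589 DIS election: highest priority, then highest SNPA, repeated
    with every hello. Nothing is sticky, so a newcomer preempts at once."""
    return max(routers, key=lambda r: (r.priority, _snpa_key(r))).name


# Constructed LAN: two legitimate routers plus an attacker-controlled one.
R1 = Router("R1", "10.0.0.1", 1, "00:00:5e:00:53:01")
R2 = Router("R2", "10.0.0.2", 1, "00:00:5e:00:53:02")
EVIL = Router("EVIL", "10.255.255.254", 100, "00:00:5e:00:53:ff")
LAN = [R1, R2]


def ospf_takeover(lan, attacker):
    """How many legitimate routers the attacker must knock off the segment on
    OSPF before holding DR. Returns (dr, bdr) after joining and after each kill."""
    dr, bdr = ospf_election(lan)
    present = list(lan) + [attacker]
    dr, bdr = ospf_election(present, dr, bdr)
    steps = [(dr, bdr)]
    while dr != attacker.name:
        present = [r for r in present if r.name != dr]     # "kill" the current DR
        dr, bdr = ospf_election(present, dr, bdr)
        steps.append((dr, bdr))
    return steps


if __name__ == "__main__":
    print("OSPF after join, then after each kill:", ospf_takeover(LAN, EVIL))
    print("IS-IS DIS as soon as EVIL sends a hello:", isis_dis(LAN + [EVIL]))
```

On OSPF the attacker joins with priority 100 and gets nothing; it becomes BDR only after R2 is gone and DR only after R1 is gone too. On IS-IS the same hello makes it DIS immediately.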

Page 18

IS-IS: Attacks and security

• Attacks
– Similar to OSPF attacks, but more complex to inject data because of the non-IP protocol
– Possible to use the "Overload Bit" to have transit traffic not sent over an "overloaded" router and thus try to redirect it

Page 19

Worm Detection and Protection

• How to detect a new worm
– New/unusual number of HTTP/SMTP flows and server logs
• CenterTrack
– Secondary network used to carry "interesting" packets detected by routers for analysis
• Limitations
– CPU and memory needs on routers
– Fundamental changes (infrastructure, deployment, operations, etc.)
– IP address spoofing and traceback are the key issues
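The "unusual number of HTTP/SMTP flows" signal from the slide, worked out on NetFlow-style records as an added example (not from the deck). The records are constructed: one normal client, one busy but legitimate mail relay, and one host sweeping port 80 with single-packet flows the way a scanning worm does. The check counts, per source and per one-minute window, the distinct destinations contacted on the watched ports with flows of at most two packets; real sessions carry many packets, so the mail relay is not flagged even though it talks to many hosts.

```python
from collections import defaultdict

# Constructed NetFlow-like records: (start_epoch, src, dst, proto, dport, packets, octets).
FLOWS = [
    (965, "10.1.1.5", "198.51.100.10", 6, 80, 12, 9000),       # normal browsing
    (970, "10.1.1.5", "198.51.100.20", 6, 443, 30, 40000),
    (975, "10.1.1.5", "198.51.100.30", 6, 80, 8, 5200),
] + [
    # legitimate MTA: many SMTP peers, but full sessions (20 packets each)
    (960 + i, "10.1.1.25", "203.0.113.%d" % (100 + i), 6, 25, 20, 15000) for i in range(30)
] + [
    # worm-like sweep: one SYN per target, 40 bytes, nothing comes back
    (960 + i, "10.1.1.99", "203.0.113.%d" % (i + 1), 6, 80, 1, 40) for i in range(40)
]


def scan_alerts(flows, window=60, ports=(25, 80), threshold=20, max_packets=2):
    """Return [(src, window_index, distinct_destinations)] for sources that
    touched at least `threshold` distinct destinations on `ports` within one
    window using tiny flows (<= max_packets), i.e. probes rather than sessions."""
    seen = defaultdict(set)
    for start, src, dst, proto, dport, packets, _octets in flows:
        if proto == 6 and dport in ports and packets <= max_packets:
            seen[(src, start // window)].add(dst)
    return sorted((src, win, len(dsts)) for (src, win), dsts in seen.items()
                  if len(dsts) >= threshold)


def tiny_flow_ratio(flows, src, max_packets=2):
    """Share of a source's flows that are tiny; a second signal that separates
    a scanner (close to 1.0) from a busy server or relay (close to 0.0)."""
    mine = [f for f in flows if f[1] == src]
    if not mine:
        return 0.0
    tiny = sum(1 for f in mine if f[5] <= max_packets)
    return tiny / len(mine)


if __name__ == "__main__":
    for src, win, n in scan_alerts(FLOWS):
        print("window %d: %s probed %d hosts (tiny-flow ratio %.2f)"
              % (win, src, n, tiny_flow_ratio(FLOWS, src)))
```

The threshold and window are site-specific; the point of the packets-per-flow filter is the one the slide hints at with "server logs": a web server or MTA legitimately talks to many peers, a scanner talks to many peers and completes nothing.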

Page 20

DDoS/Worm Research

• Worse to come
– A lot of research has been done but nothing has been published/disclosed: "risks are too high"
– Most of the worms we've seen were quite gentle
– Will the next worm affect IIS/Outlook users again?
– What are the effects on Internet stability?
• What are the trends?
– Routers are used as source
– Attacks are more complex and agents are becoming more intelligent
– Temporary "use" of non-allocated blocks

Page 21

IPv6

• IPv6
– Basically no new risks/big changes
– "Native" IPsec support
– Higher risks during the transition phase from IPv4 to IPv6?
– Protocols used to interconnect IPv4 islands over IPv6 (and vice versa)
• GRE
• MPLS
– The MAC address can be part of the IP address (modified EUI-64 interface identifiers in stateless autoconfiguration)

Page 22

References

• Publications
– Inferring Internet DoS Activity (CAIDA)
– A Snapshot of Global Worm Activity (Arbor)
– Shining Light on Dark Internet Address Space (Arbor)
– How to 0wn the Internet in Your Spare Time (Staniford/Paxson)
– Global Routing Instabilities during Code Red II and Nimda Worm Propagation (Renesys)
– Trends in Denial of Service Attack Technology (CERT)