What is Border Gateway Protocol (BGP)?
Border Gateway Protocol is one of those foundational, core infrastructure protocols that Internet users rely on every day but that is not top of mind for the average consumer or end-user.
Border Gateway Protocol, or BGP, is a routing protocol: the primary inter-domain routing protocol of the Internet. It is an application-layer protocol that runs over TCP (port 179); it is not itself a Layer 4 transport protocol, it just rides on one [2]. Its purpose is to keep the various systems on the Internet up to date with the information needed to send and receive data traffic correctly. So, real quick in a nutshell, when information is sent around the Internet, that info is broken up into chunks of data called ‘packets’.
Packets sent on the Internet contain source and destination addresses, much like paper mail sent in envelopes. But packets do not go directly from a user’s computer to their destination. Many intermediate systems may be involved in the transmission, and because there are many paths from one point to another, not all packets follow the same path between source and destination.[3]
So in order to reach their intended destination, these packets will pass through intermediate systems, going from one point to another point until they arrive at their final intended destination point. These “in-between” systems all need to know where to forward the packet if it’s not addressed to them directly.
BGP is a standardized exterior gateway protocol that was designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. We’re going to break it down more, but basically, BGP picks routes for delivering Internet traffic according to each network’s policy (by default, the path that crosses the fewest autonomous systems), which is not necessarily the physically shortest or fastest route. BGP typically uses TCP port 179 to communicate with other routers.
BGP has significant importance to the Internet. It is the “Big Kahuna”, the cornerstone, the bedrock of the Internet.
BGP is an exterior gateway protocol as opposed to an interior gateway protocol.
BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator.
BGP used for routing within an autonomous system is called Interior Border Gateway Protocol, Internal BGP (iBGP). In contrast, the Internet application of the protocol is called Exterior Border Gateway Protocol, External BGP (eBGP).
via Wikipedia [1]
I also came across this analogy on Cloudflare further breaking down the differences between exterior (or external) BGP and the interior (or internal) BGP:
External BGP is like international shipping; there are certain standards and guidelines that need to be followed when shipping a piece of mail internationally. Once that piece of mail reaches its destination country, it has to go through the destination country’s local mail service to reach its final destination. Each country has its own internal mail service that doesn’t necessarily follow the same guidelines as those of other countries. Similarly, each autonomous system can have its own internal routing protocol for routing data within its own network.[5]
So BGP is basically the only game in town and universally used by all the big ISPs. So, yeah…it’s kind of a big deal.
“Ok, I think I get it…but why is that such a big deal?”
Because the Internet changes continuously, as systems fail or are replaced or new systems are added, routing tables must be updated constantly. BGP is the protocol that serves this purpose for the global Internet. When BGP fails, portions of the Internet may become unusable for a period of time ranging from minutes to hours. [3]
That wouldn’t be very conducive for either business or pleasure now would it??
A major function of BGP is to spread routing information across the Internet. Routers communicate with each other about which IP address prefixes they can reach, and for each prefix they pass along the AS path by which they reach it, so that the receiving router can choose a route to addresses within those prefixes.
BGP is used in updating routing tables, which are essential in assuring the correct operation of networks. BGP is a dynamic routing scheme—it updates routing information based on packets that are continually exchanged between BGP routers on the Internet. Routing information received from other BGP routers (often called “BGP speakers”) is accumulated in a routing table. The routing process uses this routing information, plus local policy rules, to determine routes to various network destinations. These routes are then installed in the router’s forwarding table. The forwarding table is actually used in determining how to forward packets, although the term routing table is often used to describe this function (particularly in documentation for home networking routers). [3]
BGP is a path-vector protocol, which is a refinement of the distance vector family rather than a hybrid of distance vector and link state (a description that is sometimes applied to it). Like a distance vector protocol, a BGP speaker tells its neighbors only the routes it has selected, not the whole topology; unlike a plain distance vector protocol, each route carries the full list of autonomous systems it has traversed (the AS path), which lets a receiver discard any route that already contains its own AS number and so break routing loops.
What’s the difference between the two families? Distance vector protocols send their entire built-up routing table to their directly connected, immediate neighbors, whereas link state protocols send information about their directly connected links, but they send this info to ALL routers in the network. Link state routing protocols are widely used in large networks because of their fast convergence and high reliability. [4]
BGP is based around the concept of autonomous systems (AS).
What’s an autonomous system? An autonomous system (AS), or self-controlled system, is the collection of routers, computers, and other components within a single administrative domain. ASes are the building blocks connected with BGP that help “run the Internet”. An AS is a collection of IP prefixes with a common routing policy toward other ASes; it is assigned an AS number (ASN) by a RIR (regional Internet registry), and is usually referred to by both a name and that number. (There is also a concept of a private AS, using a reserved ASN range, which can be used when a single upstream exists.)
BGP does not run OSPF; rather, an AS uses an interior gateway protocol such as OSPF or IS-IS for routing within its own network and BGP for exchanging routes with other autonomous systems (with iBGP carrying those external routes across its own routers).
Key BGP concepts include:
- Inter-network: used for routing between networks (ASes), or within large networks
- Reachability: BGP defines how one AS can reach another AS, described as a path vector (the AS path)
- Policy-based: BGP makes it possible for an AS to apply its own policies (e.g. multi-homing, failover, commercial terms)
- Decentralized: each AS governs its own policy decisions, using BGP to coordinate and share routes
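To make the path-vector and policy ideas concrete, here is a toy simulation of how one prefix announcement travels between autonomous systems. This is an added example written for this page, not code from the original article, Wikipedia or any router vendor. The five-AS topology, the ASNs (taken from the RFC 5398 documentation range 64496-64511) and the reduced best-path rule are all constructed for illustration; real BGP runs a longer decision process, but the two mechanisms shown, loop detection by scanning the AS path for your own ASN, and local policy overriding path length, are the real ones.

```python
"""Toy path-vector simulation of BGP route propagation between autonomous
systems, with AS_PATH loop detection and a per-AS policy override.

Added example for this page, not code from the original article, Wikipedia
or any router vendor. The topology, ASNs (RFC 5398 documentation range) and
the simplified best-path rule are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed topology: ASN -> directly connected peer ASNs.
PEERS = {
    64496: [64497, 64498],
    64497: [64496, 64499],
    64498: [64496, 64499],
    64499: [64497, 64498, 64500],
    64500: [64499],
}


def rank(asn, sender, path, policy):
    """Sort key for best-path selection at `asn`; lower wins.

    A route learned from the neighbor named in `policy` beats all others
    (the LOCAL_PREF idea: local policy outranks path length), then the
    shorter AS_PATH wins, then the lower neighbor ASN as a deterministic
    tie-break. Real BGP has more steps (MED, IGP cost, router ID, ...).
    """
    return (0 if sender == policy.get(asn) else 1, len(path), sender)


def propagate(origin, policy=None, peers=PEERS):
    """Announce one prefix from `origin`; return {asn: best AS_PATH}.

    AS_PATH is a tuple of ASNs, leftmost = most recent hop. Each AS keeps one
    route per neighbor (its Adj-RIB-In): a newer UPDATE from that neighbor
    replaces the older one, and an UPDATE whose AS_PATH already contains the
    receiver's own ASN is a loop, so it is rejected and the neighbor's earlier
    route is dropped. Only a change of best path is re-advertised, with the
    advertising AS prepended. Withdrawals are not propagated in this toy.
    """
    policy = policy or {}
    rib_in = defaultdict(dict)                 # asn -> {neighbor: AS_PATH}
    best = {origin: (origin,)}
    queue = deque((nbr, origin, (origin,)) for nbr in peers[origin])

    while queue:
        asn, sender, path = queue.popleft()
        if asn == origin:
            continue                           # originator ignores echoes of its own route
        if asn in path:
            rib_in[asn].pop(sender, None)      # loop detected: reject the update
        else:
            rib_in[asn][sender] = path
        cands = rib_in[asn]
        chosen = min(cands, key=lambda n: rank(asn, n, cands[n], policy)) if cands else None
        new_path = cands[chosen] if chosen is not None else None
        if new_path == best.get(asn):
            continue                           # nothing changed, nothing to tell the peers
        best[asn] = new_path
        if new_path is not None:
            for nbr in peers[asn]:
                queue.append((nbr, asn, (asn,) + new_path))
    return best


if __name__ == "__main__":
    for asn, path in sorted(propagate(64496).items()):
        print(f"AS{asn}: {' <- '.join('AS%d' % a for a in path)}")
    print("with AS64499 preferring AS64498:", propagate(64496, {64499: 64498})[64500])
```

Run it and AS64500 ends up with the path AS64499, AS64497, AS64496; add the policy `{64499: 64498}` and AS64499 switches to the equally long path through AS64498 and re-advertises it, so AS64500’s path changes too even though AS64500 itself has no policy. That is the decentralized part: every AS only sees what its neighbors chose to tell it.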
Security Risks, Threats, and Potential Attacks on BGP
Because of its role as a critical piece of Internet infrastructure (remember, BGP helps transmit data to its intended destination!), securing BGP against attacks is crucial.
Most of the risk to BGP comes from accidental failures, but there is also a significant risk that attackers could disable parts or all of a network, disrupting communications, commerce, and possibly putting lives and property in danger. [3]
BGP was designed to help make the Internet “work” better, and as with many early areas of the Internet, security was not at the forefront in terms of must-have implementations.
BGP was designed to make the Internet work, and it certainly does that. But BGP was not designed with security in mind. More secure routing solutions for the Internet as a whole (such as BGPsec) are being developed, but there is no adoption of them yet. For the time being, BGP is inherently vulnerable and will remain so.[5]
NIST notes:
In particular, BGP does not have a built-in authentication mechanism to ensure that a message is really from the AS that is shown as the source in messages. As a result, BGP retains a number of vulnerabilities, despite extensions designed to shore up its security. Fortunately, many of the methods developed over the years to improve BGP’s dependability also contribute to security against outside attackers. For example, route flap damping and ingress/egress filtering policies have helped to make BGP both more stable and more secure. In addition, the more precise addressing allowed by classless interdomain routing (CIDR) makes it possible to refine the handling of prefixes in BGP, providing a further level of protection from accidental or malicious changes to routing tables.[3]
Recall from earlier that BGP runs over TCP/IP: each pair of peers keeps a long-lived TCP session on port 179. As such, any attack on TCP/IP, such as flooding that port or injecting a forged RST into the session, can be applied to BGP as well.
BGP is vulnerable to generic attacks that target networked devices and protocols, including denial of service, unauthorized access, eavesdropping, packet manipulation, session hijacking, and other attacks.
Denial of service occurs when a router is flooded with more packets than it can handle.
Unauthorized access can occur when default passwords are not changed, or passwords are guessed.
Eavesdropping of packets may occur anywhere on the path between routers (BGP messages are NOT encrypted), or BGP may be exploited to allow eavesdropping on application data packets.
Packet manipulation methods include inserting false IP addresses to gain access or inject false data into routing tables, or rerouting packets for purposes of blackholing, eavesdropping, or traffic analysis.
Session hijacking occurs when an intruder uses falsified packets to take over or continue an authorized session.
What is BGP Hijacking? BGP hijacking is “when attackers maliciously reroute Internet traffic. Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to.”[5] Sometimes BGP hijacking may be accidental, but other times there are sinister motives:
In April of 2018, attackers deliberately created bad BGP routes to redirect traffic that was meant for Amazon’s DNS service. The attackers were able to steal over $100,000 worth of cryptocurrency by redirecting this traffic to themselves.[5]
Potential attacks on BGP specifically can be extensions or specializations of those just previously mentioned, including Peer Spoofing and TCP Resets, TCP Resets Using ICMP, Session Hijacking, Route Flapping, Route Deaggregation, Malicious Route Injection, Unallocated Route Injection, Denial of Service via Resource Exhaustion, and Link Cutting Attacks.
What is Peer Spoofing? Spoofing refers to transmitting packets that are modified to make them appear as if they originate from somewhere other than their true source.
A unique variety of peer spoofing, called a reset attack, involves inserting TCP RESET messages into an ongoing session between two BGP peers. By monitoring this peer communication, an attacker may gain enough information to send a forged reset message to one of the routers.
What is Route Flapping? “Route flapping refers to repetitive changes to the BGP routing table, often several times a minute.”[3] Route flapping happens when a router alternately advertises a destination network via one route and then another in quick succession, for example because a link keeps going up and down. It can be controlled in two ways: route flap dampening, which suppresses a prefix that changes too often, and route aggregation, which keeps the churn from a flapping more-specific route contained within a smaller area of the network.[7]
What is Route Deaggregation? “Route deaggregation occurs when more specific routes (i.e., longer prefix) are advertised by BGP peers.”[3]
What is Malicious Route Injection? A malicious party could begin sending out updates with incorrect routing information.
For example, NIST’s address space is 129.6.0.0/16. Suppose that NIST announces 129.6.0.0/16 through BGP. An attacker who announces a more specific route, such as a /24 address in NIST’s IP address space, would be able to divert packets that should be sent to NIST. This would occur because other routers would view the /24 as a more direct route to some of the addresses within NIST, so packets would be routed to the attacker’s machine, which could observe and record the packets’ data and address information. NIST would have no control over the routes announced by the attacker, other than contacting the attacker’s service provider to request a correction, and it would be difficult to prove whether the mis-routing was malicious or accidental.[3]
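The reason the attacker’s /24 wins is worth seeing in code, because it is not a BGP path-selection decision at all: BGP only ever compares routes to the same prefix, and the forwarding lookup then takes the longest matching prefix no matter how the competing AS paths compare. The toy router below, an added example written for this page and not code from the original article or from NIST, reuses the 129.6.0.0/16 block from the passage above; the ASNs (RFC 5398 documentation range), the AS paths and the destination hosts are constructed. It also shows the usual first response to such a hijack, the victim announcing the same /24 itself, which works at any router where the victim’s path is the shorter one.

```python
"""Why a more-specific announcement diverts traffic even with a longer AS_PATH:
a toy router that runs BGP best-path selection per prefix, then longest-prefix
matching across prefixes when forwarding.

Added example for this page, not code from the original article or from NIST.
129.6.0.0/16 is the block from the NIST passage; the ASNs (RFC 5398
documentation range), AS_PATHs and destination hosts are constructed.
"""
import ipaddress

VICTIM_ASN = 64497      # stands in for the legitimate holder of 129.6.0.0/16
ATTACKER_ASN = 64496    # announces a /24 it does not hold
UPSTREAM = 64500        # the neighbor this router hears both routes from


class Router:
    def __init__(self):
        self.adj_rib_in = {}        # ip_network -> [(origin ASN, AS_PATH), ...]

    def receive(self, prefix, origin_asn, as_path):
        net = ipaddress.ip_network(prefix)
        self.adj_rib_in.setdefault(net, []).append((origin_asn, tuple(as_path)))

    def best_path(self, net):
        """BGP decision process reduced to 'shortest AS_PATH'. It only ever
        compares routes for exactly the same prefix."""
        return min(self.adj_rib_in[net], key=lambda route: len(route[1]))

    def lookup(self, address):
        """Forwarding decision: the longest matching prefix wins, regardless of
        how the AS_PATHs of the candidate prefixes compare."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.adj_rib_in if addr in net]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)
        origin, path = self.best_path(net)
        return net, origin, path


def hijack_demo():
    r = Router()
    r.receive("129.6.0.0/16", VICTIM_ASN, (UPSTREAM, VICTIM_ASN))
    before = r.lookup("129.6.13.37")
    # The attacker announces a /24 inside the victim's /16. Its AS_PATH is twice
    # as long, yet it wins for every address in that /24.
    r.receive("129.6.13.0/24", ATTACKER_ASN, (UPSTREAM, 64501, 64502, ATTACKER_ASN))
    during = r.lookup("129.6.13.37")
    untouched = r.lookup("129.6.200.1")        # outside the /24: still the victim's
    # The usual first response: the victim announces the same /24 itself. Now the
    # two routes are for the same prefix, so AS_PATH length decides again.
    r.receive("129.6.13.0/24", VICTIM_ASN, (UPSTREAM, VICTIM_ASN))
    after = r.lookup("129.6.13.37")
    return {"before": before, "during": during, "untouched": untouched, "after": after}


if __name__ == "__main__":
    for stage, (net, origin, path) in hijack_demo().items():
        print(f"{stage:9} {net}  origin AS{origin}  path {path}")
```

The `untouched` lookup is the other half of the story: the hijack only captures the 256 addresses inside the /24, so the victim’s monitoring may see nothing wrong for the rest of its /16, which is why an attacker picks a small, high-value range such as a DNS server’s.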
What is Unallocated Route Injection? “A particular variety of malicious route injection involves the transmission of routes to unallocated prefixes. These prefixes specify sets of IP addresses that have not been assigned yet, i.e., no one should be using these addresses, so no traffic should be routed to them. Therefore, any route information for these prefixes is clearly faulty or malicious, and should be dropped.”[3]
What is Denial of Service via Resource Exhaustion? Like all computers, routers have a finite amount of storage and processing cycles available, which can be exhausted through attack.
What is a Link Cutting Attack? An inherent vulnerability in routing protocols is their potential for manipulation by cutting links in the network.
Best Practices to Help Protect BGP (Best practices intended to be implementable on nearly all currently available BGP routers.)
- Establish and use access control lists. A feature available on nearly all routers.
- Use BGP graceful restart, when available.
- Use BGP peer authentication (TCP MD5 signatures, RFC 2385, or the newer TCP Authentication Option, RFC 5925), so a forged segment that does not carry the shared key is rejected before it can reset or hijack the session.
- Use prefix limits to avoid filling router tables.
- Only allow configured peers to connect to TCP port 179; filter everything else at the interface ACL or control-plane policy.
- Configure BGP to allow announcing only designated netblocks. This option will prevent the router from inadvertently providing transit to networks not listed by the autonomous system (AS).
- Filter all bogon prefixes.
- Where feasible, routers should do ingress filtering on peers.
- Do not allow over-specific prefixes (for IPv4, anything longer than a /24 is commonly rejected), since a more-specific route is exactly what a hijacker announces.
- Turn off fast external failover to avoid major route changes due to transient failures of peers to send keepalives.
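Most of the items on that list (bogon filtering, refusing announcements of your own space and over-specific prefixes, only accepting a peer’s designated netblocks, a prefix limit, and sanity-checking who the update claims to come from) are one inbound filter policy. The script below is an added example written for this page, not code from the original article, NIST or any router vendor, where the same policy would be expressed as prefix-lists and route-maps. It is also the defensive counterpart of the unallocated and malicious route injection attacks described above. The peer ASN (RFC 5398 documentation range), its “registered” netblock 129.7.0.0/16, the deliberately tiny prefix limit and the sample updates are all constructed; 129.6.0.0/16 is the NIST block from the example above, standing in for “our” address space.

```python
"""Inbound prefix-filter policy of the kind the best-practice list calls for:
bogon filtering, rejecting our own address space and over-specific prefixes,
accepting only a peer's designated netblocks, a max-prefix limit, and an
AS_PATH sanity check against peer spoofing.

Added example for this page, not code from the original article, NIST or any
router vendor. Peer ASN, its netblock 129.7.0.0/16, the prefix limit and the
sample updates are constructed; 129.6.0.0/16 is the NIST block quoted above.
"""
import ipaddress

# Abbreviated bogon list (private, reserved and documentation ranges); a
# production list is generated from a maintained feed, not typed by hand.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
OUR_PREFIXES = [ipaddress.ip_network("129.6.0.0/16")]
MAX_PREFIXLEN = 24          # common IPv4 operator practice: nothing longer than /24
PEER_POLICY = {             # constructed per-peer policy, as an IRR/RPKI export would give it
    64496: {"allowed": [ipaddress.ip_network("129.7.0.0/16")], "max_prefixes": 2},
}


def check_update(peer_asn, prefix, as_path, accepted_so_far, policy=PEER_POLICY):
    """Return a one-word verdict for a single inbound (prefix, AS_PATH)."""
    if peer_asn not in policy:
        return "unknown-peer"
    if not as_path or as_path[0] != peer_asn:
        return "bad-as-path"        # leftmost ASN must be the neighbor we are talking to
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(b) for b in BOGONS):
        return "bogon"              # unallocated / reserved space: always faulty or malicious
    if any(net.subnet_of(o) for o in OUR_PREFIXES):
        return "own-space"          # a peer announcing our /16 or a more-specific of it = hijack
    if net.prefixlen > MAX_PREFIXLEN:
        return "over-specific"
    if not any(net.subnet_of(a) for a in policy[peer_asn]["allowed"]):
        return "not-allowed"        # not a netblock this peer is designated to announce
    if accepted_so_far >= policy[peer_asn]["max_prefixes"]:
        return "limit"              # prefix limit: keeps a misbehaving peer from filling our table
    return "accept"


def apply_filter(peer_asn, updates, policy=PEER_POLICY):
    """Run received updates through check_update in order, counting accepted
    prefixes against the peer's max-prefix limit; returns [(prefix, verdict)]."""
    decisions, accepted = [], 0
    for prefix, as_path in updates:
        verdict = check_update(peer_asn, prefix, as_path, accepted, policy)
        accepted += verdict == "accept"
        decisions.append((prefix, verdict))
    return decisions


# Constructed sample of what peer AS64496 might send in one session.
SAMPLE_UPDATES = [
    ("129.7.10.0/24",   (64496,)),          # legitimate customer prefix
    ("129.6.13.0/24",   (64496,)),          # more-specific of our own /16 (the NIST-style hijack)
    ("10.1.0.0/16",     (64496,)),          # private space, never routable
    ("129.7.10.128/25", (64496,)),          # too specific
    ("129.8.0.0/16",    (64496,)),          # not registered to this peer
    ("129.7.20.0/24",   (64497, 64496)),    # AS_PATH does not start with the peer: spoofed or leaked
    ("129.7.0.0/16",    (64496,)),          # legitimate aggregate
    ("129.7.30.0/24",   (64496,)),          # legitimate, but over the (deliberately tiny) limit
]

if __name__ == "__main__":
    for prefix, verdict in apply_filter(64496, SAMPLE_UPDATES):
        print(f"{prefix:18} {verdict}")
```

The order of the checks matters in practice as well as here: the cheap, unconditional rejections (bogons, your own space, over-specifics) come first, the per-peer allow list next, and the prefix count last, so that a peer which floods you with junk does not burn through its limit and take its legitimate routes down with it. On a real router the "limit" case would typically tear down the session and raise an alarm rather than silently drop the surplus.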
Sources:
[1] https://en.wikipedia.org/wiki/Border_Gateway_Protocol
[3] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-54.pdf
[4] https://www.pluralsight.com/blog/it-ops/dynamic-routing-protocol
[5] https://www.cloudflare.com/learning/security/glossary/what-is-bgp/
[6] https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/
[7] https://en.wikipedia.org/wiki/Route_flapping
[Extra] Introduction to Internet Architecture–http://psulibrary.palawan.edu.ph/wtbooks/resources/pdf/9781283508360.pdf
[Extra] Peering–https://wikimili.com/en/Peering