A Study in TCP/BGP Session Security

ByIlias Pallikarakis

Motivation

Inadequate security in BGP Defcon 16 Presentation by Pilosov and

Kapela Is it possible to replicate the attacks using a

MitM approach ?

3

BGP Security

Mechanisms currently used : TCP-MD5 Generalized TTL Security Mechanism (GTSM)

Mechanisms to be implemented : TCP-AO RPKI

Defcon 16 Presentation Overview

They successfully advertised fake prefixes.

Made the attack hard to detect by making the router advertising the fake prefixes ‘undetectable’ by the traceroute tool.

Main Goals

Set a MitM attack between two routers and attempt to hijack the BGP session

Implement a script similar to the one of Defcon 16 to hide part of the network

6

Tools Used

Ettercap : MitM (ARP Poison) Network Hiding

Scapy : Network Hiding BGP Session Hijacking

7

Tools Used Ettercap :

Easy to use Good for simple script but not for complex NO user intercation

Scapy : Python library Automatically calculates length/checksum

fields Much slower

8

Testing Network

9

General Methodology

Hide Network : Exploit Traceroute’s function Increase TTL to hide network from traceroute

BGP Session Hijacking: Intercept the BGP update messages Find a specific prefix and alter it

10

BGP Hijacking Issues

Manipulate IP/TCP checksums Manipulate variable length field :

IP Length BGP Header Length BGP Update Length fields

TCP session manipulation

11

TCP Session Manipulation

What if the altered BGP Prefix has different length than the original ?

Need to adjust Sequence/Acknowledgement numbers : Keep the offset and Add/Remove it (Best) Copy previous sequence to next

Acknowledgement and vice versa (Easiest)

12

Sequence Adjusting Mechanism

Next Acknowledgement number is always the previous Sequence + original message’s length

For Sequence number there are 2 cases : The previous message was sent by the

receiver (previous ack) Previous message sent by the sender

(previous forged seq)

13

Example

14

Ettercap TTL Script

In one word Simple… :

if (ip.dst == '1.1.1.1'){ip.ttl += 3;msg("Increase TTL\n");

}

15

Ettercap Script BGP

Not possible : Human processing in Binary. Cannot manipulate variable length fields. Can replace only 2-byte length strings.

16

Scapy Methodology

Scripts are composed by : Main : Create the nfqueue and calls Process Process : mainly filters packets and calls

altering function Altering Function : Varied content, does the

packet altering

17

Scapy BGP issues

Originally Scapy could not understand multiple BGP update messages in the same TCP packet Would read only first update. Incorrect length calculation.

Unexpected session establishment : While a TCP/BGP session was working one of the

routers attempted to setup a new one.

18

BGP Issue Solutions BGP Multiple Update Messages :

Use the Header Marker to find how many messages appear.

Modified original Scapy code for BGP

Unexpected Sessions : Drop all packets where one port is 179 and the

other one is NOT the working session.

19

Cisco Issue : Description

Strange packets observed of the form :

Circumstances of appearance : Change prefix length with Incorrect Seq/Ack Change prefix to lower length with working

Script (occasionally)

20

Cisco Issue : Thoughts

Definitely related with seq/ack numbers. Test showed that when ack is larger issue

always appears. Why it appears in correct script ??

21

Cisco Issue : Thoughts

Test correct script for potential mistake Thoroughly check the TCP flags before the

strange packets. Check strange traffic message by message in

contrast to the same traffic sent by router.

22

Conclusion

Working script (implemented in two different ways !) to increase TTL. Successful traceroute veil. Renders GTSM obsolete.

Working TCP Adjusting Mechanism Could be used in all TCP communication

23

Conclusion

Successfully replaced a prefix with one of our choice with Scapy

Contributed in Scapy BGP allowing multiple Updates to be sent/received

Discovery of Cisco issue

24

Tests

Live Demonstration !

Thank You !