BGP Security (Mum presentation 2016)

MikroTik BGP Security

By:RofiqFauziMUMKualaLumpur

ID Networkers | www.trainingmikrotik.com ExpertTrainerandConsultant

2

About Rofiq Fauzi

CONSULTANTCERTIFIEDTRAINER

h;p://www.mikroAk.com/consultants/asia/indonesia

• UsingMikroTik(v.2.97)since2005,asNetworkEngineeratWISP.• 2007,Network&WirelessEngineeratINDOSATCentralJavaArea• 2008,ITNetwork&TelcoProcurementatINDOSATHQ• 2012-Now,MikroTikConsultant&CerAfiedTraineratID-Networkers(PTIntegrasiDataNusantara).

• 2013-Now,NetworkManageratWISPIndomedianet,Indonesia• 2013-Now,NetworkConsulAngEngineeratConnexinLimited,Hull,UK

h;p://www.mikroAk.com/training/partners/asia/indonesia


3

About ID-Networkers IntheMostPresAgiousNetworkingCerAficaAon

EXPERTLEVELTRAINERS&CONSULTANS

OVERVIEW We are young entrepreneurs, we are onlyone training partner & consultant who hasexpert leveltrainers inthemostpresAgiousnetworking cerAficaAon, CCIE Guru , JNCIEGuru andMTCINE guru, which very limitednumber inIndonesiaevenAsia.Proventhathundred of our students pass thecerAficaAon exam every year. We are thebiggestcerAficaAonfactoryinIndonesia.

WEBSITE www.idn.id|www.trainingmikroAk.com

OUR PROJECT IN MALAYSIA

Project Langkawi ProjectWi-Fi1MalaysiainalltourismparkinLangkawiIsland;CenangBeach,PulauTuba,PulauDayangBunAng,CableCar,etc.

IntegratedWi-FinetworkwithcentralizehotspotuserinKLarea,includingapartment,university,publicarea,etc.

WiFi in KL

ID Networkers | www.trainingmikrotik.com Expert Trainer and Consultant 4

Project in Melaka Wi-FiprojectatSekolahALAM,JabatanLaut,someUniversityandHondaMelaka,etc.

About BGP


5

•  DesignedasExteriorGatewayProtocol•  InternetformedbyBGProuAng•  BGPalsohascapabilitytocarryinginformaAonaboutdiverseroutedprotocols(ipv4,ipv6,l2vpn,vpnv4)

BGP Multiprotocol Capabilities


6

Interior and Exterior Gateway Protocol


7

•  InteriorGatewayProtocol(IGP)Handle rouAngwithinanAutonomousSystem (one rouAngdomain).CanbesaidthattheIGPisarouAngthatworksonourproprietarynetwork,orallroutersarebelongtous.

•  ExteriorGatewayProtocol(EGP) Handles the rouAng between Autonomous Systems (inter-domain rouAng). Can be said that the EGP is working orrouAngbetweenournetworkswithnotournetworks.

AS1 AS2

Interior and Exterior Gateway Protocol


8

InteriorGatewayProtocol:OSPF,IS-IS,IGRP,EIGRP,RIP

ExteriorGatewayProtocol:BGP

Autonomous Systems (AS)


9

•  AS is a combinaAon of networks and routers are usually in oneownershiporcontrolthathasasimilarrouAngprotocol.

•  AS16bit,orusedecimal(0-65535)•  Range1-64511usedforInternet•  Range64512-65535usedforprivate

•  With 16-bit AS Numbers, only around 65,000 unique numbers arepossible.

•  TheintroducAonof32-bitASNsincreasesthesupplyofASNumberstofourbillion.

•  ASNumberallocaAonismanagedbyIANA

BGP between AS in the Internet


10

h;ps://www.pasternack.com/t-calculator-fspl.aspx

BGP between AS in the Internet


11

h;p://bgp.he.net/


12

Full trust between peers is one of the weaknesses of the protocol

IN BGP WE TRUST

AS100givewronginformaAontoAS200

ID Networkers | www.trainingmikrotik.com Expert Trainer and Consultant 13

AS200givetherightinformaAonbutcomingfromwrongsource

WronginformaAonwillspreadtonetwork

LEAK XX

The Internet’s Vulnerable Backbone


14

Types of BGP Attacks [workshop]


15

•  PrefixHijack•  Denialofservice•  CreaAonofrouteinstabiliAes(flapping)

Prefix Hijack


16

•  Prefixhijacking,amisbehavior inwhichamisconfiguredormalicious BGP router originates a route to an IP prefix itdoesnotown,

•  Its is becoming an increasingly serious security problem intheInternet

How Attackers Can Hijack BGP


17

How Attackers Can Hijack BGP


18

Demo in GNS3


19

Topology

Demo


20

•  InstallGNS3,ifyoudidn’tknowhowtoinstallmikroAkonGNS3,followourpreviousMUMpresentaAonslideat:[email protected]/presentaAons/ID13/rofiq.pdf

•  Createtopology(slide15)•  Configure BGP peering between all AS, don’t forget for AS 234 its using iBGP peer

(meshpeeringorrouterrefelctor)•  Create loopback interface (bridge interface) in Router1 and Router6, and put ip

1.1.1.1/32onthebothbridgeinterfaces.•  OnRouter6,inrouAngBGPnetwork,adverAsenetwork1.1.1.1/32•  Check inRouter1,wecansee in IP route,prefix1.1.1.1withaspath234,600 that’s

meanprefix1.1.1.1/32originatedfrom600•  OnRouter1,inrouAngBGPnetworkadverAsenetwork1.1.1.1/32too•  CheckinRouter1,wecanseeinIProute,prefix1.1.1.1willchangeaspathto234,100

DOS Attack


21

Ref:h;p://www.133tsec.com/2012/04/30/0day-ddos-mikroAk-server-side-ddos-a;ack/

•  One of the denial of service (DDOS), happens on mikroAk router’s winboxservicewhenthea;ackerisrequesAngconAnuouslyapartofa.dll/pluginfile

•  Itraisesrouter’sCPU100%andotheracAons.The“otheracAons”dependsontherouterosversionandthehardware.

•  For example onMikroAk Router v3.30 there was a LAN corrupAon, BGP fail,wholerouterfailure•  MikroAkRouterv2.9.6therewasaBGPfailure•  MikroAkRouterv4.13unstablewifilinks•  MikroAkRouterv5.14/5.15rarelystacking

•  Behaviour may vary most Ames, but ALL will have CPU Usage 100% . MostrouterslooseBGPaperlongAmea;ack

Demo DOS Attack


22

•  DownloadtesAngscriptfromh;p://www.133tsec.com/wp-content/uploads/2012/04/mkDl.zip

•  ExtractitinyourCfolder•  Runinyourwindowscommandprompt

C:\>mkDl.py<RouterIPAddress>DoS[Winboxplugindownloader][+]Hmmmwegonnaattackit..[+]Indexreceived![+]Requestingfileroteros.dlltilldeath:)Sendingevilpacket..pressCTRL-Ctostop–

-  WatchyourrouterCPUusage

Warning!ThiscontentandtoolareforeducaAonproposedonly, IamnotresponsibleforanythingthatmighthappentoyouoryourroutersifyouuseittoDDOSyourrouter,andorcausinganydamageorerror.

Defend BGP Attacks


23

•  AlwaysUpdateyourRouterOS• GoodBGPRouterConfiguraAon•  DetectFalseRouteAnnouncements•  RPKI

Good Router Configuration


24

UserouAngfiltertocontrolprefixexchangebetweenBGPpeeringInFilters•  Don’tacceptyourownprefixes•  Don’tacceptRFC1918(privateIPaddress)andotherreservedones(RFC5735)•  Don’tacceptdefaultroute(unlessyouneedit)•  Don’tacceptprefixeslongerthan/24•  Don’tacceptBOGONSprefixes•  LimityourMaxPrefix•  LimitAS_Path

OutFilters•  Announceonlyownedprefixes(incaseyoudonotprovidetransittootherAS’s)

CredittoWardnerMaia,ref:h;p://mdbrasil.com.br/en/downloads/1_Maia.pdf

Detect False Route Announcements


25

h;ps://stat.ripe.net/widget/bgplay

BGP Routing Table Size


26

CounAng

Source=h;p://www.cidr-report.org/

Detect Route Flapping


27

DetectRouAngtablesize:/systemscheduleraddinterval=5mname=schedule1on-event=detect-routestart-time=startup/systemscriptaddname=detect-routesource=“:localrouteSize[/iprouteprintcount-only];:if($routeSize>5400000)do={/logerror"Yourroutingtableis$routeSize,Routingtableabnormal"}else={/logwarning"Yourroutingtablesizeis$routeSize,normal!"}”

Detect Route Flapping


28

Limit Prefix Number


29

Ifourinfilterreceiveallinternetprefixfromourpeering,weshouldlimitthenumberofprefixbyfollowingcommand:[admin@BGP-ROUTER]>routingbgppeersetnumber=0max-prefix-limit=600000

MikroTik Routing Filter


30

• h;p://wiki.mikroAk.com/wiki/Manual:RouAng/RouAng_filters• Easy way to manage and filter receiving andpropagaAngprefixinMikroTikRouterOS.

• EasywaytosetanyrouAngparameters• Usingipfirewallfilteralgorithm(if-thencondiAon)• CanbeassigninBGPinstance(out-filteronly)andBGPpeering(inandoutfilter)

MikroTik Routing Filter


31

Invalid BGP Route


32

Fromthe636871prefixesthatarecurrentlyintherouAngtable,40445matchatleastoneROA.Fromthesematchedprefixes3678areinvalidwhile36767arevalid.ThelinechartbelowshowsthevalidandinvalidroutesoverthecourseofAme.

h;p://rpki.surfnet.nl/trends.html

RPKI (Resource Public Key Infrastructure)


33

•  h;p://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure•  RPKIisafirststeptosecureBGP•  It allows to cerAfy (and verify) that a prefix isadverAsedbyoriginalAS(inotherwordsthatanIPpointstoitslegiAmateowner)

•  NotyetsupportbyMikroTikRouterOS6• WillbeincludedinRouterOSV7???

“IfyoucannotsurviveintheAredoflearning,thenyouwillbesufferingbythepainofstupidity”(ImamSyafi’i)

THANK YOU FOR YOUR TIME

ID Networkers | www.trainingmikrotik.com Expert Trainer and Consultant

34

IfyouhaveanyotherquesAonsorwouldlikemetoclarifyanythingelse,please,letmeknow.IamalwaysgladtohelpinanywayIcan

Jakarta&Semarang,Indonesia

[email protected]

+628156583545

@mymikroAkwww.facebook.com/ropix

ADDRESS:

WEBSITE:

EMAIL:TELEPHONE:

id.linkedin.com/in/ropix/

rofiq.fauzi

CONTACT

Technology

BGP Security (Mum presentation 2016)