MikroTik BGP Security
By: Rofiq Fauzi, MUM Kuala Lumpur
ID Networkers | www.trainingmikrotik.com Expert Trainer and Consultant
About Rofiq Fauzi
CONSULTANT | CERTIFIED TRAINER
http://www.mikrotik.com/consultants/asia/indonesia
• Using MikroTik (v.2.97) since 2005, as Network Engineer at WISP.
• 2007, Network & Wireless Engineer at INDOSAT Central Java Area
• 2008, IT Network & Telco Procurement at INDOSAT HQ
• 2012-Now, MikroTik Consultant & Certified Trainer at ID-Networkers (PT Integrasi Data Nusantara).
• 2013-Now, Network Manager at WISP Indomedianet, Indonesia
• 2013-Now, Network Consulting Engineer at Connexin Limited, Hull, UK
http://www.mikrotik.com/training/partners/asia/indonesia
About ID-Networkers
In the Most Prestigious Networking Certification
EXPERT LEVEL TRAINERS & CONSULTANTS
OVERVIEW: We are young entrepreneurs. We are the only training partner & consultant who has expert-level trainers in the most prestigious networking certifications, CCIE Guru, JNCIE Guru and MTCINE Guru, which are very limited in number in Indonesia and even in Asia. Proof of that is that hundreds of our students pass the certification exam every year. We are the biggest certification factory in Indonesia.
WEBSITE: www.idn.id | www.trainingmikrotik.com
OUR PROJECT IN MALAYSIA
Project Langkawi: Wi-Fi 1Malaysia project in all tourism parks on Langkawi Island: Cenang Beach, Pulau Tuba, Pulau Dayang Bunting, Cable Car, etc.
WiFi in KL: Integrated Wi-Fi network with centralized hotspot users in the KL area, including apartments, universities, public areas, etc.
Project in Melaka: Wi-Fi project at Sekolah ALAM, Jabatan Laut, some universities and Honda Melaka, etc.
About BGP
• Designed as Exterior Gateway Protocol
• Internet formed by BGP routing
• BGP also has the capability to carry information about diverse routed protocols (ipv4, ipv6, l2vpn, vpnv4)
BGP Multiprotocol Capabilities
Interior and Exterior Gateway Protocol
• Interior Gateway Protocol (IGP): handles routing within an Autonomous System (one routing domain). It can be said that the IGP is routing that works on our own network, where all routers belong to us.
• Exterior Gateway Protocol (EGP): handles the routing between Autonomous Systems (inter-domain routing). It can be said that the EGP handles routing between our network and networks that are not ours.
(Figure: AS1 and AS2)
Interior and Exterior Gateway Protocol
Interior Gateway Protocol: OSPF, IS-IS, IGRP, EIGRP, RIP
Exterior Gateway Protocol: BGP
Autonomous Systems (AS)
• An AS is a combination of networks and routers, usually under one ownership or control, that has a similar routing protocol.
• AS is 16-bit, or in decimal (0-65535)
• Range 1-64511 used for Internet
• Range 64512-65535 used for private
• With 16-bit AS Numbers, only around 65,000 unique numbers are possible.
• The introduction of 32-bit ASNs increases the supply of AS Numbers to four billion.
• AS Number allocation is managed by IANA
BGP between AS in the Internet
https://www.pasternack.com/t-calculator-fspl.aspx
BGP between AS in the Internet
http://bgp.he.net/
Full trust between peers is one of the weaknesses of the protocol
IN BGP WE TRUST
AS100 gives wrong information to AS200
AS200 gives the right information, but it comes from the wrong source
Wrong information will spread to the network
LEAK XX
The Internet's Vulnerable Backbone
Types of BGP Attacks [workshop]
• Prefix Hijack
• Denial of service
• Creation of route instabilities (flapping)
Prefix Hijack
• Prefix hijacking, a misbehavior in which a misconfigured or malicious BGP router originates a route to an IP prefix it does not own,
• is becoming an increasingly serious security problem in the Internet.
How Attackers Can Hijack BGP
Demo in GNS3
Topology
Demo
• Install GNS3. If you didn't know how to install MikroTik on GNS3, follow our previous MUM presentation slide at: [email protected]/presentations/ID13/rofiq.pdf
• Create topology (slide 15)
• Configure BGP peering between all AS; don't forget that AS 234 is using iBGP peers (mesh peering or route reflector)
• Create a loopback interface (bridge interface) in Router1 and Router6, and put IP 1.1.1.1/32 on both bridge interfaces.
• On Router6, in routing BGP network, advertise network 1.1.1.1/32
• Check in Router1: in IP route we can see prefix 1.1.1.1 with AS path 234,600; that means prefix 1.1.1.1/32 originated from 600
• On Router1, in routing BGP network, advertise network 1.1.1.1/32 too
• Check in Router1: in IP route we can see prefix 1.1.1.1 will change its AS path to 234,100
DOS Attack
Ref: http://www.133tsec.com/2012/04/30/0day-ddos-mikrotik-server-side-ddos-attack/
• One of the denial of service (DDOS) attacks happens on the MikroTik router's winbox service when the attacker is continuously requesting a part of a .dll/plugin file
• It raises the router's CPU to 100% and other actions. The "other actions" depend on the RouterOS version and the hardware.
• For example, on MikroTik Router v3.30 there was a LAN corruption, BGP fail, whole router failure
• MikroTik Router v2.9.6: there was a BGP failure
• MikroTik Router v4.13: unstable wifi links
• MikroTik Router v5.14/5.15: rarely stacking
• Behaviour may vary most times, but ALL will have CPU usage 100%. Most routers lose BGP after a long-time attack
Demo DOS Attack
• Download testing script from http://www.133tsec.com/wp-content/uploads/2012/04/mkDl.zip
• Extract it in your C folder
• Run in your windows command prompt:
    C:\>mkDl.py <RouterIPAddress>
    DoS [Winbox plugin downloader]
    [+] Hmmm we gonna attack it..
    [+] Index received!
    [+] Requesting file roteros.dll till death :)
    Sending evil packet.. press CTRL-C to stop –
- Watch your router CPU usage
Warning! This content and tool are for education purposes only. I am not responsible for anything that might happen to you or your routers if you use it to DDOS your router, and/or cause any damage or error.
Defend BGP Attacks
• Always update your RouterOS
• Good BGP router configuration
• Detect false route announcements
• RPKI
Good Router Configuration
Use routing filters to control prefix exchange between BGP peerings.
In Filters
• Don't accept your own prefixes
• Don't accept RFC1918 (private IP addresses) and other reserved ones (RFC5735)
• Don't accept default route (unless you need it)
• Don't accept prefixes longer than /24
• Don't accept BOGON prefixes
• Limit your Max Prefix
• Limit AS_Path
Out Filters
• Announce only owned prefixes (in case you do not provide transit to other AS's)
Credit to Wardner Maia, ref: http://mdbrasil.com.br/en/downloads/1_Maia.pdf
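The in-filter checklist above, carried through as an added Python example (not the slides' own RouterOS configuration) over a constructed feed of announcements; the owned prefix, the reserved ranges, the limits and the feed are assumptions made for this example.

```python
import ipaddress

# Constructed values for this example, not from the slides: the prefix
# "we" own, reserved ranges from RFC1918/RFC5735, and the policy limits.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "224.0.0.0/4", "240.0.0.0/4")]
MAX_PREFIX_LEN = 24      # don't accept prefixes longer than /24
MAX_AS_PATH_LEN = 10     # limit AS_PATH length
MAX_PREFIX_COUNT = 3     # tiny max-prefix limit; a full feed would use 600000

def check_update(prefix, as_path, accept_default=False):
    """Return (accepted, reason) for one received announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0 and not accept_default:
        return False, "default route"
    if any(net.subnet_of(own) for own in OWN_PREFIXES):
        return False, "own prefix"
    if any(net.subnet_of(r) for r in RESERVED):
        return False, "reserved/bogon"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "longer than /%d" % MAX_PREFIX_LEN
    if len(as_path) > MAX_AS_PATH_LEN:
        return False, "AS path too long"
    return True, "ok"

def filter_feed(updates):
    """Apply the in-filter to a whole feed, then enforce the max-prefix limit."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, why = check_update(prefix, as_path)
        if ok and len(accepted) >= MAX_PREFIX_COUNT:
            ok, why = False, "max-prefix limit"
        (accepted if ok else rejected).append((prefix, why))
    return accepted, rejected

# Constructed feed: what a peer might send us, including the demo's /32.
FEED = [
    ("0.0.0.0/0", [64501]),
    ("203.0.113.0/24", [64501, 64502]),
    ("192.168.1.0/24", [64501]),
    ("1.1.1.1/32", [234, 600]),
    ("1.1.1.0/24", [234, 600]),
    ("5.5.5.0/24", [64501, 64503]),
    ("6.6.6.0/24", [64501]),
    ("7.7.7.0/24", [64501]),
]

if __name__ == "__main__":
    acc, rej = filter_feed(FEED)
    for prefix, why in rej:
        print("discard %-16s %s" % (prefix, why))
    print("accepted:", [p for p, _ in acc])
```

Note that the demo's 1.1.1.1/32 is discarded by the "longer than /24" rule alone, before any origin check is needed.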
Detect False Route Announcements
https://stat.ripe.net/widget/bgplay
BGP Routing Table Size
(Chart: BGP routing table size over time)
Source = http://www.cidr-report.org/
Detect Route Flapping
Detect routing table size: run the detect-route script every 5 minutes from the scheduler.

    /system scheduler add interval=5m name=schedule1 on-event=detect-route start-time=startup
    /system script add name=detect-route source=...

Source of the detect-route script:

    # count the routes in the routing table and compare with the expected size
    :local routeSize [/ip route print count-only];
    :if ($routeSize > 5400000) do={
        /log error "Your routing table is $routeSize, Routing table abnormal"
    } else={
        /log warning "Your routing table size is $routeSize, normal!"
    }
Limit Prefix Number
If our in-filter receives all Internet prefixes from our peering, we should limit the number of prefixes with the following command:
    [admin@BGP-ROUTER] > routing bgp peer set number=0 max-prefix-limit=600000
MikroTik Routing Filter
• http://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters
• Easy way to manage and filter received and propagated prefixes in MikroTik RouterOS.
• Easy way to set any routing parameters
• Uses the ip firewall filter algorithm (if-then condition)
• Can be assigned in the BGP instance (out-filter only) and BGP peering (in and out filter)
Invalid BGP Route
From the 636871 prefixes that are currently in the routing table, 40445 match at least one ROA. From these matched prefixes 3678 are invalid while 36767 are valid. The line chart below shows the valid and invalid routes over the course of time.
http://rpki.surfnet.nl/trends.html
RPKI (Resource Public Key Infrastructure)
• http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
• RPKI is a first step to secure BGP
• It allows to certify (and verify) that a prefix is advertised by the original AS (in other words, that an IP points to its legitimate owner)
• Not yet supported by MikroTik RouterOS 6
• Will it be included in RouterOS v7???
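Route origin validation as described above, and the GNS3 demo's AS-path change from 234,600 to 234,100, as an added Python example that is not part of the slides or of RouterOS: it validates the demo's 1.1.1.1/32 route before and after the second origin appears, against a constructed ROA that says AS 600 is the legitimate origin.

```python
import ipaddress

# Constructed ROAs (assumption for this example): AS 600 is the legitimate
# origin of 1.1.1.0/24 and may announce it down to /32, matching the GNS3
# demo where the route first appears with AS path 234,600.
ROAS = [
    ("1.1.1.0/24", 32, 600),       # (prefix, maxLength, origin AS)
    ("203.0.113.0/24", 24, 64501),
]

def origin_as(as_path):
    """The origin AS is the rightmost AS in the path ("234,600" -> 600)."""
    return as_path[-1]

def validate_origin(prefix, origin, roas=ROAS):
    """RFC 6811 route origin validation.
    valid:     some covering ROA has this origin AS and a maxLength that
               allows the announced prefix length
    invalid:   at least one ROA covers the prefix but none matches
    not-found: no ROA covers the prefix at all"""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def check_table(routes, roas=ROAS):
    """Run validation over (prefix, as_path) routes as seen on Router1."""
    return [(prefix, origin_as(path),
             validate_origin(prefix, origin_as(path), roas))
            for prefix, path in routes]

# Constructed snapshots of Router1's table from the demo steps.
BEFORE = [("1.1.1.1/32", [234, 600])]   # Router6 (AS 600) originates it
AFTER = [("1.1.1.1/32", [234, 100])]    # AS 100 now claims the same /32

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for prefix, origin, state in check_table(table):
            print("%s: %s origin AS%d -> %s" % (label, prefix, origin, state))
```

A route that validates as "invalid" is exactly the false announcement the slides say should be detected; "not-found" only means no ROA exists for that prefix yet.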
"If you cannot endure the tiredness of learning, then you will suffer the pain of stupidity" (Imam Syafi'i)
THANK YOU FOR YOUR TIME
If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.
CONTACT
ADDRESS: Jakarta & Semarang, Indonesia
TELEPHONE: +628156583545
WEBSITE: www.facebook.com/ropix | id.linkedin.com/in/ropix/
@mymikrotik
rofiq.fauzi