Securing the TCP Session

Risks do not just occur at the BGP protocol level. A potential attacker could attack the control plane by sending masses of packets to the BGP port, triggering a denial of service. The first step is to restrict the communication relationships for the socket setup. Stateless packet filters – access control lists (ACLs) – can be used for this purpose, specifically to make sure that the target port for BGP (TCP/179) is only accessible from legitimate source IP addresses.

However, this alone is not enough. It is also important to ensure the authenticity and integrity of the data. Otherwise, an attacker could carry out blind insertion and replay or reset attacks. Blind insertion means an attacker attempting to inject false routing information or a session reset (i.e., a termination) with a spoofed IP address on a router that is not secured by authentication. The big challenge, however, is that the TCP sequence number must match the expected segment, which requires both knowledge of the current session and correct timing. If a session reset occurs, a completely new setup is required, which means learning hundreds of thousands of items of routing information; the end effect is a denial of service as it is happening.

Authentication by cryptographic procedures can provide a remedy. However, outdated procedures such as MD5, which are now considered insecure, are still mostly used. A symmetric key is available on both peers. Each TCP segment contains a previously calculated message authentication code (MAC). The recipient checks this before accepting it on the basis of the content in TCP headers, the content data, and the configured symmetric key. If calculations return a different result than the received value, the receiving router does not accept the segment.

Despite MD5 being considered vulnerable for years because of possible collisions, changing the key with this method would result in the TCP session being terminated. Consequently, a new BGP session is created and prompts relearning of the routing information, which will take some time.

The TCP authentication options (TCP-AOs) method was developed as an optimized procedure and standardized in RFC5925. This procedure enables the key to be exchanged without interrupting the TCP session and, as a result, the BGP session; avoiding interruptions is particularly beneficial for long-term TCP sessions such as BGP. TCP-AO is only used to check the authenticity of the sender, with no encryption of the user data, unlike the Transport Layer Security (TLS) or Internet Protocol Security (IPSec) protocols. The TCP-AOs are based on master key tuples (MKTs) for this purpose. Management can be carried out both statically and by an out-of-band mechanism. The connection keys (traffic keys) are then derived from the MKTs.

Black Holes

For some years now, attacks that restrict or completely prevent the accessibility of services have been on the rise. These attacks, known as denial of service (DoS) or, in the case of multiple sources, distributed denial of service (DDoS), can be launched at either the network or application level. Network-level DoS and DDoS attacks are aimed at overloading network connections. Volumetric attack is another way of putting this. Attacks at the application level (e.g., on web servers) exploit vulnerabilities in applications or specific application behavior to take down the servers. In both variants, the first step is to detect the traffic pattern and then filter, limit, or redirect the data traffic.

Because volumetric attacks in particular are associated with high data rates that connections cannot handle, it is important to intercept this data traffic up front. One conceivable method would be blackholing [6] on the provider side, which means a router drops all packets to a specific destination into a null route.

This strategy would allow the upstream provider to be informed by BGP that it needs to drop packets to specific target IP addresses – also known as remotely triggered black hole routing (RTBH). The customer sends a /32 prefix for IPv4 or /128 for IPv6 with the attacked target IP address and BGP community 666 to the peer. However, because peers do not accept these host prefixes by default, specific coordination with the provider is required. In this case, the IP address also is no longer accessible, but overloading of the connection then stops and other services are no longer affected.

Conclusions

BGP is still a fundamental component of the Internet in 2024, although not many people are familiar with the background information. Routing failures from misconfigurations or attacks, for example, can have an enormous effect, even if only in some areas because of the decentralized structure of the Internet. Because of the ever-increasing dependence on online services, you need to keep an eye on BGP and look into options for securing it.