Protecting Internet Route Integrity

Jie Liau
Sep 25, 2020


I recently gave a talk at the CyberSec 2020 conference hosted by iThome about Internet route integrity. This article briefly notes the content of that talk, and I hope it helps anyone interested in this field.

The Internet is built on two major kinds of number resources: Autonomous System numbers (ASNs) and Internet Protocol (IP) addresses. IANA (the Internet Assigned Numbers Authority) holds both of these Internet number resources. IANA delegates them to the five RIRs (Regional Internet Registries): AFRINIC, ARIN, APNIC, LACNIC and RIPE NCC. The RIRs in turn assign these number resources to the companies and organizations that provide Internet service. For example, Google uses AS15169 to peer with Apple's AS714 and exchange routing and reachability information, that is, IP prefix information.

How do two Autonomous Systems exchange this kind of information, and what protocol do they use? There is one standardized exterior gateway protocol designed for exactly this, called BGP (Border Gateway Protocol); RFC 4271 is the dedicated specification for it. BGP uses a handful of attributes to find the best route; they are listed below:

  1. Weight — Cisco proprietary
  2. Local Preference
  3. AS Path
  4. Origin Code
  5. Multi-Exit Discriminator
  6. Next Hop
  7. Community

There are two different types of BGP session, iBGP and eBGP, depending on whether the two AS numbers are the same or not. Since many companies and organizations peer with each other and exchange their IP prefix information, the global Internet routing table is huge. At the moment there are around 846396 prefixes in the global Internet routing table.

There are three major BGP problems so far: AS path manipulation, prefix origin hijacking and route leaks. I will briefly describe each of them below:

0x01 AS Path Manipulation

As mentioned above, BGP compares the attributes and selects the best route. For the AS Path attribute, the shortest AS_PATH wins. So this problem arises when a malicious AS changes the original AS_PATH of an update to a shorter one and announces it. The ASes neighboring the malicious AS might then prefer the path going through it. Please see the picture below:
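To make the best-path comparison concrete, here is an added example (my own illustration, not code from the original post) that walks the attribute list above in order and reports which attribute decided between two candidates. The AS numbers, prefixes and router IDs are constructed from documentation ranges; the MED comparison is simplified to ignore which neighbor AS sent the route, and the ordering follows the Cisco-style list in the post (Weight, Local Preference, AS Path, Origin, MED, eBGP over iBGP, IGP metric, router ID). It shows why a shortened AS_PATH wins on equal footing, and why a locally set Local Preference overrides it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Origin codes in order of preference (lower rank wins).
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}


@dataclass
class Route:
    """One candidate path for a prefix, carrying the attributes listed in the post."""
    prefix: str
    as_path: List[int]          # leftmost = neighbor that sent it, rightmost = origin AS
    next_hop: str
    weight: int = 0             # Cisco proprietary, local to this router
    local_pref: int = 100
    origin: str = "IGP"
    med: int = 0                # simplification: compared regardless of neighbor AS
    learned_from: str = "eBGP"  # "eBGP" is preferred over "iBGP"
    igp_metric: int = 0         # IGP cost to reach the next hop
    router_id: str = "0.0.0.0"  # final tie-breaker: lowest BGP router ID wins


# The decision steps in order. Each key is built so that a LOWER value wins.
STEPS = [
    ("weight", lambda r: -r.weight),
    ("local_pref", lambda r: -r.local_pref),
    ("as_path_length", lambda r: len(r.as_path)),
    ("origin", lambda r: ORIGIN_RANK[r.origin]),
    ("med", lambda r: r.med),
    ("ebgp_over_ibgp", lambda r: 0 if r.learned_from == "eBGP" else 1),
    ("igp_metric", lambda r: r.igp_metric),
    ("router_id", lambda r: ipaddress.IPv4Address(r.router_id)),
]


def best_path(routes: List[Route]) -> Route:
    """Return the winning route by comparing the step keys in order."""
    return min(routes, key=lambda r: tuple(key(r) for _, key in STEPS))


def deciding_attribute(a: Route, b: Route) -> Optional[str]:
    """Name the first step on which a and b differ (None if they tie on every step)."""
    for name, key in STEPS:
        if key(a) != key(b):
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: the legitimate path has three hops, a neighbor
    # offers the same prefix with a shorter (possibly manipulated) AS_PATH.
    legit = Route("203.0.113.0/24", [64496, 64497, 64498], "192.0.2.1", router_id="192.0.2.1")
    short = Route("203.0.113.0/24", [64499, 64498], "192.0.2.2", router_id="192.0.2.2")
    print("winner:", best_path([legit, short]).as_path,
          "decided by", deciding_attribute(legit, short))
    # Raising Local Preference on the trusted neighbor overrides AS_PATH length.
    legit.local_pref = 200
    print("winner:", best_path([legit, short]).as_path,
          "decided by", deciding_attribute(legit, short))
```

The second run in the demo is the operational takeaway: AS_PATH length is evaluated only after Weight and Local Preference, so policy you set locally on a trusted session cannot be undone by a neighbor shortening a path.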

0x02 Prefixes Origin Hijacking

In this type of problem, the malicious AS pretends to own prefixes that it does not actually own. For example, AS100 may announce that it owns 100.100.100.0/24, which is actually owned by AS200. Another case is that the malicious AS announces a more specific prefix to partially hijack the traffic. For example, AS100 may announce that it owns 100.100.100.0/24, which is part of 100.100.0.0/16, actually owned by AS200. Please see the picture below:

0x03 Route Leak

A route leak is the propagation of routing announcement(s) beyond their intended scope. The result of a route leak can be redirection of traffic through an unintended path that may enable eavesdropping or traffic analysis, and may or may not result in an overload or black hole. This type of problem is usually caused by accident or fat-fingers. There are six types defined in RFC 7908:

  1. Type1: Hairpin Turn with Full Prefix
  2. Type2: Lateral ISP-ISP-ISP Leak
  3. Type3: Leak of Transit-Provider Prefixes to Peer
  4. Type4: Leak of Peer Prefixes to Transit Provider
  5. Type5: Prefix Re-origination with Data Path to Legitimate Origin
  6. Type6: Accidental Leak of Internal Prefixes and More-Specific Prefixes

If you are interested in the details of the six route leak types, you can visit the following website:
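Types 1 to 4 above can all be recognized from the business relationships an AS has with its neighbors: a route learned from a provider or a peer must never be exported to another provider or peer (the "valley-free" rule). The following is an added example of mine, not code from the post or from RFC 7908, that encodes that rule and walks an AS_PATH to point at the AS whose export leaked the route. The relationship table and AS numbers are constructed; Types 5 and 6 depend on origin and internal-prefix knowledge that a relationship table alone does not carry, so they are not classified here.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Rel(Enum):
    PROVIDER = "provider"  # the neighbor sells transit to this AS
    CUSTOMER = "customer"  # the neighbor buys transit from this AS
    PEER = "peer"          # lateral, settlement-free peering


# (learned_from, export_to) combinations that violate the valley-free rule,
# mapped to the RFC 7908 type names used in the post.
LEAK_TYPES = {
    (Rel.PROVIDER, Rel.PROVIDER): "Type 1: Hairpin Turn with Full Prefix",
    (Rel.PEER, Rel.PEER): "Type 2: Lateral ISP-ISP-ISP Leak",
    (Rel.PROVIDER, Rel.PEER): "Type 3: Leak of Transit-Provider Prefixes to Peer",
    (Rel.PEER, Rel.PROVIDER): "Type 4: Leak of Peer Prefixes to Transit Provider",
}


def export_leak_type(learned_from: Rel, export_to: Rel) -> Optional[str]:
    """Classify a single export decision; None means the export is allowed."""
    # Customer routes may be exported anywhere, and any route may go to a customer.
    if learned_from == Rel.CUSTOMER or export_to == Rel.CUSTOMER:
        return None
    return LEAK_TYPES[(learned_from, export_to)]


# (this_as, neighbor_as) -> how this_as sees neighbor_as
Relationships = Dict[Tuple[int, int], Rel]


def find_leaks(as_path: List[int], rels: Relationships) -> List[Tuple[int, str]]:
    """Walk an AS_PATH (leftmost = nearest neighbor, rightmost = origin) and
    report every transit AS whose export violated the valley-free rule.
    ASes with unknown relationships are skipped rather than guessed."""
    leaks = []
    for i in range(1, len(as_path) - 1):
        me, upstream, downstream = as_path[i], as_path[i + 1], as_path[i - 1]
        learned_from = rels.get((me, upstream))
        export_to = rels.get((me, downstream))
        if learned_from is None or export_to is None:
            continue
        leak = export_leak_type(learned_from, export_to)
        if leak:
            leaks.append((me, leak))
    return leaks


# Constructed topology: AS64500 is multihomed to providers AS64496 and AS64498,
# and AS64510 is a customer of AS64498.
RELS: Relationships = {
    (64500, 64496): Rel.PROVIDER, (64500, 64498): Rel.PROVIDER,
    (64496, 64500): Rel.CUSTOMER, (64498, 64500): Rel.CUSTOMER,
    (64498, 64510): Rel.CUSTOMER, (64510, 64498): Rel.PROVIDER,
    (64501, 64502): Rel.PEER, (64501, 64496): Rel.PEER,
}

if __name__ == "__main__":
    # AS64500 re-advertises a route from one provider to the other: a hairpin turn.
    print(find_leaks([64496, 64500, 64498, 64510], RELS))
    # AS64501 passes a lateral peer's route on to another lateral peer.
    print(find_leaks([64496, 64501, 64502], RELS))
```

Routers cannot see relationships in the AS_PATH itself, which is why the same rule is normally enforced as an export policy (for example with communities tagging where each route was learned) rather than reconstructed after the fact.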

There are three defenses that mitigate the BGP problems above. Let's briefly describe each of them below:

0x01 Prefixes or AS_PATH Filtering

You can set up filters to control which prefixes or AS_PATHs you receive or announce. Here are some practices:

  1. Do filter on both sides of eBGP
  2. Limit AS_PATH in announced prefixes
  3. Announce only owned prefixes
  4. Filter out prefixes more specific than /24 and accept only prefixes of length /24 or shorter
  5. Filter default route
  6. Limit maximum prefixes
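The six practices above are simple enough to express as two policy functions, one inbound and one outbound, which is how they end up on a real router. This is an added example of my own rather than configuration from the post: the inbound side rejects the default route, prefixes more specific than /24, and over-long AS_PATHs, and signals a session teardown when the maximum-prefix limit is exceeded; the outbound side announces only prefixes inside the set you own. The numeric AS_PATH and maximum-prefix limits, the IPv6 /48 cutoff, and all prefixes and AS numbers are constructed assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Update:
    prefix: str
    as_path: List[int]


@dataclass
class InboundPolicy:
    max_len_v4: int = 24        # practice 4: nothing more specific than /24
    max_len_v6: int = 48        # assumption: IPv6 counterpart, not from the post
    max_as_path_len: int = 32   # practice 2: assumed numeric limit
    max_prefixes: int = 1000    # practice 6: per-session maximum-prefix limit


Rejected = List[Tuple[Update, str]]


def inbound_filter(updates: List[Update], policy: InboundPolicy) -> Tuple[List[Update], Rejected, bool]:
    """Apply the receive-side rules. Returns (accepted, rejected_with_reason, teardown),
    where teardown=True means the maximum-prefix limit was exceeded and the session
    should be reset, as a router's maximum-prefix feature would do."""
    accepted, rejected = [], []
    for u in updates:
        net = ipaddress.ip_network(u.prefix, strict=False)
        limit = policy.max_len_v4 if net.version == 4 else policy.max_len_v6
        if net.prefixlen == 0:                      # practice 5: no default route
            rejected.append((u, "default route"))
            continue
        if net.prefixlen > limit:                   # practice 4: too specific
            rejected.append((u, f"more specific than /{limit}"))
            continue
        if len(u.as_path) > policy.max_as_path_len:  # practice 2: path length cap
            rejected.append((u, "AS_PATH too long"))
            continue
        accepted.append(u)
        if len(accepted) > policy.max_prefixes:     # practice 6: max-prefix exceeded
            return accepted, rejected, True
    return accepted, rejected, False


def outbound_filter(updates: List[Update], owned_prefixes: List[str]) -> Tuple[List[Update], Rejected]:
    """Practice 3: announce only prefixes that fall inside the blocks we own."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    accepted, rejected = [], []
    for u in updates:
        net = ipaddress.ip_network(u.prefix, strict=False)
        if any(net.version == o.version and net.subnet_of(o) for o in owned):
            accepted.append(u)
        else:
            rejected.append((u, "not an owned prefix"))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample session: one good /24 among three updates that break a rule.
    incoming = [
        Update("0.0.0.0/0", [64496]),
        Update("203.0.113.0/25", [64496]),
        Update("198.51.100.0/24", [64496] * 6),
        Update("192.0.2.0/24", [64496, 64497]),
    ]
    acc, rej, teardown = inbound_filter(incoming, InboundPolicy(max_as_path_len=5))
    print("accepted:", [u.prefix for u in acc])
    print("rejected:", [(u.prefix, why) for u, why in rej], "teardown:", teardown)
    out_acc, out_rej = outbound_filter(
        [Update("203.0.113.0/24", [65000]), Update("198.51.100.0/24", [65000])],
        owned_prefixes=["203.0.113.0/24"])
    print("announced:", [u.prefix for u in out_acc])
```

Practice 1 is the point of having both functions: the same checks run on every eBGP session in both directions, so a neighbor's mistake is caught on your inbound side and your own mistake is caught on your outbound side.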

0x02 BGPSec

BGPSec is used to prevent the AS Path Manipulation problem. Every BGPSec router verifies the received BGPSec_PATH. The first BGPSec router uses its private key to sign the prefix and path information, and the second BGPSec router uses the public key of the first BGPSec router to verify that prefix and path information. Please see the picture below:

0x03 Resource PKI

RPKI is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. It can be used by the legitimate holders of the resources to control the operation of Internet routing protocols and prevent route hijacking and other attacks. In RPKI the most important component is the ROA (Route Origin Authorization). A ROA is an attestation about a BGP route announcement: it attests that the origin AS number is authorized to announce the prefixes. A ROA contains the following three pieces of information:

  1. IP Prefixes
  2. Maximum Length
  3. Autonomous System

In the real world, we usually deploy a validator server responsible for validating whether the received routes are correct or not. Please see the picture below:

In this way a router can confirm via RPKI whether received prefixes are correct, avoiding BGP hijacking attacks of this kind.
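The check the validator performs with the three ROA fields is small enough to show in full, so here is an added example of mine (not code from the post or from any RPKI validator) that implements route origin validation as RFC 6811 describes it and runs it against the hijack cases from the Prefix Origin Hijacking section. A route is Valid when some ROA covers the prefix, names the same origin AS and allows that prefix length; Invalid when ROAs cover the prefix but none matches; NotFound when no ROA covers it. The ROA for 100.100.0.0/16 with origin AS200 is taken from the post's example; the routing policy applied to each state (drop Invalid, accept the rest) is a common operator choice and an assumption here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str      # IP prefix covered by the authorization
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorized origin AS (AS0 is used to say "nobody may originate")


def origin_as(as_path: List[int]) -> int:
    """The origin is the rightmost AS in the AS_PATH."""
    return as_path[-1]


def _covers(roa: ROA, net) -> bool:
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_origin(prefix: str, origin: int, roas: List[ROA]) -> str:
    """RFC 6811 route origin validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "NotFound"
    for r in covering:
        # Both conditions must hold: right origin AND within the ROA's maxLength.
        # A ROA for AS0 never matches a real origin, so it only ever yields Invalid.
        if r.asn == origin and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def rov_policy(prefix: str, as_path: List[int], roas: List[ROA]) -> Tuple[str, str]:
    """Assumed operator policy: drop Invalid routes, accept Valid and NotFound."""
    state = validate_origin(prefix, origin_as(as_path), roas)
    return state, ("reject" if state == "Invalid" else "accept")


# The only ROA in this constructed validator cache is the post's example:
# AS200 may originate 100.100.0.0/16, and nothing more specific (maxLength 16).
ROAS = [ROA("100.100.0.0/16", 16, 200)]

if __name__ == "__main__":
    cases = [
        ("100.100.0.0/16", [64496, 200]),     # legitimate announcement by AS200
        ("100.100.0.0/16", [64496, 100]),     # AS100 claims the whole block
        ("100.100.100.0/24", [64496, 100]),   # AS100 announces a more specific
        ("100.100.100.0/24", [64496, 200]),   # AS200 itself, but beyond maxLength
        ("198.51.100.0/24", [64496, 200]),    # no ROA covers this prefix
    ]
    for prefix, path in cases:
        print(prefix, "origin", origin_as(path), "->", rov_policy(prefix, path, ROAS))
```

The fourth case is the caveat worth remembering when you create ROAs: a maxLength of 16 makes the holder's own /24 announcements Invalid too, so the ROA has to describe every prefix length you actually intend to originate, and only those.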

Since I only had 30 minutes for my presentation, I didn't have enough time to live-demo all the BGP problems, so I created a GitHub repo for it. If you are interested in BGP problems, please visit the following GitHub repo:

I also coded a tool that you can use to grab any public information about an Autonomous System, such as public peering exchange points, private peering facilities, adjacent ASes and prefixes, etc. If you are interested in it, you can also visit the following GitHub repo:

You can also check my deck for the iThome CyberSec 2020 conference at the following website:

I hope you like this article and that it helps you in some way. Thanks, and enjoy.
