BGP Security Challenges & MANRS Actions in Avoiding Incidents

If you look up the definition of BGP on Wikipedia, it is defined as follows: “Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (AS) on the Internet. The protocol is often classified as a path vector protocol but is sometimes also classed as a distance-vector routing protocol”.

 

In other words, BGP is the routing method that enables the Internet to function: without it we could not do a Google search or send an email, and this is where it gets its importance. There are ~60,000 networks (Autonomous Systems) across the Internet, each using a unique AS number to identify itself to other networks. However, like any complex protocol, BGP can have its issues, whether minor configuration differences among vendors’ implementations or major, show-stopping errors, such as the publication of massive lists of mis-advertised routes, or spoofing, where the source IP address of IP packets is replaced with a fake address to hide the real identity of the sender.

Other BGP challenges include prefix hijacking, route leaks, and IP spoofing.

Diagrams (a) and (b) (figure not reproduced here): (a) prefix hijacking, (b) route leak.

Mutually Agreed Norms for Routing Security (MANRS) 

Those problems can be addressed using MANRS, which is developed by the Internet Society (ISOC), a nonprofit with 100K+ members globally, founded in 1992 by Vint Cerf and Bob Kahn. ISOC ‘provides a corporate structure to support the Internet standards development process’.

 

- ISOC vision is “We envision a future in which people in all parts of the world can use the Internet to improve their quality of life, because standards, technologies, business practices, and government policies sustain an open and universally accessible platform for innovation, creativity, and economic opportunity.”

- ISOC Mission: Ensure the Internet is open, globally connected, secure, and trustworthy for everyone.

- Network safety depends on the actions of others. By implementing MANRS, you contribute to the safety of R&E routing.

In diagram (a), you can see what happens when AS15169 announces its prefix (8.8.8.0/24) and traffic from AS64501 is directed to AS15169. Without prefix filters in place, an attacker can exploit BGP and announce the same prefix.

In diagram (b), a route leak is the propagation of routing announcements beyond their intended scope. It can occur when a customer announces routes they learned from one transit provider to another transit provider.
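The route-leak scenario in diagram (b) can be checked mechanically with the valley-free rule: a route learned from a provider or a peer may only be exported to customers. The following is an added example, not code from the page or from MANRS; the AS relationships (AS64501 buying transit from AS64500 and AS64502, which peer with each other) are constructed for illustration.

```python
# Constructed AS relationships (example data, not from the page).
# (a, b): "provider" means AS a buys transit from AS b; "peer" is settlement-free peering.
RELATIONSHIPS = {
    ("AS64501", "AS64500"): "provider",  # AS64501 is a customer of AS64500
    ("AS64501", "AS64502"): "provider",  # AS64501 is also a customer of AS64502
    ("AS64500", "AS64502"): "peer",      # the two transit providers peer with each other
}


def relationship(a, b):
    """How AS `a` sees AS `b`: 'provider', 'customer', 'peer' or None if unknown."""
    rel = RELATIONSHIPS.get((a, b))
    if rel is not None:
        return rel
    reverse = RELATIONSHIPS.get((b, a))
    if reverse == "provider":
        return "customer"   # b buys transit from a, so b is a's customer
    return reverse          # 'peer' is symmetric; None stays None


def export_allowed(learned_from, exporting_to):
    """Valley-free export rule used to spot route leaks (the RFC 7908 notion):
    a route learned from a provider or a peer may only be exported to customers;
    a route learned from a customer may be exported to anyone.
    Unknown relationships are treated as disallowed so they get flagged."""
    if learned_from is None or exporting_to is None:
        return False
    if learned_from == "customer":
        return True
    return exporting_to == "customer"


def detect_leaks(propagation_path):
    """Check every transit hop of a route's propagation path, given in the order
    the announcement travelled (origin first). Returns the ASes that leaked it."""
    leakers = []
    for i in range(1, len(propagation_path) - 1):
        prev_as, this_as, next_as = propagation_path[i - 1:i + 2]
        learned_from = relationship(this_as, prev_as)
        exporting_to = relationship(this_as, next_as)
        if not export_allowed(learned_from, exporting_to):
            leakers.append(this_as)
    return leakers


# Constructed scenario from the text: AS64501 learns a route from transit
# provider AS64500 and re-announces it to its other transit provider AS64502.
LEAKED_PATH = ["AS64500", "AS64501", "AS64502"]
# Legitimate propagation: AS64501 originates its own prefix, its provider
# AS64500 passes it on to peer AS64502.
CLEAN_PATH = ["AS64501", "AS64500", "AS64502"]

if __name__ == "__main__":
    print("leak at:", detect_leaks(LEAKED_PATH))   # ['AS64501']
    print("leak at:", detect_leaks(CLEAN_PATH))    # []
```

The same check works from an operator's own vantage point: feed it the AS path of a route you are about to export together with the relationship you have with the neighbour you learned it from, and refuse the export when the rule fails.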

MANRS Defense Actions 

- Access Control List (ACL) and Filtering: an access control list (ACL) is used to deny private IP addresses on your downstream interface, while filtering is applied to both inbound and outbound traffic.

Building Prefix Filters

Using an IRR to produce a prefix filter can be done in the following circumstances:

  1. Specific-prefix outbound filter of your network to peer and upstream (required)

  2. Specific-prefix inbound filter from customers (required)

  3. Specific-prefix inbound filter of peers to your network (recommended)

If an ISP customer’s allocation block is 192.51.100.0/24, the ACL would permit packets with a source address from 192.51.100/10 and deny packets that originate from other source addresses, for example 192.0.2.1.

- Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks, with prefix and AS-path granularity.

- The network operator is able to communicate to their adjacent networks which announcements are correct.

- The network operator applies due diligence when checking the correctness of their customers’ announcements, specifically that the customer legitimately holds the ASN and the address space it announces.

- Up-to-date filters prevent malicious attempts to divert traffic.

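The procedure above (derive the customer filter from IRR route objects, apply it inbound with prefix and AS-path granularity, and pair it with a source-address ACL on the customer interface) as one added example. This is not code from the page or from MANRS; the IRR route objects, the customer ASNs and the IOS-style output format are assumptions made for illustration, and the prefixes other than the page's 192.51.100.0/24 are documentation ranges.

```python
import ipaddress

# Constructed IRR route objects (not real IRR records). Each mimics a "route:"
# object: the prefix and the AS registered as its origin.
IRR_ROUTE_OBJECTS = [
    {"route": "192.51.100.0/24", "origin": "AS64501"},  # the page's example allocation
    {"route": "203.0.113.0/24", "origin": "AS64501"},   # constructed second allocation
    {"route": "198.18.0.0/15", "origin": "AS64502"},    # belongs to another customer
]


def build_prefix_filter(route_objects, customer_asn, max_extra_bits=0):
    """Derive the inbound filter for one customer from IRR route objects.
    Returns (network, max_prefix_len, origin_asn) entries; max_extra_bits lets
    the customer announce slightly more specific prefixes (0 = exact match only)."""
    entries = []
    for obj in route_objects:
        if obj["origin"] != customer_asn:
            continue
        net = ipaddress.ip_network(obj["route"], strict=True)
        max_len = min(net.prefixlen + max_extra_bits, net.max_prefixlen)
        entries.append((net, max_len, obj["origin"]))
    return entries


def announcement_permitted(prefix, origin_asn, prefix_filter):
    """Inbound check with prefix and AS-path granularity: the announced prefix
    must fall inside a registered block, stay within the allowed length, and
    be originated by the AS registered for that block."""
    announced = ipaddress.ip_network(prefix, strict=False)
    for net, max_len, asn in prefix_filter:
        if announced.version != net.version:
            continue
        if announced.subnet_of(net) and announced.prefixlen <= max_len and asn == origin_asn:
            return True
    return False


def render_ios_prefix_list(name, prefix_filter):
    """Render the filter in the IOS 'ip prefix-list' syntax (an assumed target
    format, used here only to show what the generated filter looks like)."""
    lines = []
    seq = 0
    for net, max_len, _ in prefix_filter:
        seq += 10
        line = f"ip prefix-list {name} seq {seq} permit {net}"
        if max_len > net.prefixlen:
            line += f" le {max_len}"
        lines.append(line)
    lines.append(f"ip prefix-list {name} seq {seq + 10} deny 0.0.0.0/0 le 32")
    return lines


def source_permitted(src_ip, customer_blocks):
    """Ingress ACL on the customer-facing interface (the anti-spoofing part):
    accept only packets whose source lies inside the customer's allocations."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(block, strict=False) for block in customer_blocks)


if __name__ == "__main__":
    flt = build_prefix_filter(IRR_ROUTE_OBJECTS, "AS64501", max_extra_bits=1)
    print("\n".join(render_ios_prefix_list("CUST-AS64501-IN", flt)))
    print(announcement_permitted("192.51.100.0/24", "AS64501", flt))   # True
    print(announcement_permitted("192.51.100.0/26", "AS64501", flt))   # False: too specific
    print(announcement_permitted("192.51.100.0/24", "AS64502", flt))   # False: wrong origin
    print(source_permitted("192.51.100.7", ["192.51.100.0/24"]))       # True
    print(source_permitted("192.0.2.1", ["192.51.100.0/24"]))          # False: spoofed
```

The filter closes with an explicit deny so that anything not registered for the customer is rejected, which is what keeps a customer from announcing space it does not hold; regenerating it whenever the IRR objects change is what the "up-to-date filters" point above refers to.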
MANRS Defense Action

- Anti-Spoofing: IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin. Simply put, the host pretends to be some other host.

Spoofing can be exploited in various ways, most notably to execute DDoS reflection-amplification attacks. Reflection occurs when an attacker sends traffic to a victim via a third party. Amplification is achieved by small queries resulting in much larger responses. Open DNS resolvers and NTP servers are commonly used as reflectors/amplifiers.

MANRS Defense Action

- Coordination: Facilitate global operational communication and coordination between network operators. Maintain globally accessible, up-to-date contact information in common routing databases.

- Regional Internet Registries (RIRs): ARIN, APNIC, RIPE, etc. For North America, it’s ARIN. Add and maintain your NOC or network administrator contact information.

- Since Internet Routing Registries (IRRs) are used to validate routing information, keeping the contact information on those objects up to date is important.

- Maintain contact information in PeeringDB. Primarily applicable to regionals, or to those who peer.

Global communication between network operators

MANRS participants should publish and maintain their contact information in their region’s RIR Whois database, the IRR database, PeeringDB, and their company website.

MANRS Defense Action

- Global Validation: Facilitate validation of routing information on a global scale. 

The MANRS action for Global Validation requires network operators to ensure that their network’s routing information is publicly available, including the announcements the network originates as well as the routing policy describing how reachability information exchanged with other networks is handled.

Step 1: The attacker announces the prefix of another network (AS X announces the prefix owned by AS64501), and the announcement propagates and is accepted by neighboring ASes (AS B and AS A).

Step 2: The attacker’s announcement causes traffic destined for AS64501 to be directed to the attacker’s AS (AS X).

Step 3: If AS64501 publishes a network routing policy, it is able to mitigate the threat of prefix hijacking. AS B (and other networks) are able to look up AS64501’s routing information to establish the true owner of the announced prefix.

Step 4: The traffic is directed to the correct AS (AS64501) regardless of whether the attacker has announced AS64501’s prefix. This is what is known as origin validation.
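The four steps above, carried through as an added example of what a neighbouring AS does with and without AS64501's published policy. This is not code from the page or from MANRS: the published entry (a documentation prefix with a maximum length and an origin AS, shaped like an IRR route object or an RPKI ROA), the announcements, and the use of ASN 65551 as a stand-in for the attacker's "AS X" are all constructed.

```python
import ipaddress

# Constructed publication of AS64501's routing policy: which AS may originate
# which prefix, with a maximum prefix length (the shape of an IRR route object
# or an RPKI ROA; the prefix is a documentation range, not AS64501's real space).
PUBLISHED_ORIGINS = [
    ("198.51.100.0/24", 24, 64501),
]

# Constructed announcements seen by a neighbouring AS (AS A / AS B in the text).
# ASN 65551 stands in for the attacker's "AS X"; its more-specific /25 would win
# longest-prefix match in any router that does not validate origins.
ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/24", "as_path": [64500, 64501]},  # legitimate, via transit
    {"prefix": "198.51.100.0/25", "as_path": [64500, 65551]},  # hijack attempt (step 1)
]


def origin_validation(prefix, origin_asn, published):
    """Classify one announcement against the published policy:
    'valid' (covered, right origin, within max length), 'invalid' (covered but
    wrong origin or too specific) or 'not-found' (no published entry covers it)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for auth_prefix, max_len, asn in published:
        auth = ipaddress.ip_network(auth_prefix, strict=False)
        if net.version != auth.version or not net.subnet_of(auth):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def forwarding_target(announcements, dst_ip, published=None):
    """Which origin AS a neighbouring router would forward traffic for dst_ip to.
    Without a published policy (step 2) every announcement is installed and the
    most specific prefix wins, so the attacker captures the traffic. With the
    policy (steps 3 and 4) invalid announcements are dropped before selection."""
    addr = ipaddress.ip_address(dst_ip)
    installed = {}
    for ann in announcements:
        origin = ann["as_path"][-1]
        if published is not None and origin_validation(ann["prefix"], origin, published) == "invalid":
            continue
        current = installed.get(ann["prefix"])
        # Among announcements for the same prefix, keep the shorter AS path.
        if current is None or len(ann["as_path"]) < len(current["as_path"]):
            installed[ann["prefix"]] = ann
    matching = [a for a in installed.values()
                if addr in ipaddress.ip_network(a["prefix"], strict=False)]
    if not matching:
        return None
    best = max(matching, key=lambda a: ipaddress.ip_network(a["prefix"], strict=False).prefixlen)
    return best["as_path"][-1]


if __name__ == "__main__":
    print(forwarding_target(ANNOUNCEMENTS, "198.51.100.10"))                     # 65551 (hijacked)
    print(forwarding_target(ANNOUNCEMENTS, "198.51.100.10", PUBLISHED_ORIGINS))  # 64501 (validated)
```

The 'not-found' state is kept separate from 'invalid' on purpose: a prefix with no published entry cannot be judged either way, so dropping it would blackhole networks that simply have not published yet, which is why the example only discards announcements that contradict a published entry.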
More About MANRS Training Modules 