Lesson 6 SAFE Best Practices for Securing Routing Protocols © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.16-1.


The Routing System Overview

The Routing System
Routing protocols and routing systems are vulnerable to attacks. Routing systems consist of three major pieces:
– Routing protocol
– Devices that are actually running the routing protocols
– Topology information that is carried within the routing protocol
It is necessary to protect each piece of the routing system.

Types of Attacks Against Routing Systems

Types of Attacks Against a Routing System
Falsifying routing information:
– Misdirecting traffic to form a routing loop
– Misdirecting traffic to a monitoring point
– Misdirecting traffic to a black hole
Disrupting peering:
– Port flooding
– Protocol semantics peering attacks
– Compromising a legitimate member of the routing domain
– Masquerading as a member of the routing domain
– Modifying routing information passed between routers

Misdirecting Traffic to Form a Routing Loop
Diagram: routers A, C and D. The attacker injects false routing information toward C that a /32 is reachable through A; the figure contrasts the normal best path with the path taken once the false routing information is injected.

Misdirecting Traffic Around a Protected Path
Diagram: routers A through H connecting Corporate Site 1, Corporate Site 2, a Remote Site and a Service Provider, with a Monitoring Station and an Encrypted Tunnel on the normal best path. The attacker injects false routing information toward E that a /32 is reachable through H, producing a modified best path for the /24 that bypasses the protected path.

Misdirecting Traffic into a Black Hole
Diagram: routers A through E and a /24 Lab Network behind a filter that blocks all data from the corporate network. The attacker injects false routing information toward A that a /32 is reachable through D; the modified best path leads into the filter and the traffic is discarded.

Abusing Routing Stability Features to Reduce Network Availability
These types of attacks normally fall within the realm of denial-of-service attacks. Two possible attacks using routing protocol stability features to reduce network availability are:
– Forcing BGP peer dampening by injecting flapping routing information
– Forcing the routing protocol to converge more slowly by injecting flapping routing information

Route Dampening Theory
Diagram: routers A and B exchange a /24 over eBGP. Labels: "This link is flapping" and "Dampening is configured here".

Route Dampening Theory (Cont.)
Figure: penalty-versus-time graph with a Damp Threshold line; annotations (not all penalty values survived extraction):
– First flap; penalty set to
– At the half-life seconds, the penalty is halved (set to 500).
– Second flap; penalty set to
– Third flap; penalty set to above the damp threshold: Dampened!
– Fourth flap, while dampened; penalty set to
– A half-life later, penalty set to
– A few seconds later, the penalty reaches the reuse threshold.
– A half-life later, penalty set to 525.
– A half-life later, penalty set to 262 and continues decreasing.
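An added example, not from the Cisco deck: a Python model of the penalty curve the slide describes. The half-life, suppress and reuse values are assumptions (the usual IOS defaults of 900 s, 2000 and 750), since the slide does not state them; `seconds_until_reuse` shows how long a run of injected flaps keeps a prefix suppressed.

```python
import math
from dataclasses import dataclass


@dataclass
class DampenedPrefix:
    """Penalty bookkeeping for one BGP prefix, following the slide's dampening
    theory. Thresholds are assumed values (common IOS defaults), not from the deck."""
    half_life: float = 900.0     # seconds for the penalty to halve
    reuse: float = 750.0         # release the route once the penalty decays below this
    suppress: float = 2000.0     # dampen the route once the penalty reaches this
    flap_penalty: float = 1000.0 # penalty added per flap
    penalty: float = 0.0
    suppressed: bool = False
    last_seen: float = 0.0       # time of the last penalty update

    def _decay_to(self, now: float) -> None:
        """Exponential decay: the penalty halves every half_life seconds."""
        self.penalty *= 0.5 ** ((now - self.last_seen) / self.half_life)
        self.last_seen = now

    def flap(self, now: float) -> bool:
        """A withdraw/re-advertise at time `now`; returns the suppressed state."""
        self._decay_to(now)
        self.penalty += self.flap_penalty
        if self.penalty >= self.suppress:
            self.suppressed = True   # dampened: route neither used nor advertised
        return self.suppressed

    def status(self, now: float) -> tuple:
        """(rounded penalty, suppressed) at time `now`, releasing the route once
        the penalty has decayed below the reuse threshold."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return round(self.penalty), self.suppressed

    def seconds_until_reuse(self) -> float:
        """Remaining suppression time from the last update, with no
        max-suppress-time cap modelled (a defender's estimate of attack impact)."""
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def injected_flaps(times, **thresholds) -> DampenedPrefix:
    """Replay a constructed timeline of flap times (seconds) against one prefix."""
    prefix = DampenedPrefix(**thresholds)
    for t in times:
        prefix.flap(t)
    return prefix
```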

Attacking Through Routing Stability Features
Diagram: routers A through E with a Best Path and a Fast Alternate Path; the attacker sends constant routing changes.

Attacking a Routing System

Attacking a Routing System
These techniques could be used to disrupt peering or to inject false routing information:
– Port flooding
– Protocol semantics peering attacks
– Compromising a legitimate member of the routing domain
– Masquerading as a member of the routing domain
– Modifying routing information passed between routers

TCP SYN Flood Attack
Using a TCP SYN flood attack to impact BGP peering. Diagram: routers A, B and C with an eBGP session; an Attacker and an Internal Attacker direct a TCP SYN flood at the peering router.

Breaking BGP Peering Session
Breaking a BGP peering session through a TCP RST. Diagram: routers A, B and C with an eBGP session; the attacker sends a TCP RST.

Breaking IGP Peering
Breaking IGP through false packet injection. Diagram: routers A and B with an IGP session; the attacker injects a false reset.

Attacks Against Peering Session
These types of attacks are possible against a peering session:
– Compromising a legitimate member of the routing domain
– Masquerading as a member of the routing domain
– Modifying routing information passed between routers

Protecting Routing Domain Legitimacy

Protecting Routers from Being Compromised
The following are general guidelines for securing routers:
– Lock down Telnet access to a router.
– Lock down SNMP access to a router.
– Control access to a router through the use of TACACS+.
– Turn off unneeded services.
– Log at appropriate levels.
– Authenticate routing updates.

Protecting Routing Information on the Wire
The best way to protect routing information on the wire is to authenticate routing protocol packets using MD5 or IPSec signatures.

IPSec Modes of Operation
Diagram of the two packet layouts:
– Transport Mode: IP Header | AH | ESP | Payload. AH authenticates the packet contents; ESP encrypts the payload.
– Tunnel Mode: IP Header | ESP | IP Header | Payload. Protects the payload, but the inner IP header is part of the payload.

Preventing IGP Attacks
Preventing IGP attacks through a domain border. Diagram: routers A, B and C run the Interior Gateway Protocol inside the Autonomous System; External BGP crosses the border, where an attacker is injecting IGP routing packets. Label: "Block all IGP packets here" (at the border).

MD5 and Peer Authentication Issues
Following are SAFE guidelines for using passwords:
– Pick hard-to-guess and hard-to-break passwords.
– Do not use the same password on a large number of devices throughout your network.
– Change passwords on a regular basis.
– Passwords that are shared outside the routing domain should not be used inside the routing domain.

TTL-Based Peering Session Protection
Diagram: routers A, B and C with an External BGP session; the attacker sends BGP attack packets toward the session.

Protecting Routing Information

Protecting Routing Information
– Beware of possible impacts of exchanging routing information with outside networks.
– Use an exterior gateway protocol for all extranet connections.
– Aggressively filter routes at the extranet edge.
– Aggressively dampen prefixes at the extranet edge.
– Limit route count at the extranet edge.

Impacts of Exchanging Routing Information
Diagram: routers A through H spanning XYZ Ltd. and UVW Corp. Labels: "Flapping Link" and "New Segment /24".

Use an Exterior Gateway Protocol for All Extranet Connections
For all connections to extranets, never use an IGP to dynamically exchange routing information with an outside routing domain.

Aggressively Filter Routes at the Extranet Edge
– The network edge should deny all routes by default, permitting only those necessary to reach the hosts and servers needed in each network.
– The outside peer should not re-advertise routes learned from one peer to other peers.
– Use Autonomous System Path filters on every external BGP peering session in a network.

Aggressively Dampen Prefixes at the Extranet Edge
Route dampening addresses concerns about constantly changing routing information impacting the stability and convergence times of local routing.

Limiting Route Count at the Extranet Edge
Prevent an outside network from overloading a network by limiting the number of routes that a router can learn through BGP from the extranet.

Extranet Connection Example
Diagram: the Big Shoes Corp. Autonomous System, the Little Shoes Corp. Autonomous System and Medium Sock Ltd. (AS65000), joined by External BGP through routers A, B, C and D. Labels: "All Servers in /24" and "All Servers in /22", with the /24 prefixes themselves not recovered.

Protecting Against Transit
Two service providers transiting traffic through ABC Ltd. Diagram: the ABC Ltd. Autonomous System sits between several other Autonomous Systems (one labelled Autonomous System 65005) and the Internet; a /24 is shown on the transit path.
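An added example, not configuration from the Cisco deck: a Python model of the extranet-edge policy the preceding slides describe (deny by default, AS-path filter, route-count limit) together with the outbound half that keeps the network from becoming transit. The ASNs, prefixes and the limit of three routes are constructed values.

```python
import ipaddress
from typing import List, Tuple

# Constructed policy values (not from the slides): private ASNs and
# documentation prefixes chosen for illustration.
LOCAL_AS = 65000
PEER_AS = 65010
PERMITTED_FROM_PEER = [ipaddress.ip_network("198.51.100.0/24")]  # partner servers
LOCALLY_ORIGINATED = [ipaddress.ip_network("203.0.113.0/24")]    # our own block
MAX_PREFIX = 3   # stands in for a neighbor maximum-prefix limit


def _inside(prefix: str, allowed) -> bool:
    """True if `prefix` falls within one of the `allowed` networks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def accept_inbound(prefix: str, as_path: List[int], accepted_so_far: int) -> Tuple[bool, str]:
    """Inbound policy on the extranet session: deny by default, permit only the
    partner's server block, require the AS path to be exactly the peer's AS (so
    routes the peer re-advertises from elsewhere are dropped), and enforce the
    route-count limit before anything else is examined."""
    if accepted_so_far >= MAX_PREFIX:
        return False, "maximum-prefix exceeded: shut the session and alert"
    if not _inside(prefix, PERMITTED_FROM_PEER):
        return False, "prefix not in permit list (deny by default)"
    if as_path != [PEER_AS]:
        return False, "AS path is not ^%d$: re-advertised or spoofed origin" % PEER_AS
    return True, "accepted"


def advertise_outbound(prefix: str, as_path: List[int]) -> Tuple[bool, str]:
    """Outbound policy: announce only prefixes we originate (empty AS path in
    the local table), never paths learned from other peers, so neighbouring
    networks cannot use this AS as transit."""
    if as_path:
        return False, "learned from another AS: advertising it would make us transit"
    if not _inside(prefix, LOCALLY_ORIGINATED):
        return False, "not one of our own prefixes"
    return True, "advertised"


def apply_inbound(updates: List[Tuple[str, List[int]]]) -> List[str]:
    """Run a batch of (prefix, AS path) updates through the inbound policy."""
    accepted: List[str] = []
    for prefix, path in updates:
        ok, _reason = accept_inbound(prefix, path, len(accepted))
        if ok:
            accepted.append(prefix)
    return accepted
```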

Filtering Routes Within a Network
Diagram: routers A through E around the Network Core; a filter blocks anything not in the /20 inbound. Several /24 prefixes and their /20 Summary are shown (the prefixes themselves were not recovered).

Transit Traffic and Traffic Segregation
Diagram: routers A through H; one path is a Transit Link with Attached Servers, the other a plain Transit Link.

Future Directions in Routing Protocols Security

Future Directions in Routing Protocols Security
Future directions in routing protocols security are:
– Protecting routing information on the wire
– Protecting against illegitimate devices joining the routing domain
– Protecting routing information

Summary

Summary
Routing is increasingly being scrutinized for security vulnerabilities and possible solutions.
Two categories of attacks against routing systems are:
– Disrupting peering
– Falsifying routing information
Routing systems are vulnerable to the following attacks:
– Port flooding
– Protocol semantics peering attacks
– Compromising a legitimate member of the routing domain
– Masquerading as a member of the routing domain
– Modifying routing information passed between routers
Routing domain legitimacy can be protected by:
– Protecting routers from being compromised
– Protecting routing information on the wire
– Protecting against illegitimate devices joining the routing domain
– Addressing other issues with MD5 and peer authentication
– TTL-based peering session protection (BGP TTL security hack)

Summary (Cont.)
SAFE practices for protecting routing information are:
– Monitor extranet connections
– Use an exterior gateway protocol for all extranet connections
– Aggressively filter routes at the extranet edge
– Aggressively dampen prefixes at the extranet edge
– Limit route count at the extranet edge
– Follow the sample extranet BGP configuration
– Monitor connections to the Internet
– Monitor connections within the network
– Filter routes within the network
Future directions in routing protocols security are:
– Protecting routing information on the wire
– Protecting against illegitimate devices joining the routing domain
– Protecting routing information