Mikrotik BGP Security: Rofiq Fauzi

This document discusses Border Gateway Protocol (BGP) security and prefix hijacking attacks. It provides background on BGP, explaining that BGP allows exchange of routing information between autonomous systems on the Internet. It notes that full trust between BGP peers is a weakness that can allow wrong routing information to spread. Prefix hijacking is described as a misbehavior where a router originates a route for an IP prefix it does not own. Attackers can hijack prefixes by announcing more specific or less specific routes than the legitimate owner. A demo is proposed to show BGP security techniques using a GNS3 topology with MikroTik routers.
The Biggest MUM in the World

MikroTik BGP Security
Rofiq Fauzi
Jogjakarta, Indonesia
About Rofiq Fauzi
• Using MikroTik (v.2.97) since 2005, as Network Engineer at a WISP.
• 2007, Network & Wireless Engineer at INDOSAT Central Java Area
• 2008, IT Network & Telco Procurement at INDOSAT HQ
• 2012-Now, MikroTik Consultant & Certified Trainer (MTCNA, MTCRE, MTCTCE, MTCWE, MTCUME, MTCINE) at ID-Networkers (PT Integrasi Data Nusantara).
• 2013-Now, Network Manager at WISP Indomedianet, Indonesia
• 2013-Now, Network Consulting Engineer at Connexin Limited, Hull, UK

CONSULTANT: http://www.mikrotik.com/consultants/asia/indonesia
CERTIFIED TRAINER: http://www.mikrotik.com/training/partners/asia/indonesia

ID Networkers | Training-mikrotik.com
Expert Trainer and Consultant
About ID-Networkers
EXPERT LEVEL TRAINERS & CONSULTANTS in the Most Prestigious Networking Certifications

OVERVIEW
We are young entrepreneurs, and we are the only training partner and consultancy with expert-level trainers in the most prestigious networking certifications (CCIE Guru, JNCIE Guru and MTCINE Guru), of which there are very few in Indonesia, or even in Asia. Hundreds of our students pass their certification exams every year. We are the biggest certification factory in Indonesia.

WEBSITE
www.id-networkers.com
About BGP
• BGP is one of many dynamic routing protocols
• The Internet is formed by BGP routing
• Designed to exchange routing and reachability information between autonomous systems (AS) on the Internet
• BGP also has the capability to carry information about diverse routed protocols (ipv4, ipv6, l2vpn, vpnv4)
Interior and Exterior Gateway Protocol (figure)
Interior and Exterior Gateway Protocol
• Interior Gateway Protocol (IGP)
Handles routing within an Autonomous System (one routing domain). It can be said that an IGP is routing that works inside our own network, where all routers belong to us.
• Exterior Gateway Protocol (EGP)
Handles routing between Autonomous Systems (inter-domain routing). It can be said that an EGP is routing between our networks and networks that are not ours.
Autonomous Systems (AS)
• An AS is a combination of networks and routers, usually under one ownership or control, that uses a similar routing protocol.
• AS numbers are 16 bit, written in decimal (0 - 65535)
• Range 1 - 64511 is used on the Internet
• Range 64512 - 65535 is used for private AS numbers
• With 16-bit AS Numbers, only around 65,000 unique numbers are possible.
• The introduction of 32-bit ASNs increases the supply of AS Numbers to four billion.
• AS Number allocation is managed by IANA
BGP between AS in the Internet (figure)
IN BGP WE TRUST
Full trust between BGP peers is one of the weaknesses of the protocol.

(figure: LEAK -> X -> the rest of the Internet)
Mr Leak gives wrong information to Mr X. Mr X gives right information, but it comes from a wrong source.
Wrong information will spread to all.
The Internet’s Vulnerable Backbone (figure)
General Types of BGP Attacks
• Prefix Hijack
• Denial of service
• Creation of route instabilities (flapping)
Prefix Hijack
• Prefix hijacking is a misbehavior in which a misconfigured or malicious BGP router originates a route to an IP prefix it does not own.
• It is becoming an increasingly serious security problem in the Internet.
How Attackers Can Hijack BGP (figures)
Demo
Topology (figure)
Demo
Install GNS3. If you don’t know how to install MikroTik on GNS3, follow our previous MUM presentation slides at: www.mikrotik.com/presentations/ID13/rofiq.pdf
• Create the topology (slide 15)
• Configure BGP peering between all AS; don’t forget that AS 234 uses iBGP peering (mesh peering or route reflector)
• Create a loopback interface (bridge interface) on Router1 and Router6, and put IP 1.1.1.1/32 on both bridge interfaces.
• On Router6, in the Routing > BGP > Network menu, advertise network 1.1.1.1/32
• Check on Router1: in IP > Route we can see prefix 1.1.1.1 with AS path 234,600, which means prefix 1.1.1.1/32 originated from AS 600
• On Router1, in the Routing > BGP > Network menu, advertise network 1.1.1.1/32 too
• Check on Router1: in IP > Route, prefix 1.1.1.1 will change its AS path to 234,100
DDOS Attack
• One denial of service (DDOS) happens on the MikroTik router’s Winbox service when the attacker continuously requests part of a .dll/plugin file
• It raises the router’s CPU to 100% and causes other actions. The “other actions” depend on the RouterOS version and the hardware.
• For example, on MikroTik Router v3.30 there was LAN corruption, BGP failure and whole-router failure
• MikroTik Router v2.9.6: BGP failure
• MikroTik Router v4.13: unstable wifi links
• MikroTik Router v5.14/5.15: rarely, stacking
• Behaviour may vary, but ALL will have CPU at 100%. Most routers lose BGP after a long attack

Ref: http://www.133tsec.com/2012/04/30/0day-ddos-mikrotik-server-side-ddos-attack/
Demo Attack
• Download the testing script from http://www.133tsec.com/wp-content/uploads/2012/04/mkDl.zip
• Extract it in your C folder
• Run it in your Windows command prompt:
C:\> mkDl.py <RouterIPAddress> * 1
• Watch your router CPU usage

Warning! This content and tool are for educational purposes only. I am not responsible for anything that might happen to you or your routers if you use it to DDOS your router, or for any damage or error it causes.
Defend BGP Attacks
• Good BGP Router Configuration
• Detect False Route Announcements
• RPKI
Good Router Configuration
Use routing filters to control prefix exchange between BGP peers

In Filters
• Don’t accept your own prefixes
• Don’t accept RFC 1918 (private IP address) and other reserved ones (RFC 5735)
• Don’t accept default route (unless you need it)
• Don’t accept prefixes longer than /24
• Don’t accept BOGON prefixes
• Limit your Max Prefix
• Limit AS_PATH length
Out Filters
• Announce only owned prefixes (in case you do not provide transit to other AS’s)

Credit to Wardner Maia, ref: http://mdbrasil.com.br/en/downloads/1_Maia.pdf
MikroTik Routing Filter
• http://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters
• An easy way to manage and filter received and propagated prefixes in MikroTik RouterOS.
• An easy way to set any routing parameters
• Uses the IP firewall filter algorithm (if-then conditions)
• Can be assigned to a BGP instance (out-filter only) and to a BGP peer (in and out filter)
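The "Good Router Configuration" in/out filter list, written as RouterOS v6 routing-filter rules for the demo topology. This is an added example, not from the slides or from ID-Networkers: it assumes the router is in AS 600 and owns 1.1.1.1/32 (the demo prefix), that the upstream BGP peer entry is named peer-234 (hypothetical), and that the max-prefix and AS_PATH-length thresholds are placeholders to tune for your network.

```routeros
# Added example, not from the slides: RouterOS v6 routing-filter rules for the
# demo topology. Assumes this router is in AS 600 and owns 1.1.1.1/32, that the
# upstream BGP peer entry is named "peer-234" (hypothetical), and that the
# max-prefix and AS_PATH-length values are placeholders to tune for your network.
/routing filter
# ---- In filter (chain bgp-in): what we refuse to learn from the peer ----
# Our own prefix: never accept it from outside. For a larger block, e.g. a /22,
# use prefix-length=22-32 so more-specific hijacks of it are dropped as well.
add chain=bgp-in prefix=1.1.1.1/32 prefix-length=32 action=discard
# Default route (unless you need it)
add chain=bgp-in prefix=0.0.0.0/0 prefix-length=0 action=discard
# RFC 1918 private space
add chain=bgp-in prefix=10.0.0.0/8 prefix-length=8-32 action=discard
add chain=bgp-in prefix=172.16.0.0/12 prefix-length=12-32 action=discard
add chain=bgp-in prefix=192.168.0.0/16 prefix-length=16-32 action=discard
# Other reserved / bogon space (RFC 5735)
add chain=bgp-in prefix=0.0.0.0/8 prefix-length=8-32 action=discard
add chain=bgp-in prefix=127.0.0.0/8 prefix-length=8-32 action=discard
add chain=bgp-in prefix=169.254.0.0/16 prefix-length=16-32 action=discard
add chain=bgp-in prefix=192.0.2.0/24 prefix-length=24-32 action=discard
add chain=bgp-in prefix=224.0.0.0/3 prefix-length=3-32 action=discard
# Anything longer than /24
add chain=bgp-in prefix=0.0.0.0/0 prefix-length=25-32 action=discard
# Limit AS_PATH length: accept only routes with at most 30 ASes in the path
# (placeholder threshold); everything else falls through to the final discard.
add chain=bgp-in bgp-as-path-length=0-30 action=accept
add chain=bgp-in action=discard

# ---- Out filter (chain bgp-out): announce only what we own (no transit) ----
add chain=bgp-out prefix=1.1.1.1/32 prefix-length=32 action=accept
add chain=bgp-out action=discard

# Bind both chains and a max-prefix limit to the peer; if the peer exceeds the
# limit (placeholder value) the session is torn down and retried after 1h.
/routing bgp peer
set [find name=peer-234] in-filter=bgp-in out-filter=bgp-out max-prefix-limit=500000 max-prefix-restart-time=1h
```

Note that the own-prefix rule only protects AS 600's own routing table: in the demo, AS 234 would need the same kind of in-filter on its peering with AS 100 to stop Router1's bogus 1.1.1.1/32 from propagating to everyone else.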
MikroTik Routing Filter (figure)
Detect False Route Announcements
https://stat.ripe.net/widget/bgplay (figure)
Detect Route Flapping
Detect routing table size (the script below is entered at the RouterOS console, so the inner quotes and $ signs are escaped):

/system scheduler
add interval=5m name=schedule1 on-event=detect-route start-time=startup

/system script
add name=detect-route source=":local routeSize [/ip route print count-only]; :if (\$routeSize > 5400000) do={/log error \"Your routing table is \$routeSize, Routing table abnormal\"} else={/log warning \"Your routing table size is \$routeSize, normal!\"}"
Detect Route Flapping (figure)
RPKI (Resource Public Key Infrastructure)
• http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
• RPKI is a first step to secure BGP
• It allows certifying (and verifying) that a prefix is advertised by its original AS (in other words, that an IP points to its legitimate owner)
• Not yet supported by MikroTik RouterOS 6
• Will be included in RouterOS V7 ???
If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.

CONTACT
ADDRESS: Jakarta & Semarang, Indonesia
WEBSITE: www.training-mikrotik.com
EMAIL: [email protected]
TELEPHONE: +62 8156583545
@mymikrotik
www.facebook.com/ropix
id.linkedin.com/in/ropix/
rofiq.fauzi

THANK YOU FOR YOUR TIME

“If you cannot survive the tiredness of learning, then you will suffer the pain of stupidity” (Imam Syafi’i)