BGP Attack Tree - PowerPoint PPT Presentation

About This Presentation
Title:

BGP Attack Tree

Description:

BGP Attack Tree draft-convery-bgpattack-01.txt http://www.ietf.org/internet-drafts/draft-convery-bgpattack-01.txt Sean Convery David Cook Matt Franz – PowerPoint PPT presentation

Number of Views:48
Avg rating:3.0/5.0
Slides: 9
Provided by: SeanCo91
Category:
Tags: bgp | attack | fiji | tree

less

Transcript and Presenter's Notes

Title: BGP Attack Tree


1
BGP Attack Tree
  • draft-convery-bgpattack-01.txt
  • http//www.ietf.org/internet-drafts/draft-convery-
    bgpattack-01.txt
  • Sean Convery
  • David Cook
  • Matt Franz

2
Motivations
  • Develop formal analysis of potential threats to
    and using BGP from the adversarys perspective
  • Create threat profile useful for evaluating BGP
    security improvements
  • Provide foundation for vulnerability testing of
    new and existing BGP implementations
  • Facilitate repeatable testing methodology by
    third parties
  • Organize the material in a modular and reusable
    way

3
Why Attack Trees?
  • Provide well documented method of exploring every
    possibility an adversary has (technical and
    non-technical).
  • Data presentation in tree format allows
  • Easy gap identification
  • Selective elaboration based on location in the
    tree
  • Ability to assign attributes for nodes of the
    tree
  • Impact of the attack
  • Ease of attack execution
  • Cost of the attack
  • Presence of countermeasures (such as best
    practices)
  • Access/trust requirements to conduct attack
  • http//www.ddj.com/documents/s896/ddj9912a/9912a.
    htm
  • http//www.cert.org/archive/pdf/01tn001.pdf

4
Changes Since version 00
  • Minor spelling, wording fixes
  • Merged tree element 2.1.1.3.1 with 2.1.1.3.1.1
  • Fixed tree mistake in 2.1.3.2.2
  • Clarified definition of permissive router in
    section 2.1.2
  • Fixed ORs in 2.1.5.3 and 2.1.5.4
  • Reworked 2.1.5.4.1 (Update flooding) per list
    comments
  • Clarified 2.1.3 based on list comments
  • Added reference to NANOG BGP testing prezo and
    integrated portions of results into draft
  • http//www.nanog.org/mtg-0306/pdf/franz.pdf
  • Switched to mnemonic references instead of
    numbers

5
Some Fun from the NANOG Talk
  • NANOG / BlackHat Talk had numerous tests
    performed, for more info, check out the whole
    talk. These next 3 slides are just a quick
    sample.
  • One Goal was to non-intrusively assess basic BCP
    adoption through probes from an arbitrary IP
    address
  • Limit scanning to prevent production impacta
    single SYN with no retries
  • Build table of potential BGP speakers by running
    traceroutes to approx. 120,000 hosts (one for
    each CIDR block in the Internets route table)
  • Probes
  • Send 1 x TCP SYNs to ports 22, 23, 80, 179
  • Embed message in payload identifying probes as
    non-malicious
  • Measure response (SYN ACK, RST, No Response)
  • Send BGP OPEN to those that SYN-ACK on port 179
  • Sessions used an unused AS
  • Record BGP message that is returned

6
Active ISP Survey Results (Summary)
  • SSH daemons 6,349
  • Telnet daemons 10,907
  • HTTP Servers 5,565
  • 16,815 routers were reachable on at least one
    admin interface (14.5 of probed routers)
  • Based only on receipt of SYN-ACK, so daemons
    that you can actually connect() to could be lower!
  • Total non-1918 routers probed 115,466
  • BGP Speakers
  • SYN-ACK - 4,602
  • RST - 3,088
  • No Response - 107,777
  • BGP Open Test Results
  • OPEN / NOTIFICATION - 1,666
  • AUTH FAIL - 1635
  • CEASE - 11
  • BAD AS - 20
  • NOTIFICATION ONLY - 84
  • AUTH FAIL - 1
  • CEASE - 83
  • RST - 264
  • Connect (No Data) - 2,147

7
Admin Port Reachability (by Country)
Country Total Probed Routers Percentage Admin Reachable
Maldives 10 0
Gibraltar 16 0
Iceland 34 2.94
Kazakstan 80 3.75
Fiji 23 4.35
USA 56481 14.22
Average -- 14.5
Canada 4555 15.32
Kyrgyzstan 19 52.63
French Polynesia 12 58.33
Tanzania 10 60
Uzbekistan 25 68
Bahamas 15 73
Several countries had either 100 of their
routers accessible or 0 but were not counted
since there were less than 10 routers probed in
each of these countries. Honorable
Mentions Spain - 878 (5.13) France - 1820
(6.48) Great Britain - 4005 (7.72)
8
Next Steps
  • Accept as a working group item?
  • Doc needs more review

Thanks!
Write a Comment
User Comments (0)
About PowerShow.com