In an article in Wired (Flaw Could Cripple Entire Net) Paul Watson is said to claim that he can reset TCP sessions " with as few as four attempts". I have a hard time believing this, but we'll have to see thursday, when all will be revealed. An attacker still needs to know the IP addresses for both sides and the appropriate TTL (simple) and the port numbers used on both sides. The latter may or may not be trivial: routers typically start using ephemeral ports at a fixed number after booting, so for the first few BGP sessions this should be relatively easy to guess. However, a router that has been running for a while and has lots of BGP sessions (which is common on internet exchanges), these port numbers are well randomized within the range used by the system, which is typically at least 4000 ports.
So if Paul Watson is correct it may be possible to reset sessions with less than a hundred to a few thousand packets. This takes only moments. If he isn't, but the router has few BGP sessions, port numbers are easily guess-able and the default window size of a little less than 16k makes it possible to reset sessions with about 250 thousand packets per port combination, which is in line with reports that people were able to do this in the lab within about half an hour. This is short enough to incur flap dampening difficulties if it happens repeatedly.
So what can we do?
The MD5 option is also a double edged sword because it opens the door to CPU exhaustion based denial of service attacks. In theory the crypto should only be done when the packet passes all regular TCP checks, but in reality this isn't the case so making the CPU burn cycles on MD5 hashing should be easier to do for an attacker than sending a successful RST. Based on the information I have right now, I believe the upsides of having MD5 on peering sessions with relatively small peers over exchanges don't outweigh the downsides, as the work and the MD5 DoS risks are the same for small peers, but the damage when a session breaks is fairly negligible.
For very large peers and especially transit connections, the situation is different: the instability caused by session resets can be significant, so MD5 is a good idea here.
! interface gigabit3/0 hold-queue 2048 in ! router bgp 12345 timers bgp 1 180 !
Lines in a Cisco access list for filtering BGP TCP RSTs look like this:
access-list 123 deny tcp any any eq bgp rst log-input access-list 123 deny tcp any eq bgp any rst log-input(Note that some legitimate hits are possible if a BGP session is only configured on one router.)
These must be applied on input on interfaces that may received spoofed RSTs (i.e., external connections, but also customer facing connections if those don't have proper anti-spoofing filters). The log-input keyword makes sure the interface and sometimes the MAC address of the system that sent the offending packet are logged. This is very useful on shared/switched media interfaces such as internet exchanges. Don't worry about overwhelming the router with logging information too much, as this is rate limited. (However, having log-input in place when a full-fledged DoS attack is in progress isn't advisable either.)
The referrer log for this site can be interesting reading at times. It seems several people have landed here when looking for information for the BGP TCP MD5 option and IPv6. Despite the fact that RFC 2385 doesn't mention IPv6, it's possible to have an MD5 password on IPv6 BGP sessions. At least, it is in recent IOS versions. I have a very old one that allows this to configured but it doesn't compute the checksum correctly. I assume this is particular to this specific version (from 1999), though.
Someone else seemed interested in BGP and Apple. Good news: under Panther, Zebra 0.94 compiles without trouble, so it's possible to run BGP on a Mac. Juguar/Zebra 0.93b didn't work for me.
Permalink - posted 2004-04-21
Rumors have been floating around for days, as the referrer log for this site shows large numbers of people looking for "BGP hack" and "BGP MD5". But the cat is out of the bag now:
NISCC Vulnerability Advisory 236929
Please see the page linked above for detailed information. The short version is that TCP sequence numbers turn out much easier to guess than assumed until now, which makes long-lived TCP sessions vulnerable to reset attacks. Since BGP sessions can remain for days, weeks or even months, and other pertinent information is relatively easy to find, BGP is the protocol most affected by this vulnerability.
Fortunately, the BGP TCP MD5 option protects against exactly this problem. Enable it if at all possible. Most, if not all, routers support it. The option is enabled on Cisco routers as follows:
! router bgp 12345 neighbor 192.168.0.1 password use-upto-80-characters !
However, this will break any running BGP sessions so coordinate the change closely with the remote AS.
Since this mechanism operates at the TCP level, host-based routers such as Zebra or Quagga running on BSD or Linux typically don't support this option. However, there is some rudimentary support in both OSes, see the SANS advisory.
Note: The "BGP TTL hack" or GTSM (see below or above) also offers protection against the TCP vulnerability, without adding the MD5 crypto overhead. And good anti-spoofing filters do the same, but the problem there is that the other AS also needs to implement them, something that can't be assumed.
It seems the actual risks aren't as bad as the reports seem to indicate at first glance. I'll post a more detailed analysis later, but from discussions on NANOG it seems the only new aspect is that previously people didn't realize that the RST packet could have any sequence number that falls inside the receive window on the potential victim, which is often around 16k. This means the attacker only has to guess the first 18 bits of the sequence number rather than the full 32 bits. However, she also needs to guess both port numbers, which makes the number of possible combinations an attacker must try around a billion, which amounts to a DoS attack of 10000 packets per second for more than a day.
Permalink - posted 2004-04-20
At the NANOG 26 meeting in october 2002, Dave Meyer presented a very simple proposal to protect BGP sessions against attacks: set the TTL to 255 on outgoing packets, and check whether the TTL in received packets is equal to 255. Since routers always lower the Time To Live (or Hop Limit in IPv6) when forwarding a packet, and routers discard packets with a TTL of 0, there is no way for anyone who isn't attached to the subnet in question to inject packets with a TTL of 255 into a subnet. RFC3682 was published in february and describes the details of the "Generalized TTL Security Mechanism (GTSM)".
Cisco has now included GTSM into IOS release 12.3(7)T, as explained in the feature guide. It seems there are some interesting caveats. First of all, Cisco states that enabling the feature using the neighbor ... ttl-security command will only enable the check for incoming packets and not change any behavior as to outgoing packets. So this must mean they always use a TTL of 255 for outgoing packets now. However, older IOS versions set the TTL for BGP packets to 1 (in the absence of any ebgp-multihop settings). If this is the case, then detecting whether a neighbor is directly connected won't be very reliable right now. Then again, Cisco says the feature must be configured on both ends of an eBGP session (no support for iBGP as of yet) which seems to contradict this.
Another thing is that they look for a TTL of 254 or higher. This suggests that for incoming packets with a TTL of 255, they first decrease the TTL and then go on to process the TCP segment. Again, this is not how things work in older IOS versions, as it's perfectly possible to set the TTL to 0 and still interact with a Cisco router on the local subnet. So unless something changed in this regard as well, accepting a TTL of 254 means that there can still be a router in between!
Note that this mechanism only offers protection against attacks on port 179 of a router from "far away". Anyone on the local subnets still gets to do whatever they please and the content of the BGP sessions isn't protected any better than before.
Permalink - posted 2004-04-08
It has been a while since the last news posting. My apologies for that. Here is something to hold you over until I can find some real news:
When perusing the HTTP referrer log, I noticed that a lot of people are finding this site in search of "bgp+2500" or something similar. So... is it possible to run BGP on a Cisco 2500 router?
The short answer is "yes". The IOS images for the 2500 support BGP, including BGP for IPv6. (They do not, however, support OSPF for IPv6 even though OSPF for IPv4 is supported and the "ipv6 router ospf" command may exist. Same thing for IS-IS: the command exists, but the protocol isn't present in any of the 2500 images.)
The slightly longer answer is that a 2500 is of limited use for inter-domain routing. Actually way back when I got started with BGP I used a 2514 with 16 MB RAM and it could hold the entire 35000 or so entry global routing table. From two upstreams even, if I remember correctly. However, in the mean time the global routing table has gotten four times as big, and the 2500's memory limit is still 16 MB. The fact that the 2500 series sports a 68030 CPU doesn't really help either. All of this means that you can only run BGP on a 2500 if you don't send it more than a few thousand routes. You also shouldn't send it a full feed and have the 2500 filter out the unwanted routes, as this will tax the CPU too much and make for many-minute convergence times.
Note that even 35000 routes wouldn't work anymore today, as modern IOS images need a lot more memory for their internal house keeping. On bigger routers it gets even worse because unlike the 2500, those can't run their software from flash, so it must be copied to RAM. Additionally, the switching path of choice is CEF these days, which takes a lot of memory. (Without CEF you'll be using fast switching which uses just as much memory but only when needed, so it's not only the CPU that melts down but you also run out of memory when a slammer-like worm hits.)
So you may be able to get away with a full table on a Cisco with 128 MB RAM (or you may not), but 256 MB gives you much more elbow room. Unfortunately, Cisco still makes boxes that can run BGP but won't take enough memory to do so properly. A good example are the 3550 series multilayer switches.
Permalink - posted 2004-03-31
IPv6-enabled operating systems such as Windows, Linux and FreeBSD all come with a web browser that also supports IPv6 and prefers IPv6 when both IPv4 is available. Things are slightly different with Safari, Apple's browser application. Initially, Safari only supported literal IPv6 addresses and some corner case DNS names. In the current version, Safari will do IPv6 if no IPv4 address is available, but it won't prefer IPv6 over IPv4 or fall back to IPv6 when IPv4 doesn't work.
However, Nicholas Humfrey has come up with a trick. By enabling Safari's debug mode and switch off one of the two HTTP loaders that are normally used, Safari will prefer IPv6 when it's available. See the Mac OS X hints article that Nick posted for the details.
Permalink - posted 2004-01-28