Securing BGP

Feb 25, 2022

If your company speaks BGP and announces public prefixes to your ISP(s), then you should be securing your BGP peerings. This is one of the defense in depth steps that should be taken to ensure that your public IP prefixes are not hijacked and redirected to a malicious actor.

One example would be you owning and announcing the IP block 133.32.95.0/24. All your public/internet-facing servers have an IP address allocated in this range, which allows general internet users to access your servers, most likely HTTP/S web servers. You advertise 133.32.95.0/24 to your upstream ISP via a BGP peering, and your ISP then announces that prefix to the world. A malicious actor on the other side of the world configures their router and their BGP peering with their ISP to start advertising 133.32.95.0/24, as the ISPs in some countries aren't as strict and allow any prefix to be learnt from a customer. Within that hijacker's region, traffic for 133.32.95.0/24 will be routed to the malicious actor, as their announcement is the lower cost/metric path within that region. General public traffic to 133.32.95.0/24 is now routed to the malicious actor's servers, allowing them to potentially compromise hosts.

There are several ways to mitigate such an attack, covered below.

1.       IRR and RPKI. IRR, or Internet Routing Registry, is a mechanism for validating the contents of BGP announcement messages by mapping an origin AS number to a list of networks, though IRR is somewhat superseded by RPKI. Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate a BGP route announcement (prefixes) with the correct originating AS number. This may sound complicated, but RIRs such as APNIC make it easy to enable on their portal. The link below gives details on how to enable RPKI.

https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/
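To show what a signed ROA actually does for the hijack scenario above, here is a small Route Origin Validation check (RFC 6811) written as an added example; it is not code from the original post, and routers do not compute this themselves but learn validated ROAs from an RPKI validator cache. The ROAs and announcements are constructed: 133.32.95.0/24 is the prefix from the post, AS64500 stands for the legitimate owner and AS64510 for the hijacker (both are documentation ASNs), and the other prefixes are documentation ranges.

```python
"""Route Origin Validation (RFC 6811) against a set of RPKI ROAs.

Added example, not code from the original post. The ROAs and announcements
are constructed: 133.32.95.0/24 is the prefix from the post's scenario,
AS64500 stands for the legitimate owner and AS64510 for the hijacker
(both are documentation ASNs), and the other prefixes are documentation
ranges.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, NamedTuple, Optional, Union

Net = Union[IPv4Network, IPv6Network]


class ROA(NamedTuple):
    prefix: Net         # covering prefix as signed in the ROA
    max_length: int     # longest prefix length the origin AS may announce
    origin_as: int      # AS authorised to originate the prefix


class Announcement(NamedTuple):
    prefix: Net
    origin_as: int      # rightmost AS in the AS_PATH of the BGP UPDATE


def roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix's own length, as RIR portals do."""
    net = ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_as)


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    covering = [r for r in roas
                if r.prefix.version == ann.prefix.version
                and ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"      # no ROA covers the prefix, so ROV cannot judge it
    for r in covering:
        if r.origin_as == ann.origin_as and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    # Covered by at least one ROA, but no ROA matches both origin AS and length
    return "invalid"


SAMPLE_ROAS = [
    roa("133.32.95.0/24", 64500),        # our /24; maxLength defaults to 24
    roa("2001:db8::/32", 64500, 48),     # IPv6 block; /32 through /48 may be originated
]

SAMPLE_ANNOUNCEMENTS = {
    "legitimate": Announcement(ip_network("133.32.95.0/24"), 64500),
    "hijack_same_prefix": Announcement(ip_network("133.32.95.0/24"), 64510),
    "hijack_more_specific": Announcement(ip_network("133.32.95.0/25"), 64510),
    "own_more_specific": Announcement(ip_network("133.32.95.0/25"), 64500),
    "ipv6_within_maxlength": Announcement(ip_network("2001:db8:1::/48"), 64500),
    "no_roa": Announcement(ip_network("198.51.100.0/24"), 64510),
}


def classify_samples() -> Dict[str, str]:
    """ROV outcome for every constructed announcement."""
    return {name: validate(a, SAMPLE_ROAS) for name, a in SAMPLE_ANNOUNCEMENTS.items()}


if __name__ == "__main__":
    for name, outcome in classify_samples().items():
        print(f"{name:24s} {outcome}")
```

Two outcomes are worth noticing. The hijacker's announcement of the same /24 is invalid because the origin AS does not match the ROA, and a more-specific /25 from either AS is invalid because it exceeds the ROA's maxLength of 24. Keeping maxLength as tight as possible is what makes a more-specific hijack invalid, so if you do need to originate more-specifics, create ROAs for them explicitly rather than loosening maxLength on the covering prefix. Whether an invalid route is dropped or merely deprioritised is up to each network's policy.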

2.       Best practice is to enable Infrastructure ACLs on your internet-facing connection to your ISP, permitting a BGP peering only from your upstream ISP's IP. This will potentially stop any malicious BGP peering attempts or attacks against BGP security vulnerabilities. The Cisco page below has examples on this topic.

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html

3.       Another BGP security feature is BGP MD5 passwords/authentication. Like Infrastructure ACLs, this would stop a malicious peering attempt on your BGP routers.

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/112188-configure-md5-bgp-00.html
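The "MD5 password" is the TCP MD5 signature option (RFC 2385): every segment of the BGP session carries a digest over the segment and a shared key, so a peer that does not hold the key cannot inject segments into the session or even open one. The following is an added example, not code from the original post or from Cisco, showing what the router's TCP stack does per segment; addresses, ports and the key are constructed placeholders.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind "BGP MD5 passwords".

Added example, not code from the original post. It signs a minimal TCP
segment carrying a BGP KEEPALIVE with a shared key and shows the receiving
side rejecting segments signed with the wrong key, altered in flight, or
not signed at all. Addresses, ports and the key are constructed
placeholders; on a real router the kernel TCP stack does this per segment.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

TCP_PROTO = 6
BGP_PORT = 179
TCPOPT_MD5 = 19        # option kind for the MD5 signature option
MD5_OPT_LEN = 18       # kind (1) + length (1) + 16-byte digest
OPTIONS_LEN = 20       # NOP, NOP, MD5 option -> 4-byte aligned option area


def fixed_header(sport, dport, seq, ack, flags, data_offset_words):
    """20-byte TCP header with checksum and urgent pointer zero."""
    offset_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key):
    """MD5 over pseudo-header, fixed header (checksum zero, no options), data, key."""
    seg_len = len(header) + options_len + len(payload)
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(header)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: compute the digest and place it in the option area.

    The TCP checksum is left at zero; a real stack fills it in after signing.
    """
    words = (20 + OPTIONS_LEN) // 4
    header = fixed_header(sport, dport, seq, ack, flags, words)
    digest = tcp_md5_digest(src_ip, dst_ip, header, OPTIONS_LEN, payload, key)
    options = b"\x01\x01" + bytes([TCPOPT_MD5, MD5_OPT_LEN]) + digest
    return header + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: True only if the segment carries a digest made with `key`."""
    header = bytearray(segment[:20])
    header_len = (header[12] >> 4) * 4
    options = segment[20:header_len]
    payload = segment[header_len:]
    received = None
    i = 0
    while i < len(options):            # walk the option list looking for kind 19
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False               # malformed option length
        length = options[i + 1]
        if kind == TCPOPT_MD5 and length == MD5_OPT_LEN:
            received = bytes(options[i + 2:i + MD5_OPT_LEN])
        i += length
    if received is None:
        return False                   # signed sessions drop unsigned segments
    header[16:18] = b"\x00\x00"        # hash with the checksum field zeroed
    expected = tcp_md5_digest(src_ip, dst_ip, bytes(header), len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    src, dst = "192.0.2.1", "192.0.2.2"              # TEST-NET-1 placeholders
    key = b"constructed-shared-secret"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"       # BGP KEEPALIVE: marker, length 19, type 4
    flags = 0x18                                     # PSH | ACK
    seg = build_signed_segment(src, dst, 40000, BGP_PORT, 1000, 2000, flags, keepalive, key)
    unsigned = fixed_header(40000, BGP_PORT, 1000, 2000, flags, 5) + keepalive
    return {
        "correct_key": verify_signed_segment(src, dst, seg, key),
        "wrong_key": verify_signed_segment(src, dst, seg, b"guess"),
        "tampered": verify_signed_segment(src, dst, seg[:-1] + b"\x05", key),
        "unsigned": verify_signed_segment(src, dst, unsigned, key),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

Because the IP addresses, the zero-checksum TCP header and the payload are all under the digest, a segment from another source address, with a changed byte, or without the option fails verification before TCP processes it, which is why the option also protects an established session against spoofed RST segments. MD5 is the legacy mechanism; where both ends support it, TCP-AO (RFC 5925) is the stronger replacement, but either one should be combined with the infrastructure ACL from point 2 rather than used on its own.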

Sometimes setting up BGP is hard, and securing BGP is often forgotten or put in the "too hard basket", but most of the topics above are relatively easy to configure and will only strengthen your cyber security posture. The NSA has a document covering more BGP security topics which should help you secure your network.

https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-guide-to-border-gateway-protocol-best-practices.pdf