
BGP Security

BGP is a critical component of the internet: bring BGP down and you bring the internet down, or at least large portions of it. The problem is that BGP is highly vulnerable to many types of attacks because of the way it is implemented.

BGP runs over TCP on port 179 and inherits all the common TCP attacks such as replay, man-in-the-middle and DoS. In addition, BGP as an application has its own set of attacks against its implementation and its messages.

If you want to know how severe an attack against BGP can be, check out the six worst internet routing attacks.

A lot of effort and many projects are currently going into solving those known vulnerabilities of BGP and providing a more secure and stable internet. Some of them are run by governments, research centers or even internet communities. The Secure BGP project (S-BGP) and Secure Origin BGP (SO-BGP) are examples.

However, realistically none of these is going to be widely implemented or deployed soon, and I believe the transition will take years. Unfortunately, until we see the day of S-BGP or something like it, we have to harden our BGP peering sessions ourselves.

Below are some tips:

  • First of all, harden your router. Make sure no unauthorized person can ever gain access to your network equipment, or you may easily find yourself the source of the next internet attack.
  • Make sure your address allocation information, peering information, passwords, etc. are up to date in the internet registry databases. Some Tier 1 providers use this information to enforce security policies.
  • Always use MD5 authentication when establishing your peering sessions. This protects you against most TCP attacks, or at least makes them a lot harder for the attacker.
  • Always be specific in your routing policies. Make sure you are accepting and advertising the right information through explicitly configured routing policies, and never leave it to chance.
  • Make sure that you are receiving and advertising what you expect, especially from your customers. You can also use features like maximum-prefix limits and maximum AS-path length limits, which protect you and your customer, especially from human mistakes such as a multihomed customer accidentally becoming a transit AS.
  • Finally, do your normal housekeeping. Keep an eye on your BGP, use logging and monitoring tools, and be proactive about any abnormal behaviour or statistics related to your internet routing.
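To make the last two tips concrete, here is a small Python model of an inbound policy for a customer session. It is an added example, not code from the post or from any router vendor, and it deliberately simplifies: the customer's AS number, its registered address space, the maximum-prefix value and the allowed number of prepends are all constructed sample values, and the "session down" behaviour is emulated rather than taken from any real implementation. It shows the three checks a stub-customer policy usually enforces: the announced prefix must fall inside address space the customer is known to hold, the AS-path must consist only of the customer's own AS (a foreign AS in the path is the tell-tale sign of a customer accidentally becoming transit), and prepending is allowed only up to an agreed number of copies; accepted prefixes are then counted against a maximum-prefix limit.

```python
"""Toy inbound policy for a customer BGP session (added example, not from the post).

Checks modelled: prefix must be inside the customer's registered space, the AS-path
may contain only the customer's own AS (repeated at most N times), and accepted
prefixes count against a maximum-prefix limit. All names and values are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class CustomerPolicy:
    asn: int                  # the customer's AS number (constructed)
    allowed: list             # networks the customer is registered to hold (constructed)
    max_prefixes: int = 100   # maximum-prefix limit for the session
    max_prepends: int = 3     # at most this many copies of the customer's AS in the path


def check_update(prefix, as_path, policy):
    """Validate one announcement; return (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    # Prefix must be covered by a network the customer is known to hold.
    # The version check avoids subnet_of() raising on mixed IPv4/IPv6 comparisons.
    if not any(net.version == a.version and net.subnet_of(a) for a in policy.allowed):
        return False, "prefix outside customer address space"
    if not as_path:
        return False, "empty AS-path"
    # A stub customer may only announce its own AS; anything else in the path
    # means the customer is leaking someone else's routes (transit by mistake).
    if set(as_path) != {policy.asn}:
        return False, "AS-path contains an AS other than the customer's"
    # Prepending is fine, but only up to the agreed number of copies.
    if len(as_path) > policy.max_prepends:
        return False, "more than %d copies of AS%d" % (policy.max_prepends, policy.asn)
    return True, "ok"


def filter_session(updates, policy):
    """Apply the policy to (prefix, as_path) pairs and emulate maximum-prefix."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_update(prefix, as_path, policy)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
        if len(accepted) > policy.max_prefixes:
            # A real router would tear the session down here; we just stop.
            return accepted, rejected, "session down: maximum-prefix exceeded"
    return accepted, rejected, "session up"


# Constructed sample using documentation ranges only (RFC 5737, RFC 3849, RFC 5398).
SAMPLE_POLICY = CustomerPolicy(
    asn=64500,
    allowed=[ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")],
    max_prefixes=4,
    max_prepends=3,
)
SAMPLE_UPDATES = [
    ("192.0.2.0/25", [64500]),                  # own space, plain path: accept
    ("192.0.2.128/25", [64500, 64500, 64500]),  # three copies: accept
    ("198.51.100.0/24", [64500]),               # not their space: reject
    ("192.0.2.0/24", [64500, 64496]),           # foreign AS in path: reject
    ("192.0.2.0/26", [64500] * 4),              # four copies: reject
    ("2001:db8:1::/48", [64500]),               # IPv6 inside their block: accept
    ("2001:db8:2::/48", [64500]),               # accept (4th prefix, at the limit)
    ("2001:db8:3::/48", [64500]),               # 5th prefix exceeds the limit
]


def run_sample():
    return filter_session(SAMPLE_UPDATES, SAMPLE_POLICY)


if __name__ == "__main__":
    acc, rej, state = run_sample()
    print("accepted:", acc)
    for p, why in rej:
        print("rejected:", p, "-", why)
    print(state)
```

On a real router the same intent is expressed with a prefix-list and an AS-path filter applied inbound on the customer neighbor plus a maximum-prefix setting; the point of the model is that each rejection reason above maps to one of those knobs, and that the prefix check must be done against registry data, not against whatever the customer happens to send.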

Happy Networking :)

2 comments

  1. Most important: filter BGP updates from your customers against the address space you know they own and make sure the AS-path they advertise is correct (and no longer than X copies of their own AS number).

    This simple measure would solve 95+% of the problems we see with BGP.

    As for SBGP and SOBGP: it will not happen any time soon (and probably never) and here’s why:

    http://blog.ioshints.info/2010/03/secure-bgp.html

  2. Great posts and I’m in agreement with everything you’ve said. Here’s a white paper that myself and some peers here at Cisco put together that details how a number of these hardening and best practice recommendations can be implemented (on Cisco routers): http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html.
