Vulnerabilities / Threats
8/5/2015
01:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Securing BGP Not As Difficult As You'd Think

But few service providers and organizations bother to deploy security for BGP, security expert says.

BLACK HAT USA -- Las Vegas -- The Internet's Border Gateway Protocol (BGP) seems to be the new darling of hackers and nation-states, but BGP expert Wim Remes says BGP abuse is nothing new -- and securing it is actually fairly simple.

"I think the biggest issue is the understanding of trust on the Internet," says Remes, EMEA strategic services manager at Rapid7. Remes says there are basic ways to lock down the security of BGP, but not many service providers or organizations are doing it.  

"These security technologies for BGP work very well, they are inexpensive to implement, and there's no incentive for ASN owners to implement them," says Remes, who here today outlined BGP security options in his State of BGP Security session.

But Remes says the big overarching issue today is trust on the Internet, which boiled over after Edward Snowden's leak of controversial NSA surveillance practices. 

Meantime, cybercriminals as well as nation-states increasingly have abused the Internet's underlying BGP traffic-routing fabric to hijack or disrupt networks for profit or political reasons. BGP can be abused via router impersonation, distributed denial of service attacks, and traffic hijacking.

OpenDNS's Dan Hubbard here this week will launch a new free tool called BGP Stream that tweets out alerts on suspicious BGP/Autonomous System Number (ASN) updates and changes so network owners, ISPs, and hosting providers can keep abreast of malicious network changes that could hijack or otherwise disrupt their traffic. Hubbard, OpenDNS's CTO, says BGP "the new black" in the attackers' arsenal.

Rapid7's Remes recommends BGP monitoring, plus hardening BGP routers and the systems used to configure and monitor BPG infrastructure as well as "strict access control" to those systems.

Deploying Resource Public Key Infrastructure (RPKI) for BGP routing is another obvious security option, according to Remes. RPKI validates that route assignments came from a legitimate source rather than a malicious one, thus preventing re-routing of traffic to malicious destinations. Remes says implementing RPKI is inexpensive, and fairly simple. "When a router receives updates, they are signed" by local regional registries, he says.

It takes less than 15 minutes to deploy the open-source RPKI validator software from RIPE, he notes.

ISPs as well as other large organizations could adopt it, he says. RPKI provides validation much like DNSSec does for DNS traffic. RPKI also lets you "create different levels of trust between yourself and your peers," he says.

BGP monitoring is another easy and useful practice, he says. The University of Colorado, for instance, gathers and monitors BGP traffic and offer a real-time stream of BGP events. Hurricane Electric runs a BGP dashboard and dataset for tracking BGP issues, and CYMRU also monitors BGP  traffic.

Luxembourg-based CERT CIRCL runs the BGP Ranking project, which correlates BGP data with malicious activity such as malware and IP blacklists.

"There's more than enough BGP data available," Remes says.

So what should enterprises do about BGP security? "Understand which assets you own … monitor your own ASNs, or [cloud-based ones]," he says. "Someone could be targeting you or your service you rely on," so it helps to track the BGP traffic, he says.

But adoption of RPKI stands at only about 7 percent, Remes says, and it won't even reach 50 percent until 2020, according to RIPE estimates. That's not good enough, according to Remes:  "ASN owners should aspire to do better than that."

Black Hat USA is happening! Check it out here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.