Some of us may already be aware of the lesser-known (or at least less talked about) BGP protocol, but if you're like me, you are at best acquainted with it. If you don't know anything about BGP, you're in luck, as that is exactly what I'll be overviewing today. If you know what BGP is, but haven't grasped how it applies to security, then keep reading, as I'll be covering that as well. Keep in mind that BGP is a highly complex protocol and entire books have been written on the subject. This is a high-level overview of BGP in relation to security. If you are looking for a detailed look at BGP, you might want to check out the RFC.
What is BGP
The Border Gateway Protocol (BGP) is the primary routing protocol of the Internet. BGP is a dynamic routing protocol, and unlike most others it does not use a UDP port for communication. Instead, BGP talks to its peers over TCP port 179 by default. The primary purpose of BGP is to connect autonomous systems (AS) around the world. In other words, BGP is the reason the Internet is, well, inter-networked. Before I go any further, some of you might be asking yourself what specifically constitutes an autonomous system on the Internet. So, let's get into that.
"Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet." - https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
In other words, an autonomous system on the Internet is an organization of internally networked IP addresses under a single technical administration. Typically this means an ISP or a very large organization such as Twitter or Google. In certain cases, multiple large organizations connect to an ISP, which in turn connects all of those organizations to the Internet. The Internet Assigned Numbers Authority (IANA) assigns blocks of ASNs to Regional Internet Registries (RIRs). Each RIR is responsible for assigning a unique Autonomous System Number (ASN) to each AS within its designated area. An ASN is essentially a network's or organization's unique ID number, like an SSN. We could easily delve deeper down the rabbit hole into the different types of autonomous systems and how they interact, but we would promptly find ourselves much deeper than we intended to go. Let's move on.
So basically, BGP allows traffic to be routed between large organizations, ISPs, and networks across the globe in order to create the inter-connected world we've grown to know so well. It essentially paves the shortest possible path through the Internet by selecting a route that traverses the fewest autonomous systems. Each BGP router retrieves a list of Internet routes from its neighbors and uses this list to decide on the best routes. Routers 'advertise' their routes to their neighbors, letting them know when a change has been made. Looked at from that perspective, a BGP router is no different than any other router: it finds the quickest route to a destination.
So, say you want to visit facebook.com. First you fire up your browser, then you type facebook.com into the address bar, and then voila! You're at facebook.com. Simple, right? Well, there's a little more to it. Most of you probably already know that a DNS server is responsible for finding the actual IP address associated with facebook.com. That's nothing new. However, in order to actually find a route to that IP address, a router belonging to your ISP will look up the destination IP address in its BGP table and find the quickest avenue to said address. In some cases, there may be more than one autonomous system which delivers traffic to the address. If this is the case, the more specific prefix wins; this is longest-prefix matching. So if one AS advertises that it delivers to 100,000 IP addresses, and another AS advertises a smaller subset of that range, the traffic will go to the smaller subset.
Why Should I Care?
Most of the time you don't hear people talking about BGP vulnerabilities or exploits, but that doesn't mean there aren't any. As BGP is critical to the functionality of the Internet at large, any misconfiguration, intentional or otherwise, can have some pretty serious effects on a global scale. In 2008, for example, a Pakistani telecommunications company managed to sinkhole YouTube, effectively preventing the entire world from viewing cat videos for a couple of hours. Evidently, Pakistan didn't agree with some of the offensive material on YouTube and in response attempted to null-route all YouTube traffic for Pakistan into a black hole. Think of it as aliasing a malicious site to 127.0.0.1 in your hosts file. In this particular case, the problem was fixed somewhat quickly, as everyone in the world who tried to visit YouTube found themselves in a black hole. However, imagine if traffic were redirected somewhere it shouldn't go, and then routed on to the appropriate destination. What we would have is effectively a global MITM which could go unnoticed for months.
With the information we've learned so far, it's not terribly far-fetched to come up with ideas on how an attacker could hijack Internet traffic this way. Theoretically, all one would need is a BGP router. If an attacker with a BGP router advertised an IP block he wished to target which was smaller than the ranges advertised by other BGP routers, the advertisement would propagate and soon all traffic pertaining to said IP block would be redirected through the attacker's router.
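The two mechanisms above, longest-prefix matching and the way a more-specific announcement from another AS captures traffic, can be shown in a few lines. The following is an added example written for this article, not code from the original post: a toy routing table of (prefix, origin ASN) pairs, a longest-prefix lookup, and a defender-side check that flags announcements inside prefixes you originate yourself. All prefixes and ASNs are constructed documentation values (192.0.2.0/24, 198.51.100.0/22, AS64496 and friends), and the "route feed" is a hand-built list standing in for a looking-glass or BGP monitoring feed.

```python
"""Longest-prefix match and a more-specific-prefix hijack check (added example)."""
import ipaddress

# Constructed sample RIB: (prefix, origin ASN). AS64496-AS64511 and the
# 192.0.2.0/24 / 198.51.100.0/24 ranges are reserved for documentation.
SAMPLE_RIB = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/22", 64497),
    ("0.0.0.0/0", 64499),        # default route learned from an upstream
]

# Same table after a constructed announcement of a more specific /24 inside
# AS64497's /22 appears from a different origin (AS64500).
HIJACKED_RIB = SAMPLE_RIB + [("198.51.100.0/24", 64500)]


def longest_prefix_match(rib, address):
    """Return the (prefix, origin) entry whose prefix most specifically covers
    address. A router forwards on the longest matching prefix, not on the
    first one it learned, so a /24 always beats a /22 covering the same space."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, origin in rib:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin)
    return None if best is None else (str(best[0]), best[1])


def find_suspicious_announcements(our_prefixes, our_asn, announcements):
    """Flag announcements in a route feed that would pull traffic away from
    prefixes we originate. our_prefixes: CIDR strings we legitimately announce
    from our_asn. announcements: iterable of (prefix, origin_asn) pairs.
    Returns a list of (prefix, origin, reason) tuples; an empty list is clean.
    More specifics announced by our own ASN are treated as legitimate traffic
    engineering and are not flagged."""
    owned = [ipaddress.ip_network(p) for p in our_prefixes]
    alerts = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        for mine in owned:
            if net.version != mine.version or origin == our_asn:
                continue
            if net == mine:
                alerts.append((prefix, origin, "same prefix, unexpected origin"))
            elif net.subnet_of(mine):
                alerts.append((prefix, origin, "more-specific prefix from another AS"))
    return alerts


if __name__ == "__main__":
    # Before the hijack the /22 origin carries the traffic; after it, the /24 wins.
    print(longest_prefix_match(SAMPLE_RIB, "198.51.100.77"))
    print(longest_prefix_match(HIJACKED_RIB, "198.51.100.77"))
    # AS64497 monitoring its own /22 would see the /24 from AS64500 flagged.
    for alert in find_suspicious_announcements(["198.51.100.0/22"], 64497, HIJACKED_RIB):
        print("ALERT:", alert)
```

The check is the simplest form of what route-monitoring services do for an operator: compare what the world is announcing against what you know you originate, and alert on any more-specific or same-prefix announcement with a foreign origin. It does not tell you whether the foreign announcement is malicious or a fat-fingered configuration, which is exactly why the YouTube incident looked the same on the wire as an attack would.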
But Why Should I Care?
Obviously collective humanity should care about the stability and security of BGP if we don't want an entire country's traffic to get routed through malicious entities, but how can I use BGP to my advantage? Let's go back to talking about ASNs. If you remember, an ASN is a uniquely identifying number which each autonomous system on the Internet gets assigned. After learning a little about BGP I began to wonder whether there were any information-gathering implications. Turns out there are. Let's say I wanted to find the ASN associated with a particular organization. How would I do that? There are actually a few ways to do this.
whois -h whois.cymru.com 220.127.116.11
AS | IP | AS Name
24940 | 18.104.22.168 | HETZNER-AS, DE
So here we query a certain whois server for the AS number to which 22.214.171.124 belongs. In this case we can see this IP address is owned by HETZNER-AS in Germany. Neat. What if we wanted to get less specific? This is where I utilize MaxMind's ASN database, which is available for download.
cat GeoIPASNum2.csv |grep -i twitter |sed 's/"//g' |cut -d, -f3 |sort -u
AS13414 Twitter Inc.
AS35995 Twitter Inc.
In this example we've looked up all the ASNs belonging to Twitter. As we can see, Twitter has two unique ASNs, which means it owns two autonomous systems on the Internet. Now, in order to look up the associated IP blocks, we just need to query the right server.
whois -h whois.radb.net -- '-i origin AS13414' |grep route:
Cool, right? Not a bad way to quickly find all IP blocks owned by an organization. You don't need to stretch your imagination too far to see how this could be useful when planning to infiltrate a network. Keep in mind these are just blocks of IP addresses. Not all of them will be live.
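The three lookups above (the Team Cymru whois line, the ASN list, and the RADb route objects) all come back as free text that you end up piping through grep and cut. As an added example, not the author's script and not part of the original post, here is a small parser that turns that text into a prefix inventory offline: it reads the pipe-delimited "AS | IP | AS Name" format, walks RADb route objects while skipping ones whose origin does not match or whose prefix is malformed, and then collapses overlapping route objects so that each address is counted only once. The sample responses are constructed with documentation ranges and the placeholder origin AS64496; they are not real query results for any organization.

```python
"""Turn whois.cymru.com and RADb text into a prefix inventory (added example)."""
import ipaddress
import re

# Constructed sample of the Team Cymru "AS | IP | AS Name" response. The
# address, ASN and name are placeholders, not a real lookup result.
CYMRU_SAMPLE = """\
AS      | IP               | AS Name
64496   | 192.0.2.10       | EXAMPLE-AS, ZZ
"""

# Constructed sample of RADb route objects, as returned by
#   whois -h whois.radb.net -- '-i origin AS64496'
# Objects are separated by blank lines. One object has a foreign origin and
# one has a malformed prefix, so the parser has something to reject.
RADB_SAMPLE = """\
route:          192.0.2.0/24
descr:          Example network (constructed)
origin:         AS64496
source:         RADB

route:          198.51.100.0/23
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
origin:         AS64497
source:         RADB

route:          not-a-prefix
origin:         AS64496
source:         RADB
"""


def parse_cymru(text):
    """Return [(asn, ip, name), ...] from the Cymru pipe format, skipping the
    header row and any line that does not have a numeric ASN in column one."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def parse_radb_routes(text, origin_asn):
    """Return the ip_network objects of every route object whose origin is
    AS<origin_asn>. Malformed prefixes are skipped instead of raising, so one
    bad object in a large dump does not abort the whole run."""
    wanted = f"AS{origin_asn}"
    prefixes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("origin") != wanted or "route" not in fields:
            continue
        try:
            prefixes.append(ipaddress.ip_network(fields["route"], strict=True))
        except ValueError:
            continue  # not a valid CIDR, or host bits set; ignore the object
    return prefixes


def collapse_inventory(prefixes):
    """Merge overlapping and adjacent prefixes and return
    (list of collapsed CIDR strings, total address count). Registries often
    hold both an aggregate and its more specifics, which would otherwise be
    double counted."""
    collapsed = list(ipaddress.collapse_addresses(prefixes))
    return [str(n) for n in collapsed], sum(n.num_addresses for n in collapsed)


if __name__ == "__main__":
    print(parse_cymru(CYMRU_SAMPLE))
    nets = parse_radb_routes(RADB_SAMPLE, 64496)
    print("raw route objects:", [str(n) for n in nets])
    print("collapsed inventory:", collapse_inventory(nets))
```

In practice you would feed the functions the output of the two whois commands shown earlier instead of the constructed strings. The collapsed count is the size of the address space the registry says the AS originates; as the article notes, it says nothing about how many of those addresses are actually live, and an IRR route object is only a registration, not proof that the prefix is being announced right now.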
Hopefully you've learned some things you didn't know previously. I certainly learned a few things while writing this article. To finish everything up, I wrote a small script which automates the process of looking up an ASN and returning its IP blocks. All you need to do is pass it the organization you'd like to look up.