BGP TCP Reset Attack

Compared to attacks against end hosts, denial of service (DoS) attacks against the Internet infrastructure, such as those targeted at routers, can be more devastating because of their global impact. Recent research has shown that low-rate TCP-targeted DoS attacks can have a severe impact on BGP. As the inter-domain routing protocol of today's Internet, BGP is the critical infrastructure for exchanging reachability information across the global Internet. BGP routing sessions on current commercial and open source routers are susceptible to such low-rate attacks launched remotely, leading to session resets and delayed routing convergence, seriously impacting routing stability and network reachability. This is the result of a fundamental weakness of today's deployed routing protocols: there is often no protection in the form of guaranteed bandwidth for routing traffic.

Attack vectors

This attack exploits a fundamental susceptibility of TCP to low-rate attacks that stems from its deterministic retransmission timeout (RTO) mechanism, so any application using TCP is vulnerable. The effect on protocols that use TCP within the Internet infrastructure is arguably more severe because of the global scope of the impact. There are two potential impacts of this type of attack: one is on the throughput of BGP packets (for example, slowing down routing table transfers), and the second is a reset of the BGP routing session as the result of a sufficiently large number of consecutive packet drops, which keep KEEPALIVE messages from being delivered before the peer's hold timer expires.

If the attacker succeeds, this can have a serious impact on the Internet in the form of routing instability and unreachable destinations; if the attacker can repeat the attack several times and route flap dampening is enabled on the BGP neighbors, the affected prefixes can be suppressed, leading to very long downtime for the particular AS. The attacker can launch the attack remotely from end hosts without access to the routers and without the ability to send traffic directly to them. Its low-rate nature makes detection inherently difficult. More importantly, the existing best common practice of protecting the Internet routing infrastructure by disallowing access to it, and research proposals such as S-BGP, are not sufficient to prevent this type of low-rate attack, because they do not address congestion on the link that carries the session.

The attacker can bring down the targeted BGP session in as little as 216 seconds. The session reset probability can be as high as 30% with only 42% utilization of the bottleneck link capacity. And when the session is not reset, the BGP table transfer duration can be increased from 85 seconds to up to an hour with only 27% of the link capacity used.
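The timing behind these numbers is easier to see in a small model. The following is an added example, not code from the original article: it simulates one BGP KEEPALIVE segment that must get through a drop-tail bottleneck before the peer's hold timer expires, while the attacker sends short bursts at a fixed period. Because TCP backs off its RTO exponentially, a burst period that matches the router's minRTO makes every retransmission land inside a burst, so the attacker needs only a small fraction of the link capacity. The hold time (180 s), minRTO (1 s), RTO cap (64 s), burst length and burst period are assumed values; queueing delay, RTT and the keepalive interval are ignored.

```python
"""Toy simulation of a low-rate TCP-targeted DoS attack on a BGP session.

Constructed example, not code from the original article. All times are in
milliseconds. One BGP KEEPALIVE segment has to be delivered before the peer's
hold timer expires. The attacker sends short bursts at a fixed period; a
segment the router transmits while a burst is overflowing the drop-tail
bottleneck queue is lost (no priority for routing traffic). TCP retransmits
each lost segment after an exponentially backed-off RTO starting at min_rto.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    session_reset: bool           # hold timer expired before delivery
    time: int                     # ms: delivery time, or the moment of the reset
    attempts: int                 # original transmission + retransmissions
    attacker_utilization: float   # fraction of the bottleneck the attacker needs


def in_burst(t: int, period: int, burst_len: int) -> bool:
    """True if time t (ms) falls inside an attacker burst [k*period, k*period+burst_len)."""
    return (t % period) < burst_len


def simulate(hold_time: int = 180_000, min_rto: int = 1_000, max_rto: int = 64_000,
             burst_len: int = 200, burst_period: int = 1_000,
             routing_protected: bool = False) -> Outcome:
    """Transmit one KEEPALIVE at t=0 and keep retransmitting with exponential
    backoff until it gets through or the peer's hold timer (started at t=0) fires.
    routing_protected=True models a queue that guarantees bandwidth to routing
    traffic, so attacker bursts never cause the segment to be dropped."""
    util = burst_len / burst_period
    t, rto, attempts = 0, min_rto, 0
    while t < hold_time:
        attempts += 1
        if routing_protected or not in_burst(t, burst_period, burst_len):
            return Outcome(False, t, attempts, util)
        t += rto                      # retransmission timer fires
        rto = min(rto * 2, max_rto)   # exponential backoff, capped like RFC 6298
    return Outcome(True, hold_time, attempts, util)


def reset_fraction(min_rtos, **kw) -> float:
    """Fraction of candidate minRTO values for which the attack resets the
    session. Stands in for the attacker not knowing the router's real minRTO."""
    rtos = list(min_rtos)
    hits = sum(simulate(min_rto=r, **kw).session_reset for r in rtos)
    return hits / len(rtos)


if __name__ == "__main__":
    print("bursts every 1 s, minRTO 1 s:   ", simulate())
    print("bursts every 1.1 s, minRTO 1 s: ", simulate(burst_period=1_100))
    print("routing traffic protected:      ", simulate(routing_protected=True))
    guesses = range(1_000, 2_000, 100)   # assumed range of plausible minRTO values
    for period in (1_000, 500):
        print(f"burst period {period} ms: reset fraction over unknown minRTO =",
              reset_fraction(guesses, burst_period=period))
```

Running the block shows that with bursts every second (20% of the link) the segment is lost eight times in a row and the hold timer expires, while a burst period that does not match minRTO lets the second transmission through, and a protected routing queue is never affected. The final sweep shows the trade-off an attacker faces when minRTO is unknown (see "Proprietary router implementation" below): halving the burst period doubles the capacity used but catches more candidate minRTO values.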

[Figure: low-rate TCP attack on a BGP session]

In the figure, the attacker sends low-rate bursts of TCP packets with spoofed source addresses across the link between the BGP peers in order to reset the BGP session between them.

What are the key factors that lead to this vulnerability of BGP to such attacks?

Priority of routing traffic

One of the key factors is that routing traffic may not be sufficiently protected from congestion caused by other data traffic. Many commercial routers today use a FIFO (drop-tail) queuing discipline by default, giving no priority to routing packets. Even where routing packets are protected through the RED (or weighted RED) queue management scheme, there is no default policing mechanism to prevent an attack with packets that carry spoofed source addresses and a higher-priority marking. For example, many routers mark their routing packets with an IP precedence value of 6 (Internetwork Control). However, attack packets can use the same or an even higher IP precedence value, since these values are not authenticated by default. Packet re-marking at the network edge needs to be configured for the protection to be effective.

Proprietary router implementation

Router behavior is much less well understood than that of end hosts because of its proprietary nature and the lack of source code access. For example, it is unclear how the TCP stack on commercial routers really behaves. Unlike for end hosts, parameters that are critical to the attack, such as minRTO, are unknown, which makes a successful attack more difficult. If minRTO were randomized, that would further reduce the probability of a session reset. Even with known router behavior, the dynamic behavior of a router may be quite different from the default settings depending on its configuration. The focus here is on the default settings, as most routers are probably deployed with such configurations, even though some routers support features that would help protect against low-rate attacks.

Capacity of peering links

In order for low-rate TCP attacks to be successful against BGP routing sessions, the traffic burst needs to be powerful enough to cause enough packet loss that the TCP flow of the BGP session enters the retransmission timeout state. This may appear difficult for an attacker to achieve, especially for BGP sessions involving Internet core backbone links, given the heavily over-provisioned core. However, eBGP sessions involve peering links, which may not be as well provisioned as links within an ISP backbone, and there is anecdotal evidence that congestion often occurs on peering links.

Mitigations

To effectively protect against this type of attack, at least the following countermeasures should be combined:

  • QoS that classifies BGP traffic into a dedicated priority queue. This protects BGP packets from congestion on the link, but on its own it does not help much: without an infrastructure ACL and a QoS trust boundary, attack packets carrying the same IP precedence or DSCP marking land in the same queue.
  • An infrastructure ACL (iACL) that permits traffic to the BGP process only from legitimate sources, i.e. the configured peers.
  • A QoS trust boundary at the network edge, where markings arriving on untrusted interfaces are not trusted and the IP precedence and DSCP values are overwritten, so that only genuine routing traffic keeps the priority marking.
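As an added example (not code from the original article), the following model shows how the three countermeasures compose and why the priority queue alone is not enough. It represents a router's packet policy as three steps: an infrastructure ACL, a trust boundary that re-marks precedence, and queue selection by precedence. The addresses (RFC 5737 documentation ranges), interface names and packets are constructed for the example; IP precedence 6 (Internetwork Control) and TCP port 179 are the real values used for BGP.

```python
"""Constructed model of a router's control-plane protection policy
(not code from the original article). It shows that a priority queue for
routing traffic isolates the BGP session only when combined with an
infrastructure ACL and a QoS trust boundary that re-marks packets arriving
on untrusted interfaces. Addresses, interface names and packets are made up.
"""
from dataclasses import dataclass

ROUTING_PRECEDENCE = 6   # IP precedence routers set on their own BGP/IGP packets
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    precedence: int
    ingress: str   # interface the packet arrived on; "local" = router-originated


@dataclass(frozen=True)
class Policy:
    router_addrs: frozenset      # the router's own (infrastructure) addresses
    bgp_peers: frozenset         # sources allowed to reach the BGP process
    trusted_ifaces: frozenset    # interfaces whose precedence marks are honoured
    priority_for_routing: bool = True   # precedence-6 traffic gets its own queue
    infrastructure_acl: bool = False    # filter traffic addressed to the router itself
    remark_at_boundary: bool = False    # enforce the QoS trust boundary


def is_session_traffic(pkt: Packet, pol: Policy) -> bool:
    """Packet belongs to a configured BGP session (peer -> this router, TCP/179)."""
    return pkt.dport == BGP_PORT and pkt.dst in pol.router_addrs and pkt.src in pol.bgp_peers


def process(pkt: Packet, pol: Policy) -> tuple:
    """Return ("drop", reason) or ("forward", queue) for one packet."""
    # Step 1: infrastructure ACL. Traffic to the router's own BGP port is only
    # accepted from configured peers. (A source address spoofed to match a peer
    # still passes; anti-spoofing at the network edge has to catch that.)
    if pol.infrastructure_acl and pkt.dst in pol.router_addrs \
            and pkt.dport == BGP_PORT and pkt.src not in pol.bgp_peers:
        return ("drop", "iacl")
    # Step 2: QoS trust boundary. Without it, whatever precedence the sender
    # wrote is believed. With it, only genuine session traffic (or traffic from
    # a trusted interface) keeps a high mark; everything else is reset to 0.
    if not pol.remark_at_boundary or pkt.ingress in pol.trusted_ifaces:
        prec = pkt.precedence
    elif is_session_traffic(pkt, pol):
        prec = ROUTING_PRECEDENCE
    else:
        prec = 0
    # Step 3: queue selection. Routing traffic is isolated from data traffic
    # only if a priority queue exists for it; otherwise everything shares FIFO.
    if pol.priority_for_routing and prec == ROUTING_PRECEDENCE:
        return ("forward", "routing")
    return ("forward", "best-effort")


def routing_queue_exposed(pol: Policy, attacker_pkts) -> bool:
    """True if any attacker packet is forwarded into the routing queue, i.e. the
    attacker can still congest the queue the BGP session depends on."""
    return any(process(p, pol) == ("forward", "routing") for p in attacker_pkts)


# Constructed scenario: documentation addresses and made-up interface names.
ROUTER = "192.0.2.1"
PEER = "192.0.2.2"
BASE = dict(router_addrs=frozenset({ROUTER}), bgp_peers=frozenset({PEER}),
            trusted_ifaces=frozenset({"local"}))
WEAK = Policy(**BASE)                                                      # priority queue only
HARDENED = Policy(**BASE, infrastructure_acl=True, remark_at_boundary=True)

LEGIT_IN = Packet(PEER, ROUTER, BGP_PORT, 6, "Gi0/1")                    # peer's BGP segment
LEGIT_OUT = Packet(ROUTER, PEER, BGP_PORT, 6, "local")                   # our own BGP segment
ATTACK_TRANSIT = Packet("198.51.100.7", "203.0.113.9", 80, 6, "Gi0/1")   # prec-6 burst crossing the link
ATTACK_TO_BGP = Packet("198.51.100.7", ROUTER, BGP_PORT, 6, "Gi0/1")     # non-peer aiming at TCP/179

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, {f"{p.src}->{p.dst}": process(p, pol)
                     for p in (LEGIT_IN, LEGIT_OUT, ATTACK_TRANSIT, ATTACK_TO_BGP)})
        print("  attacker can reach the routing queue:",
              routing_queue_exposed(pol, [ATTACK_TRANSIT, ATTACK_TO_BGP]))
```

With the weak policy every packet marked precedence 6 ends up in the routing queue, so the attacker's bursts compete directly with the BGP session; with the hardened policy the transit burst is re-marked to best effort, the packet aimed at the BGP process is dropped by the iACL, and only the genuine session traffic in both directions keeps its priority.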