Infrastructure Hacking: BGP Protocol I

Today we are going to talk about an essential protocol for Internet communications, the one that exchanges routing information between autonomous systems over IP networks: the Border Gateway Protocol.

This is a very interesting protocol that is worth talking about in detail and explaining in depth how we can attack it, so I will divide the post into two parts.

At first glance it may seem like a simple protocol, but it is actually a bit more complicated to understand. Therefore, before continuing with the vulnerabilities, I recommend you watch this short video from TechTarget on how the protocol works:

Now let’s see how to detect the BGP protocol.

BGP detection

The first thing to do if we want to check whether there is a BGP service on the network is to run the netstat command to see what is listening. In this case we see several processes bound to the BGP port (TCP 179):


Let’s check which processes are running in the background. We look at the crontab and see that a script runs every 10 minutes. The script kills the “vtysh” process, restores two configuration files of the “quagga” routing suite (“zebra.conf” and “bgpd.conf”) and restarts “quagga”.

Let’s look at that zebra.conf file. It looks like a Cisco configuration file:

On the other hand, in bgpd.conf we have a set of BGP commands:

We can run the vtysh program and see that it gives us a console similar to the Cisco one. We can see the configuration by executing the following commands:

We can see that the BGP configuration is reverted every 10 minutes and that there are 3 different BGP routers… So we can try some kind of BGP attack, specifically a BGP hijacking.

Let’s talk a bit about this kind of attack.

BGP Hijacking

BGP hijacking consists of corrupting the routing tables of the Internet, changing where traffic is sent in order to monitor, intercept, or drop it (black holing). It is also used to redirect users to fake websites.

In recent years there have been several reports of BGP hijacking attacks. For example, in 2018 attackers redirected traffic from MyEtherWallet, a popular interface for managing and holding Ethereum cryptocurrency, to a Russian server. In doing so, they obtained assets valued at $152,000. You can find more information about this incident here.

Let’s try to show how to perform a similar attack on the network we are on.

According to this configuration, we are router 100, and our neighbours are 200 and 300. Let’s draw a diagram to make it clear:

It was previously discovered on this machine that there was an FTP service on IP 10.120.15.10. If we type the command “show ip route 10.120.15.10”, it shows us the route that leads to this IP.

Therefore, we can update the scheme by adding the FTP service, and us as attackers:

This is the scenario from which we start our BGP attack. First, let’s assume that AS-200 and AS-300 are connected, and that there is someone on AS-200:

It’s a bit complicated to understand, so let’s summarise our theory:

What we think is happening is that a user on AS-200 connects to the FTP server, and we want to find out their login credentials, but the packet does not pass through us: it goes from AS-200 straight to AS-300. With a BGP hijacking attack, however, we can announce from our AS-100 router that we have a better route to the FTP service, so that AS-200 sends the packet to us instead of to AS-300, believing that path is faster.

BGP Attacks on Twitter

There is a Twitter account that publishes information every time a BGP hijacking event occurs:

This bot account relays information from bgpstream.com, a Cisco site that shows both hijacking events and service outages in real time.

Obtaining information via BGP

The first thing we must do to perform the attack is to obtain information through BGP:

We can show a summary of the network, including the neighbours, with the command show ip bgp summary (it is not necessary to type the whole command; here, for example, sh is enough for it to understand show, just as on Cisco):

To see everything, we can use the command “show ip bgp”:

Each * is a valid route, a line with an empty Network column means that the prefix of the line above is repeated (an alternative path to the same network), and the > character marks the best path.

So, for example, for the network 10.110.10.0/24 the preferred route from AS-100, which is where we are, is through AS-200. But it could also go via AS-300, from there to AS-200 and finally to AS-100.
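As an added example (not part of the original post), here is the defender's counterpart of the table just described: a small Python parser for the Cisco/Quagga `show ip bgp` layout, which reads the `*`/`>` status flags and the blank Network column exactly as explained above, followed by a check that flags best paths whose origin AS is not the one authorised for the prefix, or that are more-specifics of an authorised prefix, which is what the hijack described earlier relies on. The sample table, the router addresses and the expected-origin map are constructed for the example; the map stands in for the ROA/IRR allowlist a real network would maintain.

```python
"""Parse a Cisco/Quagga-style `show ip bgp` table and flag best paths that
conflict with the origin AS we expect for a prefix (a basic hijack check).

Added example: the table below is constructed, not captured from the lab.
"""
import ipaddress
from dataclasses import dataclass

# Fixed-width column layout printed by Cisco IOS and Quagga for `show ip bgp`:
# status(3) network(17) next-hop(20) metric(6) locprf(6) weight(6) path
ROW = "{:<3}{:<17}{:<20}{:>6} {:>6} {:>6} {}"

# Constructed sample as seen from a router in AS 100 with neighbours 200 and 300
# (the addresses are made up for the example).
SAMPLE_SHOW_IP_BGP = "\n".join([
    "BGP table version is 12, local router ID is 10.100.1.1",
    "Status codes: s suppressed, d damped, h history, * valid, > best, i - internal",
    "Origin codes: i - IGP, e - EGP, ? - incomplete",
    "",
    ROW.format("", "Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path"),
    ROW.format("*>", "10.110.10.0/24", "10.100.1.2", 0, "", 0, "200 i"),
    ROW.format("*", "", "10.100.1.3", 0, "", 0, "300 200 i"),
    ROW.format("*>", "10.120.15.0/24", "10.100.1.3", 0, "", 0, "300 i"),
    ROW.format("*", "", "10.100.1.2", 0, "", 0, "200 300 i"),
    # A more-specific of the FTP subnet originated by AS 200: longest match wins,
    # so this is exactly the shape a hijack announcement takes.
    ROW.format("*>", "10.120.15.0/25", "10.100.1.2", 0, "", 0, "200 i"),
])


@dataclass(frozen=True)
class BgpPath:
    prefix: ipaddress.IPv4Network
    next_hop: str
    as_path: tuple
    best: bool

    @property
    def origin_as(self):
        """The right-most AS originated the prefix; an empty path means it is local."""
        return self.as_path[-1] if self.as_path else None


def parse_show_ip_bgp(text):
    """Return one BgpPath per table row, carrying the prefix down to rows that
    leave the Network column blank (alternative paths to the same prefix)."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if "Network" in line and "Path" in line)
    net_col = lines[header].index("Network")
    path_col = lines[header].index("Path")
    paths, current = [], None
    for line in lines[header + 1:]:
        if not line.strip():
            continue
        status = line[:net_col]                  # e.g. "*> " or "*  "
        fields = line[net_col:path_col].split()  # [network,] next-hop, metric, locprf, weight
        if "/" in fields[0]:
            current = ipaddress.ip_network(fields.pop(0))
        next_hop = fields[0]
        tokens = line[path_col:].split()         # AS numbers followed by the origin code
        as_path = tuple(int(tok) for tok in tokens[:-1] if tok.isdigit())  # AS-sets {...} are skipped
        paths.append(BgpPath(current, next_hop, as_path, ">" in status))
    return paths


def find_suspicious(paths, expected_origins):
    """Return (path, reason) for best paths that conflict with expected_origins,
    a map of authorised prefix -> AS allowed to originate it.

    Flags a best path whose origin AS differs from the authorised one, and any
    best path that is a more-specific of an authorised prefix.
    """
    expected = {ipaddress.ip_network(p): asn for p, asn in expected_origins.items()}
    findings = []
    for path in paths:
        if not path.best:
            continue
        covering = [p for p in expected if path.prefix.subnet_of(p)]
        if not covering:
            continue  # no policy for this prefix
        authorised = max(covering, key=lambda p: p.prefixlen)
        if path.prefix != authorised:
            findings.append((path, f"more-specific of {authorised} originated by AS {path.origin_as}"))
        elif path.origin_as != expected[authorised]:
            findings.append((path, f"origin AS {path.origin_as}, expected AS {expected[authorised]}"))
    return findings


if __name__ == "__main__":
    table = parse_show_ip_bgp(SAMPLE_SHOW_IP_BGP)
    for path, reason in find_suspicious(table, {"10.110.10.0/24": 200, "10.120.15.0/24": 300}):
        print(f"ALERT {path.prefix} via {path.next_hop} path {path.as_path}: {reason}")
```

The column-based parse matters: metric and local preference may be blank, so splitting a row on whitespace cannot tell which numbers are attributes and which are the AS path. Running the block prints a single alert for the constructed 10.120.15.0/25 announcement.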

If we want to see more details of a particular route, we can use the command “show ip bgp <network>”. For example, let’s see the details of the subnet containing the IP with the FTP service:

We can also see all the routes that a neighbour receives from us by typing “show ip bgp neighbors <ip> advertised-routes”.

What we are going to do in the BGP attack is to announce, from the router that we control (AS-100), a route for the FTP service at IP 10.120.15.10.

We already have the information and we have structured the attack. In the next post we will see how to perform a BGP hijacking step by step starting from the scenario we have presented today. Don’t miss the next post to find out how!

Lethani.
