BGP Security Tips (updated)
- Tony Mattke
- Networking
- August 11, 2009
For some, BGP is a rather large, obtrusive beast of a protocol that scares them half to death. This is not without good reason: BGP is not only the most important protocol running on your network, it is also one of the most targeted routing protocols in terms of malicious attacks. The majority of BGP attacks are built around the premise of flooding your network with false prefixes to steer interesting traffic to destinations where it can be sniffed or recorded.
The following tips are simple measures that help mitigate such nasty things.
- Set up maximum-prefix to limit the number of prefixes a peer may advertise. This helps keep a single peer from overloading your router. *
- Use ACLs so that BGP packets are accepted only from your actual peers.
- Use MD5 authentication on BGP peers.
- Deny updates that include private ASNs in the path.
- Limit the maximum AS path length. *
- Limit the TTL on BGP packets.
* Using this measure can leave routes missing from the routing table. Use at your own risk.
Obviously these guidelines will not prevent you from falling prey to every BGP attack known to man, but they go a long way toward stopping all but the most dedicated individuals. If you have any tips you would like me to include, please feel free to leave a comment below.
Update: Recent versions of Cisco IOS Software support RFC 4893 (4-byte ASNs) and contain two remote denial of service (DoS) vulnerabilities when handling specific BGP updates. These vulnerabilities affect only devices running Cisco IOS versions with support for the 4-byte AS number space and with BGP configured.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems. The second vulnerability could cause an affected device to reload when it processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has presented a workaround for the second issue: they recommend setting bgp maxas-limit to a conservative value of 100 to mitigate this vulnerability.
Cisco's advisory can be found here.
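To make the tips concrete, here is an added example (not from the original post, and not Cisco's own text) of a Cisco IOS configuration that applies each of them to a single eBGP peer, together with the maxas-limit setting from the update. The AS numbers, addresses, interface, prefix limit and password are constructed placeholders.

```cisco
! Added example: IOS config applying the post's tips to one eBGP peer.
! Constructed values: local AS 64500, peer AS 64501, link 192.0.2.0/30
! (TEST-NET-1). Replace them with your own.
!
! Deny updates with a private ASN (64512-65534) anywhere in the path.
! In IOS as-path regexes "_" matches a path delimiter, so each ASN is
! matched as a whole number rather than as a substring.
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-4])_
ip as-path access-list 10 permit .*
!
! ACL: accept TCP/179 only to and from the configured peer. Any other BGP
! packet arriving on this interface is dropped; non-BGP traffic passes.
ip access-list extended BGP-PEERS
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group BGP-PEERS in
!
router bgp 64500
 bgp log-neighbor-changes
 ! AS path length limit (and the workaround from the update): updates whose
 ! path has more than 100 ASNs are discarded. Starred caveat: legitimate
 ! routes with long paths are discarded too.
 bgp maxas-limit 100
 neighbor 192.0.2.2 remote-as 64501
 ! MD5 authentication: TCP MD5 signature on the session (placeholder secret).
 neighbor 192.0.2.2 password REPLACE-WITH-SHARED-SECRET
 ! TTL limit (GTSM): only accept packets that still carry TTL 255, i.e.
 ! from a directly connected peer; spoofed packets from further away fail.
 neighbor 192.0.2.2 ttl-security hops 1
 ! maximum-prefix: warn at 90% of 300000 prefixes, tear the session down
 ! above that and retry after 15 minutes. Starred caveat: every route from
 ! this peer is gone while the session is down.
 neighbor 192.0.2.2 maximum-prefix 300000 90 restart 15
 ! Apply the private-ASN filter to inbound updates.
 neighbor 192.0.2.2 filter-list 10 in
```

Check the result with `show ip bgp neighbors 192.0.2.2` (prefix count, TTL security and MD5 status) and `show ip bgp filter-list 10` to see which received paths the private-ASN filter would reject.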