Routing

BGP Security Tips (updated)

Tony Mattke · 2009.08.11 · 2 min read

For some, BGP is a large, obtrusive beast of a protocol that scares them half to death. This is not without good reason: BGP is not only the most important protocol running on your network, it is also one of the most targeted routing protocols in terms of malicious attacks. The majority of BGP attacks are built on the premise of flooding your network with false prefixes to direct interesting traffic to destinations where it can be sniffed or recorded.

The following tips are simple measures that help mitigate such nasty things.

  1. Set up maximum-prefix to limit the number of prefixes accepted from a peer. This helps keep a single peer from overloading your router. *
  2. Use ACLs so that BGP packets are accepted only from actual peers.
  3. Use MD5 authentication on BGP peers.
  4. Deny updates that include private ASNs in the path.
  5. Limit the maximum length of the AS path. *
  6. Limit the TTL on BGP packets.

* When using this method it is possible to end up missing data from the routing table. Use at your own risk.

Obviously these guidelines will not prevent you from falling prey to every BGP attack known to man, but they can seriously help fend off all but the most dedicated individuals. If you have any tips you would like me to include, please feel free to leave a comment below.

Update: Recent versions of Cisco IOS Software support RFC 4893 (4-byte ASNs) and contain two remote denial of service (DoS) vulnerabilities triggered when handling specific BGP updates. These vulnerabilities affect only devices running Cisco IOS versions with support for the 4-byte AS number space and with BGP configured.

The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems. The second vulnerability could cause an affected device to reload when it processes a malformed BGP update that has been crafted to trigger the issue.

Cisco has presented a workaround for the second issue: they recommend setting bgp maxas-limit to a conservative value of 100 to mitigate this vulnerability.

Cisco’s advisory can be found here.
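To show how the six tips and the maxas-limit workaround fit together on one eBGP session, here is an added Cisco IOS configuration example (mine, not from the original post or from Cisco's advisory). The AS numbers (64496/64497) and addresses (192.0.2.x) are documentation values, the prefix limit and secret are placeholders, and the private-ASN filter is applied inbound via an as-path access-list.

```cisco
! Tip 4: deny any inbound update whose AS path carries a private ASN (64512-65534).
! The regex ranges together cover exactly 64512 through 65534.
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-4])_
ip as-path access-list 10 permit .*
!
! Tip 2: only the configured peer (192.0.2.1) may exchange TCP/179 with this router.
! Other BGP attempts are dropped and logged; non-BGP traffic is left alone.
ip access-list extended BGP-PEERS-IN
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 deny   tcp any any eq bgp log
 deny   tcp any eq bgp any log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group BGP-PEERS-IN in
!
router bgp 64496
 ! Tip 5 and the Cisco workaround: discard updates with more than 100 ASes in the path.
 ! Footnote applies: a legitimately long path will be dropped too.
 bgp maxas-limit 100
 neighbor 192.0.2.1 remote-as 64497
 ! Tip 3: TCP MD5 signature option (RFC 2385); both peers must use the same secret.
 neighbor 192.0.2.1 password REPLACE-WITH-SHARED-SECRET
 ! Tip 6: GTSM (RFC 5082) -- accept packets from this directly connected peer
 ! only if the IP TTL is still 254 or higher, which a remote sender cannot spoof.
 neighbor 192.0.2.1 ttl-security hops 1
 ! Tip 4: apply the private-ASN as-path filter to incoming updates.
 neighbor 192.0.2.1 filter-list 10 in
 ! Tip 1: log a warning at 80% of 5000 prefixes, tear the session down above 5000,
 ! and retry automatically after 10 minutes. Footnote applies: size the limit to the peer.
 neighbor 192.0.2.1 maximum-prefix 5000 80 restart 10
```

After applying it, "show ip bgp neighbors 192.0.2.1" confirms the session is MD5-protected, shows the TTL-security setting, and reports the prefix count against the configured maximum.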
