Routing Protocols: OSPF and BGP in Network Security


Explore the role of OSPF and BGP in network security, including vulnerabilities, case studies on BGP hijacking and OSPF vulnerability, and future trends in routing protocols. Learn how routers communicate, update routing tables, and choose optimal paths for packet forwarding across networks.

  • Routing Protocols
  • OSPF
  • BGP
  • Network Security
  • Vulnerabilities


Presentation Transcript


  1. Routing Protocols: OSPF & BGP in Network Security Group Members: Ankita Smruti Ranjan Dash

  2. Table of Contents: Introduction to Routing Protocols; Types of Routing Protocols; Overview of OSPF and BGP; Case Study 1: BGP Hijacking; Exploring Vulnerabilities in BGP; Conditions for Successful BGP Attacks; Case Study 2: OSPF Vulnerability; Future Trends for Routing Protocols; Conclusion.

  3. Introduction to Routing Protocols: Rules and standards that determine how routers communicate with each other to share information about network reachability. They enable the dynamic exchange of routing information, allowing routers to update their routing tables and choose the best paths for forwarding packets across networks.

  4. Types of Routing Protocols. Exterior Gateway Protocols (EGP): Used for routing between different autonomous systems. Example: BGP (Border Gateway Protocol). Interior Gateway Protocols (IGP): Used within a single organization. Example: OSPF (Open Shortest Path First).

  5. Overview of OSPF: A routing protocol that uses a Link State Routing (LSR) algorithm. It operates as an Interior Gateway Protocol (IGP) within a single Autonomous System (AS). Each router has a complete view of the network's topology and calculates the best route independently using Dijkstra's algorithm. It detects changes in the network (e.g., link failures) and quickly recalculates a new, loop-free routing path. Figure caption: Dijkstra's algorithm to find the shortest path between a and b. It picks the unvisited vertex with the lowest distance, calculates the distance through it to each unvisited neighbor, and updates the neighbor's distance if smaller. Mark visited (set to red) when done with neighbors.

  6. Overview of BGP: Standardized Exterior Gateway Protocol (EGP) for exchanging routing and reachability information between Autonomous Systems (AS) on the internet. It operates as a path-vector routing protocol, making routing decisions based on paths, network policies, or administrator-defined rule sets. A BGP peer uses a Finite State Machine (FSM) with 6 states (Idle, Connect, Active, OpenSent, OpenConfirm, and Established) to manage peer-to-peer sessions. Path-vector routing ensures that updates looping through the network are detected and discarded to avoid routing issues.

  7. Case Study 1 - BGP Hijacking. Event: In 2010, Pakistan Telecom mistakenly redirected YouTube traffic. Outcome: This led to a significant global outage for a major online service. Cause: The issue stemmed from blindly trusting BGP advertisements, which allowed incorrect routing information to propagate without sufficient verification. Impact: It revealed vulnerabilities in routing protocols across the internet. It could be considered an inadvertent DoS attack on YouTube.

  8. Continued from previous slide: This picture illustrates that traffic for YouTube, which was supposed to route to 36561 (ASN of YouTube, highlighted in red on the left), was being directed to 17557 (ASN for Pakistan Telecom, highlighted in red on the right).

  9. Exploring Vulnerabilities in BGP. Common attacks: BGP Hijacking: Attackers seize control by falsely claiming IP addresses, stealthily rerouting traffic through their network. Route Leaks: Incorrectly sharing routes from one provider to another, causing traffic to flow down unintended paths. Impact: Can result in significant traffic diversion, data theft, or service disruption. https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/ https://networklessons.com/bgp/bgp-route-leaking

  10. Conditions for Successful BGP Attacks. For a BGP hijack to succeed, the attacker must: (1) Announce a more specific route by breaking down a larger IP range into smaller parts. (2) Provide a shorter route to certain IP blocks. For a BGP route leak to succeed, the following conditions must be met: (1) The network must improperly advertise routes learned from one provider to another, typically due to misconfiguration. (2) The leaked routes need to be accepted by other Autonomous Systems (ASes) for the traffic to be misrouted.

  11. Case Study 2 - Cisco IOS XE Software OSPFv2 Denial of Service Vulnerability (CVE-2024-20313). While there have been no known widespread exploitations of OSPF due to its nature as an internal network protocol, vulnerabilities have still been discovered. Incident Overview: A vulnerability in OSPFv2 within Cisco IOS XE Software allows an unauthenticated adjacent attacker to cause affected devices to reload unexpectedly, leading to a DoS condition. Affected Products: Cisco IOS XE Software OSPFv2, specifically with the distribute link-state option enabled. Impact: The vulnerabilities pose significant security risks, including the potential for service outages resulting from Denial of Service (DoS) attacks.

  12. Continued from previous slide.. Mitigation: In response, Cisco has released patches to address these vulnerabilities and recommends immediate application of security updates to protect affected devices. Lessons Learned: This incident underscores the importance of security hygiene, emphasizing the need for regular updates and patch management, as well as continuous monitoring of network configurations for anomalies. Key Details: The vulnerability arises from improper validation of OSPF updates. An attacker can exploit this by sending a malformed OSPF update, potentially causing the device to reload and resulting in a Denial of Service.

  13. "While current cryptographic solutions are essential for securing protocols like OSPF and BGP, the landscape of network threats is evolving. Let's explore future trends that are expected to play a key role in routing protocol security."

  14. Future Trends for Routing Protocols. Blockchain for Routing Information Verification: Blockchain offers a decentralized, tamper-resistant method for verifying routing updates. Applied to BGP, it can prevent BGP hijacking by securely verifying routing advertisements. Enhances trust and integrity in routing information. AI in Dynamic Routing Security: AI can analyze routing patterns in real-time to detect anomalies. For OSPF and BGP, AI helps predict and mitigate threats like route leaks and spoofing. Provides proactive security by responding to issues before they disrupt operations.

  15. Activity. Objective: Deepen your understanding of OSPF and network security by researching additional protocols and mitigation strategies. Analyze how internal network protocols may be secured against similar exploits. Instructions: Research Alternative Routing Protocols. (1) Investigate at least one protocol alternative to OSPF (such as RIP or IS-IS). Identify its strengths and weaknesses, especially in terms of security. (2) Why might this alternative be more secure against the kind of exploit seen in OSPF? What challenges might arise when implementing it in a large network?

  16. More Best Practices. 1. Authentication Mechanisms: Implement MD5 or SHA for securing OSPF sessions. Prioritize effective password management to enhance security. 2. Prefix Filtering: Establish stringent prefix filtering rules to regulate the prefixes routers may accept. This practice mitigates the risk of BGP hijacking. 3. Best Practices Summary: Regularly review and update authentication methods. Maintain clear policies on prefix acceptance. Ensure continuous education on security protocols.

  17. Conclusion. Key Takeaways: OSPF and BGP are critical for network functionality but are exposed to various security threats. Vulnerabilities include route hijacking, session fixation, and denial-of-service attacks. Continuous monitoring and timely updates are essential for mitigating emerging threats. Strong security practices, including cryptographic techniques, enhance the integrity and confidentiality of routing information. Training for network administrators on best practices minimizes human error and exploitation risks. Final Thought: A secure routing environment is key to building trust in network communications, ensuring smooth service delivery, and protecting user data.

  18. Discussion Questions: 1. What strategies can be implemented to address the issue of false advertisements in the OSPF protocol? 2. How could the BGP hijacking incident that made YouTube inaccessible have been prevented? 3. Why is there a lack of strong authentication mechanisms used in routers to prevent false advertisements? 4. How can blockchain technology be strategically implemented to address routing issues?

  19. References
      • Wikipedia. Routing protocol. Available at: https://en.wikipedia.org/wiki/Routing_protocol
      • CNET. How Pakistan knocked YouTube offline (and how to make sure it doesn't happen again). Available at: https://www.cnet.com/culture/how-pakistan-knocked-youtube-offline-and-how-to-make-sure-it-never-happens-again/
      • Cisco. IP Routing: OSPF Configuration Guide. Available at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/iro-cfg.html
      • Wikipedia. Dijkstra's algorithm. Available at: https://en.wikipedia.org/wiki/Dijkstra%27s_algorithm#:~:text=Dijkstra%27s%20algorithm%20(%2F%CB%88da%C9%AA,and%20published%20three%20years%20later
      • ACM Digital Library. Blockchain Router: A Cross-Chain Communication Protocol. Available at: https://dl.acm.org/doi/10.1145/3070617.3070634#:~:text=We%20introduces%20blockchain%20router%2C%20which,other%20same%20like%20Internet%20network
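
Slide 5 describes each OSPF router running Dijkstra's algorithm over its own copy of the topology. The following added example (not from the presentation) runs that calculation over a small constructed link-state database and applies the OSPF specification's rule that a link is used only when the router at the other end also advertises it, which is what limits the effect of a single false advertisement (discussion question 1). Router names and costs are hypothetical, and only point-to-point router links are modelled.

```python
import heapq

# Constructed link-state database: each router's own advertisement lists its
# neighbours and link costs. R5 claims a cost-1 link to R4, but R4 does not
# list R5, so that link is not confirmed from both ends.
LSDB = {
    "R1": {"R2": 10, "R3": 5, "R5": 1},
    "R2": {"R1": 10, "R4": 1},
    "R3": {"R1": 5, "R4": 20},
    "R4": {"R2": 1, "R3": 20},
    "R5": {"R1": 1, "R4": 1},
}

def spf(lsdb, root, require_back_link=True):
    """Dijkstra over the database; returns (distance map, predecessor map)."""
    dist, prev, visited = {root: 0}, {}, set()
    heap = [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in visited:
            continue                      # stale heap entry
        visited.add(v)                    # v is now "marked visited"
        for w, cost in lsdb.get(v, {}).items():
            if w in visited:
                continue
            # OSPF's two-way check: skip the link unless w's own
            # advertisement exists and points back at v.
            if require_back_link and v not in lsdb.get(w, {}):
                continue
            if d + cost < dist.get(w, float("inf")):
                dist[w], prev[w] = d + cost, v
                heapq.heappush(heap, (d + cost, w))
    return dist, prev

def shortest_path(lsdb, root, dst, require_back_link=True):
    """Return (total cost, list of hops) or (None, []) if unreachable."""
    dist, prev = spf(lsdb, root, require_back_link)
    if dst not in dist:
        return None, []
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return dist[dst], hops[::-1]

if __name__ == "__main__":
    print("with two-way check:   ", shortest_path(LSDB, "R1", "R4"))
    print("without two-way check:", shortest_path(LSDB, "R1", "R4", False))
```

With the check in place the unconfirmed R5 to R4 link is ignored; without it, the false cost-1 link would attract the traffic.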
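
Slides 10 and 16 name the two conditions that let a hijacked route win (a more specific prefix, a shorter path) and prefix filtering as the countermeasure. The following added example, not from the presentation, shows route selection with and without a filter that checks the origin AS and the maximum accepted prefix length. The two AS numbers 36561 and 17557 are those on slide 8; the prefixes, the other AS numbers and the policy table are constructed.

```python
import ipaddress

# Constructed filter policy: (covering prefix, authorised origin AS, max length).
POLICY = [(ipaddress.ip_network("198.51.100.0/24"), 36561, 24)]

# Constructed announcements seen by one router: (prefix, AS path); origin is last.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64500, 36561]),    # legitimate origin
    ("198.51.100.128/25", [64501, 17557]),  # more specific, wrong origin
    ("198.51.100.0/24", [17557]),           # same length, shorter path, wrong origin
    ("203.0.113.0/24", [64502, 64503]),     # no policy entry covers this prefix
]

def validate(prefix, as_path, policy=POLICY):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [p for p in policy
                if p[0].version == net.version and p[0].supernet_of(net)]
    if not covering:
        return "not-found"
    for _, allowed_origin, max_len in covering:
        if origin == allowed_origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

def accepted(announcements):
    """Apply the filter: drop every announcement classified as invalid."""
    return [a for a in announcements if validate(*a) != "invalid"]

def best_route(dst, announcements):
    """Select the route for dst: longest prefix first, then shortest AS path."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), path) for p, path in announcements
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path[-1]   # (chosen prefix, origin AS)

if __name__ == "__main__":
    for dst in ("198.51.100.200", "198.51.100.10"):
        print(dst, "unfiltered:", best_route(dst, ANNOUNCEMENTS),
              "filtered:", best_route(dst, accepted(ANNOUNCEMENTS)))
```

Unfiltered, both destinations resolve to origin 17557 (one through the more specific /25, one through the shorter path); once invalid announcements are dropped, both resolve to origin 36561.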
