MikroTik BGP Security


The Biggest MUM in the World
MikroTik BGP Security
Rofiq Fauzi
Jogjakarta, Indonesia

About Rofiq Fauzi
- Using MikroTik (v.2.97) since 2005, as Network Engineer at WISP.
- 2007, Network & Wireless Engineer at INDOSAT Central Java Area
- 2008, IT Network & Telco Procurement at INDOSAT HQ
- 2012-Now, MikroTik Consultant & Certified Trainer (MTCNA, MTCRE, MTCTCE, MTCWE, MTCUME, MTCINE) at IDNetworkers (PT Integrasi Data Nusantara).
- 2013-Now, Network Manager at WISP Indomedianet, Indonesia
- 2013-Now, Network Consulting Engineer at Connexin Limited, Hull, UK
sia/indonesia

ID Networkers Training-mikrotik.com
Expert Trainer and Consultant

About ID-Networkers
EXPERT LEVEL TRAINERS & CONSULTANTS
In the Most Prestigious Networking Certification

OVERVIEW
We are young entrepreneurs, we are the only training partner & consultant who has expert level trainers in the most prestigious networking certifications, CCIE Guru, JNCIE Guru and MTCINE Guru, which are very limited in number in Indonesia and even Asia. Proven by the hundreds of our students who pass the certification exam every year. We are the biggest certification factory in Indonesia.

WEBSITE
www.id-networkers.com

About BGP
- BGP is one of many dynamic routing protocols
- The Internet is formed by BGP routing
- Designed to exchange routing and reachability information between autonomous systems (AS) on the Internet
- BGP also has the capability to carry information about diverse routed protocols (IPv4, IPv6, L2VPN, VPNv4)

Interior and Exterior Gateway Protocol
- Interior Gateway Protocol (IGP)
  Handles routing within an Autonomous System (one routing domain). It can be said that the IGP is routing that works on our proprietary network, where all routers belong to us.
- Exterior Gateway Protocol (EGP)
  Handles the routing between Autonomous Systems (inter-domain routing). It can be said that the EGP is routing between our networks and networks that are not ours.

Autonomous Systems (AS)
- An AS is a combination of networks and routers, usually under one ownership or control, that share a similar routing protocol.
- AS 16 bit, or use decimal (0 - 65535)
- Range 1 - 64511 used for Internet
- Range 64512 - 65535 used for private
- With 16-bit AS Numbers, only around 65,000 unique numbers are possible.
- The introduction of 32-bit ASNs increases the supply of AS Numbers to four billion.
- AS Number allocation is managed by IANA

BGP between AS in the Internet

IN BGP WE TRUST
Full trust between BGP peers is one of the weaknesses of the protocol.
- Mr Leak gives wrong information to Mr X
- Mr X gives right information, but it comes from the wrong source
- Wrong information will spread to all

The Internet’s Vulnerable Backbone

General Types of BGP Attacks
- Prefix Hijack
- Denial of service
- Creation of route instabilities (flapping)

Prefix Hijack
- Prefix hijacking is a misbehavior in which a misconfigured or malicious BGP router originates a route to an IP prefix it does not own.
- It is becoming an increasingly serious security problem in the Internet.

How Attackers Can Hijack BGP

Demo Topology (slide 15)

Demo
- Install GNS3. If you don't know how to install MikroTik on GNS3, follow our previous MUM presentation slide at: e topology (slide 15)
- Configure BGP peering between all AS; don't forget that AS 234 uses iBGP peering (mesh peering or route reflector)
- Create a loopback interface (bridge interface) on Router1 and Router6, and put IP 1.1.1.1/32 on both bridge interfaces.
- On Router6, in routing BGP network, advertise network 1.1.1.1/32
- Check in Router1: in IP route we can see prefix 1.1.1.1 with AS path 234,600, which means prefix 1.1.1.1/32 originated from 600
- On Router1, in routing BGP network, advertise network 1.1.1.1/32 too
- Check in Router1: in IP route we can see that prefix 1.1.1.1 will change its AS path to 234,100

DDOS Attack
- One of the denial of service (DDOS) attacks happens on the MikroTik router's Winbox service when the attacker continuously requests a part of a .dll/plugin file
- It raises the router's CPU to 100% and causes other actions. The "other actions" depend on the RouterOS version and the hardware. For example:
  - MikroTik Router v3.30: there was a LAN corruption, BGP fail, whole router failure
  - MikroTik Router v2.9.6: there was a BGP failure
  - MikroTik Router v4.13: unstable wifi links
  - MikroTik Router v5.14/5.15: rarely stacking
- Behaviour may vary most times, but ALL will have CPU 100%. Most routers lose BGP after a long-time attack
Ref: ik-server-side-ddos-attack/

Demo Attack
- Download testing script /04/mkDl.zip
- Extract it in your C folder
- Run in your Windows command prompt:
    C:\ mkDl.py RouterIPAddress * 1
- Watch your router CPU usage
Warning! This content and tool are for educational purposes only. I am not responsible for anything that might happen to you or your routers if you use it to DDOS your router, or for any damage or error it causes.

Defend BGP Attacks
- Good BGP Router Configuration
- Detect False Route Announcements
- RPKI

Good Router Configuration
Use routing filters to control prefix exchange between BGP peers.

In Filters
- Don't accept your own prefixes
- Don't accept RFC 1918 (private IP address) and other reserved ones (RFC 5735)
- Don't accept default route (unless you need it)
- Don't accept prefixes longer than /24
- Don't accept BOGONS prefixes
- Limit your Max Prefix
- Limit AS Path

Out Filters
- Announce only owned prefixes (in case you do not provide transit to other AS's)

Credit to Wardner Maia, ref: http://mdbrasil.com.br/en/downloads/1 Maia.pdf
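The in/out filter checklist above, written as an off-router policy check so a filter plan can be tested against sample announcements before it is applied. This is an added example, not code from the presentation; the own prefix (198.51.100.0/24), the AS-path limit of 16, the max-prefix value and the sample announcements are assumptions constructed for illustration, and only IPv4 is handled.

```python
import ipaddress

# Assumed local policy values (not from the slides).
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder for "our" prefix
MAX_AS_PATH = 16
# Subset of the RFC 1918 / RFC 5735 special-use IPv4 blocks.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

def check_inbound(prefix, as_path):
    """Apply the in-filter checklist to one IPv4 announcement."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return False, "default route"
    if any(net.subnet_of(own) for own in OWN_PREFIXES):
        return False, "own prefix"          # our prefix or a more-specific of it
    if any(net.subnet_of(r) for r in RESERVED):
        return False, "reserved/bogon"
    if net.prefixlen > 24:
        return False, "longer than /24"
    if len(as_path) > MAX_AS_PATH:
        return False, "AS path too long"
    return True, "ok"

def check_outbound(prefix):
    """Out filter: announce only prefixes we own (no transit)."""
    return ipaddress.ip_network(prefix) in OWN_PREFIXES

def filter_session(announcements, max_prefixes):
    """Filter one peer's announcements and flag a max-prefix breach."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        ok, reason = check_inbound(prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected, len(announcements) > max_prefixes

# Constructed sample announcements: (prefix, AS path as received).
SAMPLE = [
    ("0.0.0.0/0", [234]),
    ("198.51.100.0/25", [234, 600]),
    ("10.20.0.0/16", [234]),
    ("1.1.1.1/32", [234, 600]),          # the demo's /32
    ("1.1.1.0/24", [234, 600]),
    ("1.0.0.0/24", [234] + [600] * 30),
]

if __name__ == "__main__":
    accepted, rejected, over = filter_session(SAMPLE, max_prefixes=5)
    print("accepted:", accepted, "rejected:", rejected, "over limit:", over)
```

With the "longer than /24" rule in place, the /32 announced in the demo is discarded regardless of which AS originates it.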

MikroTik Routing Filter
ng filters
- Easy way to manage and filter received and propagated prefixes in MikroTik RouterOS.
- Easy way to set any routing parameters
- Uses the IP firewall filter algorithm (if-then condition)
- Can be assigned in the BGP instance (out-filter only) and in BGP peering (in and out filter)

Detect False Route Announcements
https://stat.ripe.net/widget/bgplay

Detect Route Flapping
Detect routing table size:

    # Run the check every 5 minutes, starting at boot
    /system scheduler
    add interval=5m name=schedule1 on-event=detect-route start-time=startup
    # Count the routes and log an error when the table is larger than the threshold
    /system script
    add name=detect-route source=":local routeSize [/ip route print count-only]; :if (\$routeSize > 5400000) do={/log error \"Your routing table is \$routeSize, Routing table abnormal\"} else={/log warning \"Your routing table size is \$routeSize, normal!\"}"

RPKI (Resource Public Key Infrastructure)
http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
- RPKI is a first step to secure BGP
- It allows certifying (and verifying) that a prefix is advertised by the original AS (in other words, that an IP points to its legitimate owner)
- Not yet supported by MikroTik RouterOS 6
- Will be included in RouterOS V7?
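The check RPKI makes possible, route origin validation as defined in RFC 6811, applied to the demo's prefix as a script that runs off the router. This is an added example, not code from the presentation; the ROA table and the route list are constructed, with the demo's 1.1.1.1/32 assumed to be authorised for AS 600.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
ROAS = [
    ("1.1.1.1/32", 32, 600),    # the demo prefix, legitimately originated by AS 600
    ("192.0.2.0/24", 24, 600),  # documentation prefix, no more-specifics allowed
]

def validate_origin(prefix, as_path, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # the last AS in the path originated the route
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue              # this ROA does not cover the announcement
        covered = True
        if net.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def find_invalid(routes, roas=ROAS):
    """Return the routes an operator should alert on or discard."""
    return [(p, path) for p, path in routes
            if validate_origin(p, path, roas) == "invalid"]

# Constructed routing-table sample: (prefix, AS path).
ROUTES = [
    ("1.1.1.1/32", [234, 600]),      # path seen before the hijack in the demo
    ("1.1.1.1/32", [234, 100]),      # path seen after Router1 announces the prefix
    ("192.0.2.128/25", [234, 600]),  # right origin, but longer than maxLength
    ("198.51.100.0/24", [234, 500]), # no covering ROA
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, path, validate_origin(prefix, path))
```

Origin validation looks only at the last AS in the path and does not verify the rest of it, which is consistent with the slide calling RPKI a first step.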

If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.

CONTACT
ADDRESS: Jakarta & Semarang, Indonesia
WEBSITE: www.training-mikrotik.com
EMAIL: ropix@id-networkers.com
TELEPHONE: 62 8156583545
@mymikrotik
/rofiq.fauzi

THANK YOU FOR YOUR

“If you cannot survive in the tired of learning, then you will be suffering by the pain of stupidity” (Imam Syafi’i)
