The Biggest MUM in the World
MikroTik BGP Security
Rofiq Fauzi, Jogjakarta, Indonesia
About Rofiq Fauzi
- Using MikroTik (v2.97) since 2005, as Network Engineer at a WISP
- 2007, Network & Wireless Engineer at INDOSAT, Central Java Area
- 2008, IT Network & Telco Procurement at INDOSAT HQ
- 2012-now, MikroTik Consultant & Certified Trainer (MTCNA, MTCRE, MTCTCE, MTCWE, MTCUME, MTCINE) at ID-Networkers (PT Integrasi Data Nusantara)
- 2013-now, Network Manager at WISP Indomedianet, Indonesia
- 2013-now, Network Consulting Engineer at Connexin Limited, Hull, UK
ID Networkers | training-mikrotik.com | Expert Trainer and Consultant
About ID-Networkers
Expert-level trainers & consultants in the most prestigious networking certifications.
Overview: We are young entrepreneurs, and the only training partner & consultant with expert-level trainers in the most prestigious networking certifications (CCIE, JNCIE and MTCINE), of whom there are very few in Indonesia or even in Asia. Hundreds of our students pass their certification exams every year; we are the biggest certification factory in Indonesia.
Website: www.id-networkers.com
About BGP
- BGP is one of many dynamic routing protocols
- The Internet is formed by BGP routing
- Designed to exchange routing and reachability information between autonomous systems (AS) on the Internet
- BGP can also carry information about diverse routed protocols through its address families (IPv4, IPv6, L2VPN, VPNv4)
Interior and Exterior Gateway Protocol (diagram)
Interior and Exterior Gateway Protocol
- Interior Gateway Protocol (IGP): handles routing within an Autonomous System (one routing domain). Put simply, an IGP runs inside our own network, where all routers belong to us.
- Exterior Gateway Protocol (EGP): handles routing between Autonomous Systems (inter-domain routing). Put simply, an EGP routes between our network and networks that are not ours.
Autonomous Systems (AS)
- An AS is a collection of networks and routers, usually under one ownership or administrative control, that share a common routing policy
- AS numbers were originally 16 bit, written in decimal (0-65535)
  - 1-64511 are assigned for use on the Internet (a few sub-ranges, such as 64496-64511 for documentation and 23456 as AS_TRANS, are reserved by the IETF)
  - 64512-65535 are private and must not leak to the Internet (RouterOS can strip them from outgoing paths with remove-private-as=yes on the peer)
- With 16-bit AS numbers only around 65,000 unique numbers are possible; the introduction of 32-bit ASNs increases the supply to about four billion
- AS number allocation is managed by IANA, which delegates blocks to the regional Internet registries (RIRs)
BGP between ASes in the Internet (diagram)
In BGP We Trust
- Full trust between BGP peers is one of the weaknesses of the protocol
- Diagram: "Mr Leak" gives wrong information to "Mr X"; Mr X passes on what looks like right information, but it came from the wrong source
- Wrong information will spread to all: every router that accepts the announcement re-advertises it to its own peers, and nothing in the protocol itself checks whether the originator is entitled to the prefix
The Internet's Vulnerable Backbone (diagram)
General Types of BGP Attacks
- Prefix hijack
- Denial of service
- Creation of route instabilities (flapping)
Prefix Hijack
- Prefix hijacking is a misbehaviour in which a misconfigured or malicious BGP router originates a route to an IP prefix it does not own. Announcing a more specific of the victim's prefix is the most effective form, because longest-prefix match prefers it over the legitimate announcement regardless of AS path length.
- It is becoming an increasingly serious security problem on the Internet
How Attackers Can Hijack BGP (diagrams, two slides)
Demo Topology (diagram; from the demo steps: Router1 in AS 100, Router6 in AS 600, AS 234 in between running iBGP)
Demo
1. Install GNS3. If you do not know how to install MikroTik on GNS3, follow our previous MUM presentation slides.
2. Build the topology (slide 15).
3. Configure BGP peering between all ASes. Do not forget that inside AS 234 the peers use iBGP (full mesh or a route reflector).
4. Create a loopback interface (a bridge interface) on Router1 and Router6, and put the IP 1.1.1.1/32 on both bridge interfaces.
5. On Router6, in Routing > BGP > Networks, advertise the network 1.1.1.1/32.
6. Check on Router1: in IP > Routes we can see prefix 1.1.1.1/32 with AS path 234,600, which means the prefix originated from AS 600.
7. On Router1, in Routing > BGP > Networks, advertise the network 1.1.1.1/32 too.
8. Check again on Router1: the AS path for prefix 1.1.1.1/32 changes to 234,100.
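The demo above written out as RouterOS v6 commands, added here as an example; it is not part of the original slides. The topology on slide 15 is a figure, so the link addresses (10.0.46.0/30, 10.0.12.0/30), the router IDs and the choice of Router2 as the AS 234 border router used for the observation are assumptions; only the ASNs (100, 234, 600) and the 1.1.1.1/32 loopback come from the demo steps.

```routeros
# --- Router6 (AS 600): the legitimate origin of 1.1.1.1/32 ---
/interface bridge add name=loopback
/ip address add address=1.1.1.1/32 interface=loopback
/routing bgp instance set default as=600 router-id=10.0.46.6
# assumed link 10.0.46.0/30 towards AS 234 (Router4)
/routing bgp peer add name=to-as234 remote-address=10.0.46.4 remote-as=234
/routing bgp network add network=1.1.1.1/32 synchronize=no

# --- Router1 (AS 100): the hijacker ---
/interface bridge add name=loopback
/ip address add address=1.1.1.1/32 interface=loopback
/routing bgp instance set default as=100 router-id=10.0.12.1
# assumed link 10.0.12.0/30 towards AS 234 (Router2)
/routing bgp peer add name=to-as234 remote-address=10.0.12.2 remote-as=234

# Before the hijack, on Router2 (assumed AS 234 border router) the prefix is
# learned through iBGP with AS path "600":
/ip route print detail where dst-address=1.1.1.1/32

# The hijack: Router1 originates the same prefix. Nothing in AS 234 checks
# whether AS 100 is allowed to originate it, so the announcement is accepted.
/routing bgp network add network=1.1.1.1/32 synchronize=no
/routing bgp advertisements print peer=to-as234

# After the hijack, on Router2 the same prefix shows AS path "100". Both paths
# are one AS long; the route from AS 100 wins because the BGP decision process
# prefers eBGP-learned routes over iBGP-learned ones, so AS 234 now forwards
# traffic for 1.1.1.1 to the hijacker.
/ip route print detail where dst-address=1.1.1.1/32
```

On Router1 itself the hijacked prefix never becomes the active BGP route, because the connected route on the loopback bridge (distance 0) already beats any BGP route (distance 20); the interesting view is always on the routers between the two origins.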
DDoS Attack
- One denial-of-service attack hits the winbox service of a MikroTik router: the attacker continuously requests a part of a .dll/plugin file.
- It raises the router's CPU to 100%, plus "other actions" that depend on the RouterOS version and the hardware. For example:
  - RouterOS v3.30: LAN corruption, BGP failure, whole-router failure
  - RouterOS v2.9.6: BGP failure
  - RouterOS v4.13: unstable wifi links
  - RouterOS v5.14/5.15: occasional hangs
- Behaviour varies, but ALL versions go to 100% CPU. Most routers lose BGP after a long attack: a router too busy to send keepalives lets the peer's hold timer expire, and the session is torn down.
- Practical mitigation: restrict the winbox service to management addresses (/ip service set winbox address=<management range>) and drop TCP port 8291 from everywhere else in /ip firewall filter, so the attack can only be launched from inside.
- Ref: ik-server-side-ddos-attack/
Demo Attack
- Download the testing script: /04/mkDl.zip
- Extract it in your C:\ folder
- Run it in your Windows command prompt:
    C:\> mkDl.py RouterIPAddress * 1
- Watch your router's CPU usage
Warning! This content and tool are for educational purposes only. I am not responsible for anything that might happen to you or your routers if you use it to DDoS your router, or for any damage or error it causes.
Defend Against BGP Attacks
- Good BGP router configuration
- Detect false route announcements
- RPKI
Good Router Configuration
Use routing filters to control the prefixes exchanged with each BGP peer.
In filters:
- Don't accept your own prefixes (or more specifics of them)
- Don't accept RFC 1918 (private IP address) space and the other reserved ranges (RFC 5735)
- Don't accept a default route (unless you need it)
- Don't accept prefixes longer than /24
- Don't accept bogon prefixes
- Limit your maximum number of prefixes (max-prefix-limit), so a peer that leaks a full table tears down the session instead of exhausting your memory
- Limit the AS path length
Out filters:
- Announce only owned prefixes (in case you do not provide transit to other ASes)
Credit to Wardner Maia, ref: http://mdbrasil.com.br/en/downloads/1 Maia.pdf
MikroTik Routing Filter
- An easy way to manage and filter received and propagated prefixes in MikroTik RouterOS
- An easy way to set any routing parameter (local preference, MED, communities, AS path prepend)
- Uses the same algorithm as the IP firewall filter (if-then conditions, evaluated top down in a chain; the first matching rule with a terminating action decides)
- Can be assigned in the BGP instance (out-filter only) and on the BGP peer (in and out filter)
MikroTik Routing Filter (screenshot of the routing filter configuration)
Detect False Route Announcements
- Use an external vantage point such as RIPEstat BGPlay (https://stat.ripe.net/widget/bgplay), which replays how the origin AS and the AS paths of a prefix changed over time as seen by the RIS route collectors
- Your own router only sees the announcements that reach it, so a hijack that is accepted elsewhere in the Internet may be invisible from your routing table
Detect Route Flapping
Detect the routing table size: run a script every five minutes that logs an error when the table is larger than expected (a sudden jump usually means a leak or a flood of more specifics).

    /system scheduler
    add name=schedule1 interval=5m start-time=startup on-event=detect-route
    /system script
    add name=detect-route

    (source of the script detect-route, as entered in System > Scripts:)
    # threshold in routes; tune it to your expected table size
    :local limit 540000
    :local routeSize [/ip route print count-only]
    :if ($routeSize > $limit) do={
        /log error "Your routing table is $routeSize, routing table abnormal"
    } else={
        /log warning "Your routing table size is $routeSize, normal!"
    }
Detect Route Flapping (screenshot of the script and scheduler)
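A companion script, added here as an example and not part of the slides, that raises an alarm from the router's own point of view when our prefix, or any more specific of it, shows up in the table learned through BGP from someone else. Assumed: our prefix is 203.0.113.0/24 (placeholder), the script is named detect-hijack and is run from the scheduler like detect-route above. It only covers hijacks that reach this router, so it complements BGPlay rather than replacing it.

```routeros
# Source of the script "detect-hijack", as entered in System > Scripts.
# Assumed placeholder: our own prefix is 203.0.113.0/24.
:local ownPrefix 203.0.113.0/24

# Any BGP-learned route inside our own prefix has a foreign origin: a route
# we originate never comes back to us through BGP (our AS would be in the
# path and loop detection drops it), so whatever matches here is a leak or a
# hijack. Routes with an empty AS path are iBGP routes originated in our own
# AS and are excluded.
:local hits [/ip route find where dst-address in $ownPrefix and bgp-as-path!=""]

:if ([:len $hits] = 0) do={
    /log info "hijack check: no foreign announcement for $ownPrefix seen"
} else={
    :foreach r in=$hits do={
        :local dst [/ip route get $r dst-address]
        :local path [/ip route get $r bgp-as-path]
        :local from [/ip route get $r received-from]
        /log error "possible hijack: $dst learned from $from with AS path $path"
    }
}
```

Schedule it with /system scheduler add name=hijack-check interval=5m start-time=startup on-event=detect-hijack. If your in-filter already discards your own prefix (as on the previous slides) the script will normally stay silent; it is the safety net for the day a filter is removed or a new peer is added without one.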
RPKI (Resource Public Key Infrastructure)
http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
- RPKI is a first step towards securing BGP
- It allows the holder of a prefix to certify (and routers to verify) that the prefix is advertised by its legitimate origin AS, in other words that an IP points to its legitimate owner; the signed statement is a Route Origin Authorisation (ROA)
- Caveat: origin validation checks only the origin AS, not the whole path, so a hijacker who prepends the legitimate origin AS to the path still passes
- Not yet supported by MikroTik RouterOS 6
- Will it be included in RouterOS v7?
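RouterOS v7 did later add an RTR client for RPKI origin validation. The configuration below is an added example (not from the slides) in RouterOS v7 syntax, which differs from the v6 commands used elsewhere in this deck; it assumes an RPKI validator with an RTR server (for example Routinator or rpki-client) reachable at 192.0.2.10 port 8282 and a peer connection named to-as234, and should be checked against the manual of the version you run.

```routeros
# RouterOS v7 only. Assumed: RTR server at 192.0.2.10:8282 (placeholder).
/routing/rpki add group=rpki-upstream address=192.0.2.10 port=8282

# v7 routing filter rules for received routes: validate the origin against
# the RTR cache, reject ROA-invalid routes, de-prefer routes that have no
# ROA at all (unknown), and accept the rest.
/routing/filter/rule
add chain=bgp-in rule="rpki-verify rpki-upstream; if (rpki invalid) { reject }"
add chain=bgp-in rule="if (rpki unknown) { set bgp-local-pref 50 }"
add chain=bgp-in rule="accept"

# Attach the chain to the eBGP connection.
/routing/bgp/connection set [find name=to-as234] input.filter=bgp-in
```

In the demo topology, a ROA for 1.1.1.1/32 naming AS 600 would make AS 234 drop the announcement from AS 100 as invalid, which is exactly the check the slides note was missing in RouterOS 6. Rejecting only invalid routes, not unknown ones, matters: most of the Internet had no ROAs at the time, and dropping unknown routes would blackhole it.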
Thank You
If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.
Contact
- Address: Jakarta & Semarang, Indonesia
- Website: www.training-mikrotik.com
- Email: ropix@id-networkers.com
- Telephone: +62 8156583545
- Social: @mymikrotik, /rofiq.fauzi
"If you cannot survive the tiredness of learning, then you will suffer the pain of stupidity" (Imam Syafi'i)