BGP Security Best Practices
The Border Gateway Protocol (BGP) is the routing protocol used to exchange reachability information between autonomous systems (ASes): it is how ISPs and other large networks tell each other which prefixes they can reach and by which path. The long and short of it is that it is the glue that holds the Internet together.
At the end of August 2023 a serious flaw in the way several BGP implementations handle malformed path attributes was disclosed. It can be exploited to cause prolonged Internet outages, yet some vendors have decided not to patch it.
How serious is this flaw?
Ben Cartwright-Cox, the owner of BGP.tools, found that a BGP UPDATE message carrying a corrupted optional transitive path attribute is forwarded unharmed by every router that does not recognise that attribute type (RFC 4271 tells a router to pass unknown optional transitive attributes along unchanged). When the UPDATE reaches an implementation that does parse the attribute, the corruption triggers an error and the router tears down the BGP session with the peer that sent it. If that session is the one carrying the network's Internet connectivity, the network drops off the Internet.
“With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that ‘travels’ along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet. This attack is not even a one-off ‘hit-and-run’, as the ‘bad’ route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages.” —Cartwright-Cox
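The propagation behaviour described above, as an added example that is not code from the original article, from BGP.tools or from any vendor. It walks the path attributes of a constructed BGP UPDATE and models three kinds of router: one that does not know the attribute (forwards it untouched), one that parses it and resets the session on a malformed value (the pre-RFC 7606 behaviour), and one that applies RFC 7606 treat-as-withdraw and only drops the affected routes. The attribute type code 254, its 4-byte validity rule and all prefixes and AS numbers are assumptions made for the demonstration; the real attribute codes from the 2023 research are not reproduced here.

```python
import struct

# Path-attribute flag bits (RFC 4271 section 4.3)
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
# Assumption: a made-up optional transitive attribute standing in for the one
# that only some vendors parse (254 is in the range reserved for development).
HYPOTHETICAL_ATTR = 254


def attr(flags, code, value):
    """Encode one path attribute, using the extended-length form when needed."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | EXT_LEN, code, len(value)) + value
    return struct.pack("!BBB", flags, code, len(value)) + value


def update(attrs, nlri):
    """Encode a BGP UPDATE body: no withdrawn routes, path attributes, then NLRI."""
    body = b"".join(attrs)
    return struct.pack("!HH", 0, len(body)) + body + nlri


def iter_attrs(blob):
    """Yield (flags, code, value) for each attribute in a path-attribute blob."""
    i = 0
    while i < len(blob):
        flags, code = blob[i], blob[i + 1]
        if flags & EXT_LEN:
            (length,) = struct.unpack_from("!H", blob, i + 2)
            i += 4
        else:
            length, i = blob[i + 2], i + 3
        yield flags, code, blob[i:i + length]
        i += length


def check_hypothetical(value):
    """Constructed validity rule for the made-up attribute: exactly 4 bytes."""
    return len(value) == 4


def process(update_body, knows_attr, rfc7606):
    """Model one router's handling of an UPDATE.
    knows_attr: this implementation parses HYPOTHETICAL_ATTR.
    rfc7606:    it uses treat-as-withdraw instead of a session reset.
    Returns "propagate", "treat-as-withdraw" or "session-reset"."""
    (wlen,) = struct.unpack_from("!H", update_body, 0)
    (alen,) = struct.unpack_from("!H", update_body, 2 + wlen)
    attrs = update_body[4 + wlen:4 + wlen + alen]
    for flags, code, value in iter_attrs(attrs):
        if code != HYPOTHETICAL_ATTR:
            continue
        if not knows_attr:
            # Unknown optional transitive attribute: RFC 4271 says forward it
            # unchanged, so the corrupted bytes ride along to the next hop.
            assert (flags & OPTIONAL) and (flags & TRANSITIVE)
            continue
        if not check_hypothetical(value):
            return "treat-as-withdraw" if rfc7606 else "session-reset"
    return "propagate"


def walk_path(update_body, routers):
    """Push the UPDATE through (name, knows_attr, rfc7606) routers until one
    stops propagating it; returns the trail of (name, outcome)."""
    trail = []
    for name, knows, r7606 in routers:
        outcome = process(update_body, knows, r7606)
        trail.append((name, outcome))
        if outcome != "propagate":
            break
    return trail


# Constructed sample UPDATE for 203.0.113.0/24 via AS64500 AS64501 (2-byte ASNs).
AS_PATH_VAL = bytes([2, 2]) + struct.pack("!HH", 64500, 64501)  # AS_SEQUENCE, 2 ASNs
COMMON = [
    attr(TRANSITIVE, ORIGIN, b"\x00"),
    attr(TRANSITIVE, AS_PATH, AS_PATH_VAL),
    attr(TRANSITIVE, NEXT_HOP, bytes([192, 0, 2, 1])),
]
NLRI = bytes([24, 203, 0, 113])
GOOD = update(COMMON + [attr(OPTIONAL | TRANSITIVE, HYPOTHETICAL_ATTR, b"\x00\x00\x00\x01")], NLRI)
BAD = update(COMMON + [attr(OPTIONAL | TRANSITIVE, HYPOTHETICAL_ATTR, b"\x00\x01")], NLRI)

# Two transit routers that ignore the attribute, then a victim that parses it.
CHAIN_STRICT = [("transit-A", False, False), ("transit-B", False, False), ("victim", True, False)]
CHAIN_RFC7606 = [("transit-A", False, False), ("transit-B", False, False), ("victim", True, True)]

if __name__ == "__main__":
    print(walk_path(BAD, CHAIN_STRICT))   # victim resets the session
    print(walk_path(BAD, CHAIN_RFC7606))  # victim drops the route, keeps the session
```

Note that `walk_path` stops at the first router that does not propagate: in the strict chain that router has just reset its session, and because the upstream still holds the route, the same outcome repeats on every reconnect, which is exactly the prolonged-outage property quoted above.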
What vendors are affected by this flaw?
MikroTik, Ubiquiti, Arista, Huawei, Cisco and Bird were found not to be affected. Some big names in the industry, however, are: Juniper's JunOS, Nokia's SR-OS, Extreme Networks' EXOS, OpenBSD's OpenBGPd and FRRouting. The interesting part is that only OpenBSD has so far shipped a fix (CVE-2023-38283). Juniper and FRRouting have published CVE identifiers CVE-2023-4481 and CVE-2023-38802 respectively, and Juniper has since sent its customers an advisory announcing the availability of patched releases. Neither Nokia nor Extreme Networks plans to address the issue through a patch; Nokia's position is that SR-OS already has a command capable of addressing it. More information can be found in the Nokia Information Center.
What other BGP security risks are there?
BGP is a complex protocol, and it was designed for a world in which peers trusted one another. The main risks beyond the flaw above are:
BGP hijacking: an AS announces prefixes it is not authorised to originate, or more-specific prefixes of someone else's address space, so that other networks prefer its announcement. No router compromise is needed; any network with a BGP session into the Internet can do this, by mistake (a route leak) or on purpose. Traffic for the victim's prefixes is then routed to the hijacker's network instead of the intended destination.
BGP spoofing: an attacker who cannot join the session injects forged TCP segments with the source address of a legitimate peer, for example to slip a fake UPDATE into an unauthenticated session or to reset it. This is why peering sessions need authentication and TTL-based protection rather than IP-address checks alone.
BGP session hijacking: an attacker takes over an existing BGP session between two routers, whether by TCP session takeover, by compromising one of the routers, or by sitting on the path between them. The attacker can then alter the routing information exchanged over the session or tear it down altogether.
Best practices for mitigating BGP security issues
There are a number of best practices that can be used to mitigate the security risks associated with BGP. These best practices include:
Use strong authentication: authenticate every BGP session. The traditional mechanism is the TCP MD5 signature option (RFC 2385); where both ends support it, prefer TCP-AO (RFC 5925), which supports HMAC-SHA-1 and AES-128-CMAC and allows key rollover without dropping the session. Pair this with GTSM/TTL security (RFC 5082) so that packets not originating from the directly connected peer are discarded.
Filter routes: BGP lets you control which routes you accept from, and send to, each neighbour. Apply inbound prefix-lists built from IRR data or from what the peer has agreed to announce, reject bogons and over-specific prefixes (longer than /24 for IPv4, /48 for IPv6), set a maximum-prefix limit per session, and validate the origin AS against RPKI ROAs (Route Origin Validation, RFC 6811) so that RPKI-invalid announcements are dropped. Filter outbound too, so that your own network cannot leak routes.
Monitor BGP activity: watch your own prefixes from the outside (route collectors and alerting services such as BGP.tools or RIPE RIS) as well as from your routers, and alert on unexpected origin-AS or AS-path changes, new more-specific announcements of your space, and session resets or flapping.
Keep your software up to date: BGP implementations receive security fixes regularly, and the flaw discussed above is a case where only patched (or correctly configured) versions are safe. Where your platform offers RFC 7606 revised error handling (treat-as-withdraw), enable it so that a malformed attribute drops the affected routes rather than the whole session.
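The inbound filtering policy described above, as an added example that is not code from the original article or from any router vendor. It implements a bogon check, a prefix-length limit, a maximum-prefix limit and RFC 6811 Route Origin Validation against a small ROA table, then runs a batch of announcements through the policy. The ROA table, prefixes, AS numbers and limits are all constructed sample data (documentation address ranges and private ASNs), not real routing-table contents.

```python
import ipaddress

# Constructed ROA table: (covering prefix, maxLength, authorised origin AS)
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]

# A few entries of the usual bogon list (never accept from an eBGP peer)
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]


def _covered_by(net, container):
    """True if net lies inside container (same address family only)."""
    return net.version == container.version and net.subnet_of(container)


def rov_state(prefix, origin_as):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if _covered_by(net, r[0])]
    if not covering:
        return "notfound"
    for _roa_prefix, max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered by a ROA, but no ROA authorises this origin/length


def accept(prefix, as_path, accepted_so_far, max_prefixes=10, max_len=24):
    """Inbound policy for one announcement; returns (decision, reason)."""
    net = ipaddress.ip_network(prefix)
    if any(_covered_by(net, b) for b in BOGONS):
        return ("reject", "bogon")
    if net.prefixlen > max_len:
        return ("reject", "too-specific")
    if accepted_so_far >= max_prefixes:
        # A real router would tear the session down or stop accepting here.
        return ("reject", "max-prefix")
    state = rov_state(net, as_path[-1])  # origin AS is the last AS in the path
    if state == "invalid":
        return ("reject", "rpki-invalid")
    return ("accept", state)


def apply_policy(announcements, **limits):
    """Run the policy over (prefix, as_path) pairs; returns (prefix, decision, reason)."""
    results, accepted = [], 0
    for prefix, path in announcements:
        decision, reason = accept(prefix, path, accepted, **limits)
        accepted += decision == "accept"
        results.append((prefix, decision, reason))
    return results


# Constructed announcements from a peer (prefix, AS_PATH as seen by us)
SAMPLE = [
    ("203.0.113.0/24", [64496, 64500]),   # origin and length match the ROA
    ("203.0.113.0/25", [64496, 64500]),   # more specific than we allow
    ("203.0.113.0/24", [64496, 64502]),   # wrong origin: a hijack of the ROA'd space
    ("198.51.100.0/23", [64497, 64501]),  # within the /22 ROA's maxLength 24
    ("192.0.2.0/24", [64496, 64503]),     # no ROA at all
    ("10.0.0.0/8", [64496, 64504]),       # bogon
]

if __name__ == "__main__":
    for row in apply_policy(SAMPLE):
        print(*row)
```

The order of the checks matters: cheap structural checks (bogon, length, prefix count) run before origin validation, and an announcement that is merely `notfound` is still accepted, because most of the Internet's prefixes have no ROA yet and dropping them would be an outage of your own making.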
By following these best practices, you can help to protect your network from the security risks associated with BGP. In addition to the above, here are some other best practices that you can follow to improve the security of your BGP network:
Use a secure network infrastructure: keep your BGP routers in physically secured locations, and put their management interfaces on a dedicated, access-controlled network.
Use infrastructure ACLs or a firewall to protect your BGP routers from unauthorised access: allow TCP port 179 only from the addresses of known peers, and restrict management protocols to your management network.
Use intrusion detection and prevention systems (IDS/IPS) to monitor your BGP network for suspicious activity, such as connection attempts to port 179 from unknown sources or unexpected NOTIFICATION messages.
Train your staff on BGP security best practices.
Conduct regular audits on your BGP network.
By following these best practices, you can help to protect your BGP network from a variety of security threats.
How do I get help?
Head on over to our Contact page and send us a message; we can help you assess your exposure to this vulnerability and harden your BGP setup. Don’t leave your network open to attack: contact us today!