If a Bad Guy launches an attack against a routing protocol in your network, the attack is almost certainly going to be against EBGP. After all, that’s the protocol that’s running at the edge of your network, and therefore the protocol that is most readily accessible to an attacker.
This is why, as I wrote a few posts ago, it’s essential that you authenticate every EBGP session, and use a separate password for every neighbor. But while authentication can prevent an attacker from connecting to your BGP port (TCP port 179), there are other approaches he can take: By flooding packets at the BGP port, causing a tremendous number of authentication failures over a short period of time, the attacker can cause your router’s CPU to spike; this can cause the legitimate BGP connection at the target interface to fail, or can cause the entire BGP process to fail, or can even cause a complete system crash.
There’s a TTL hack you can use, based on the Generalized TTL Security Mechanism (GTSM, RFC 3682), to reduce your vulnerability to such DoS attacks against BGP. To understand the hack, you have to first understand the default behavior of most BGP implementations. BGP sends packets to external neighbors with a TTL of 1 and accepts packets from external neighbors with a TTL of 0 or higher (as measured after the local router has decremented the TTL of the incoming packet). The TTL of 1 in originated packets insures that your router cannot establish an EBGP session with a neighbor that is not directly connected.
But because your BGP process by default accepts packets with a TTL of 0 or higher, packets can be sent to it from many router hops away as long as their TTL is set high enough when originated.
The TTL hack changes this default behavior by having BGP originate packets with a TTL of 255 and accepting packets only with a TTL of 254 or higher. Again, the TTL value of 254 is measured after the local router has decremented the TTL of the received packet.
Now, even if an attacker originates packets with a maximum TTL of 255 the packets cannot get to your BGP if the attacker is not directly connected; a single router hop decrements the TTL of his packets to 254, and when the packets hit your router the TTL is decremented to 253, below the acceptable value, and are quietly discarded (that is, dropped without generating an ICMP error message).
You can configure this TTL hack in Cisco’s IOS with a simple configuration statement: neighbor neighbor-address ttl-security hops 254. The one statement causes both the quiet discard of incoming BGP packets with TTL values below 254 and the setting of the TTL value of outgoing packets to 255. Of course, if you require a received TTL value of 254 or higher you’ve got to be sure your neighbor is sending packets with a TTL of 255; so the configuration statement must be used on both neighbors.
Jeff Doyle is president of Jeff Doyle and Associates, an IP network consultancy. Jeff is the author of Routing TCP/IP, Volumes I (read an excerpt) and II and of OSPF and IS-IS: Choosing an IGP for Large-Scale Networks. He is a frequent speaker on IPv6, MPLS, and large-scale routing.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
|
|
great
Jeff,
Thats awesome information and a great tip!
Thanks!
Confusion in BGP TTL Security
Jeff, I am having a confusion in this.
(A)
|
|
(B)
|
|
(C)---------(D)
|
|
|
(E)
If Router A & D are e-bgp peers & router A wants to deploy GTSM, what I have understood is, A would set security ttl for D to 252, but what if router E is an attacker which originates BGP packets with TTL 255.
Thanks,
Akhtar
Re: Confusion in BGP TTL Security
Hi Akhtar,
In your scenario attacker E can indeed hit either A or D. Fortunately this kind of topology, running multihop EBGP over one or more intermediate routers, is rare. The most common use for multihop is when you want to balance your EBGP session over multiple equal-cost links between directly connected neighbors, so you run multihop EBGP between the neighbor’s loopback interfaces rather than default EBGP between physical links.
Your example is great for emphasizing two things about the TTL hack:
First, if you do need multihop EBGP and want to use the TTL hack, you use the neighbor ttl-security statement instead of the neighbor ebgp-multihop statement in your BGP configuration. The two statements are incompatible.
Second, as you correctly show, the hops value specifies the minimum acceptable TTL value for received packets, after local decrement. Originated packets always have a TTL of 255 when neighbor ttl-security is enabled. The IOS manuals are not very clear about this, and although I described the use of the specified value in my post your example does a good job of illustrating it. Thanks!
--Jeff
It's hop count not TTL!
The value after the neighbor ttl-security statement is actually the hop count, not the expected TTL value. See:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008020b982.html
Re: It's hop count
Yes, and I did make reference to the value being labeled as hops. So how are those hops determined? By looking at the TTL value.--Jeff
Parameter to 'neighbor ttl-security hops' command
I think Michael's point is that the example given in your original post, Jeff, is in error because a command of the form:
"neighbor neighbor-address ttl-security hops 254"
does not restrict the packet TTL to be 254 or more (as you had inferred), but rather, 1 or more (255 minus 254), rendering it ineffective as a security measure.
Another significance is that, interpreted this way, this command parameter is compatible with the last parameter one might otherwise specify in the command:
"neighbor nnn.nnn.nnn.nnn ebgp-multihop xxx"
(suggesting that someone on Cisco's IOS development team understands the importance of consistency - Thank you!!)
BTW, Jeff, I'm a HUGE fan of your books and often specify them as recommended references in my courses. :)
Cheers,
David
--
David Bray, CCNP, CCAI, Hons. B. Math
Coordinator/Curriculum Lead, Cisco Networking Academy
Program Coordinator/Professor, Bachelor of Information
Technology - Network Technology
Algonquin College
School of Advanced Technology,
Computer Studies
Ottawa, ON, Canada