
Border Gateway Protocol Security

BORDER GATEWAY PROTOCOL (BGP) SECURITY
(Vulnerabilities, Attacks, & Countermeasures)

Department of Computer Science
Montclair State University

Shweta Surati
Dr. Stefan Robila
May 7th, 2016


1. Abstract
The Border Gateway Protocol (BGP) is the most complex IP routing protocol
currently deployed in the Internet, and it is widely known to have several security
vulnerabilities. This is because BGP assumes that all autonomous systems (ASs), or
networks, are reliable and trustworthy, which makes it easy for a malicious router in an
AS to carry out attacks. The purpose of this paper is to explore the vulnerabilities of
BGP, the damage that can be caused by exploiting them, the types of attacks that could
take place, and the countermeasures that protect against those attacks.

2. Introduction
The Internet is a universal communication network made up of many smaller
interconnected networks, each consisting essentially of hosts and routers. There are many
paths in a network through which information can travel, and a routing protocol is used
to select the path that the information will take. BGP is an inter-domain routing protocol
that carries the latest information about the Internet needed to receive and transmit
traffic correctly. It is used to exchange routing information between autonomous systems
(ASs). Messages, referred to as packets, are transmitted to send and receive email, view
websites, and perform other Internet activities. These packets contain source and
destination addresses. The Internet changes continuously as new systems are added or
replaced and sometimes systems fail, so routing tables must be updated constantly. BGP
is the protocol that serves this purpose for the worldwide Internet. It updates routing
information based on packets that are continually exchanged between BGP routers on
the Internet. Some parts of the Internet may become unreachable if BGP fails.
BGP has no internal mechanisms to protect it against attacks that delete, modify,
forge, or replay data, and any of these attacks has the potential to disturb overall network
routing behavior. BGP has security vulnerabilities: it has no built-in authentication
mechanism to confirm that a message actually comes from the autonomous system shown
as its source. Most of the risks to BGP are accidental failures, but there is also a risk that
attackers could interrupt communications and disable parts or all of a network. The
limited security provided by BGP sometimes causes serious outages. Many routing
failures have only partial impact, but others may cause substantial damage.


Attackers can introduce false information into BGP and can snoop on traffic routed to
a legitimate destination, block access to certain sites, or impersonate a website to perform
identity theft. False routing information can affect routing behavior in different ways. It
can change the route to a network so that packets destined for that network are forwarded
along a path that will not deliver the traffic. These attacks can result in severe
communication failures. This document discusses the structure and function of BGP, its
vulnerabilities, possible attacks, and available countermeasures.

3. Border Gateway Protocol

Border Gateway Protocol (BGP) is used to exchange routing and reachability
information among autonomous systems (ASs) on the Internet. An autonomous system
(AS) is a network under the control of a single organization. BGP has been revised three
times, and BGP version 4 is currently in use on the Internet. When BGP runs between two
routers within the same AS it is called Internal BGP (IBGP), and when it runs between two
routers in different ASs it is called External BGP (EBGP).

Fig.1 Internal BGP and External BGP (Source: [7])


BGP uses a TCP connection to send routing updates, using TCP port 179. BGP peers
are configured manually on each router before the TCP session is created.
BGP uses a path-vector algorithm to build its routing information [2]. Under this
algorithm it tracks only the AS number of each AS through which a route passes, not the
individual routers inside that AS. AS numbers must be unique because BGP exchanges
route information for a given destination network by tracking the list of AS numbers and
associating it with the destination network. BGP checks that an AS number does not
appear in a route more than once in order to avoid routing loops.
A BGP router forwards a packet based only on the destination address carried in the IP
header of the packet. Update messages are used to exchange network layer reachability
information between BGP routers, and these messages are sent until the whole BGP table
has been exchanged. BGP uses Classless Inter-Domain Routing (CIDR) notation for an IP
address, i.e. A/n, where A is an IP address and n is the prefix length [2]. The prefix length
is a network mask giving the number of network bits. Network routing information can be
written as 211.120.0.0/17, where 211.120.0.0 is the IP prefix and /17 is the mask length.

Fig.2. Announcement of prefix 12.34.0.0/16 originating from the AS 4


In BGP every AS adds its own AS number at the beginning of the AS-path before
announcing the route to the next AS. An AS-path is the list of all ASs that a specific route
passes through to reach a destination. AS-paths are generated when an exterior BGP
router sends an announcement message that a new route is available. When a router
receives the route, it adds the neighbor's AS number to the AS_path, so the AS_path
grows longer as the route passes from one AS to another.
In Fig. 1 an AS-path is shown by listing its AS numbers. For AS4 to reach AS9, BGP
needs an AS-path containing the sequence of AS numbers that traces the actual path back
through the Internet to the originator of the network reachability information. There are
two paths from AS4 to AS9: the first has 4 steps and the second has 6. BGP selects only
the best path to the destination; as long as both paths are reachable, the route with the
fewest steps is likely to be the preferred one. Since the first path has only 4 hops, it would
be the preferred route.
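The path-vector behaviour described above (prepend one's own AS number when advertising, reject a route that already carries it, prefer the shorter AS-path), as an added Python example that is not part of the original paper. The prefix, the AS numbers and the two candidate paths are constructed for illustration and are not taken from the figure.

```python
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str       # destination in CIDR notation, e.g. "203.0.113.0/24"
    as_path: list     # AS numbers, nearest neighbour first, originating AS last


class BgpSpeaker:
    """Minimal path-vector speaker (constructed for illustration, not a real
    BGP implementation): loop check on receive, AS prepend on advertise,
    and a best-path choice that prefers the shortest AS_PATH."""

    def __init__(self, asn):
        self.asn = asn
        self.rib = {}     # prefix -> list of candidate Route objects

    def receive(self, route):
        """Install a route learned from a neighbour; returns False if rejected."""
        # Loop prevention: a path that already contains our own AS number has
        # already been through us, so installing it would create a routing loop.
        if self.asn in route.as_path:
            return False
        self.rib.setdefault(route.prefix, []).append(route)
        return True

    def best(self, prefix):
        """Pick the best candidate for a prefix: fewest ASs in the path wins.
        (Real BGP applies a longer decision process; path length is one step of it.)"""
        candidates = self.rib.get(prefix, [])
        if not candidates:
            return None
        return min(candidates, key=lambda r: len(r.as_path))

    def advertise(self, prefix):
        """Route as it would be announced to an EBGP neighbour: our AS number is
        prepended, so the AS_PATH grows by one at every AS boundary."""
        best = self.best(prefix)
        if best is None:
            return None
        return Route(best.prefix, [self.asn] + best.as_path)


def demo():
    # Constructed scenario: AS 4 learns one prefix originated by AS 9 over two
    # paths, one with 4 ASs and one with 6, and also sees a looped announcement.
    speaker = BgpSpeaker(4)
    prefix = "203.0.113.0/24"
    accepted = [
        speaker.receive(Route(prefix, [5, 6, 7, 9])),           # 4 steps
        speaker.receive(Route(prefix, [1, 2, 3, 6, 8, 9])),     # 6 steps
        speaker.receive(Route(prefix, [5, 4, 9])),              # contains AS 4: loop
    ]
    return {
        "accepted": accepted,
        "best_path": speaker.best(prefix).as_path,
        "advertised_path": speaker.advertise(prefix).as_path,
    }


if __name__ == "__main__":
    print(demo())
```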

4. Border Gateway Protocol Message Types

A BGP message has a fixed-size header. It holds a marker field, used for authentication
and synchronization, a length field that specifies the length of the packet, and a type field
that specifies the message type. The types of BGP messages are as follows:

i. Open Message

Open messages are exchanged between two BGP systems once a TCP connection has
been established between them, and the BGP connection is established when the open
messages have been exchanged. After that, BGP messages and data traffic can be
exchanged between the two systems. An open message contains the BGP header, the BGP
version, the local AS number, the BGP identifier, and the hold time.

Fig.3 Open Message Structure (Source: [7])


ii. Update Message

BGP systems send update messages that contain the actual route updates. These
messages are used to exchange network reachability information, which BGP systems use
to define the connections among all known autonomous systems. An update message is
composed of the following fields: unfeasible routes length, withdrawn routes, total path
attribute length, path attributes, and network layer reachability information.

Fig.4 Update Message Structure (Source: [7])

iii. Notification Message

Whenever an error condition is detected, a BGP system sends a notification message,
which leads to the termination of the BGP session and of the TCP connection between the
BGP systems. A notification message contains the BGP header together with the error
code and error message.

Fig.5 Notification Message Structure (Source: [7])

iv. Keepalive Message

This message type is used to keep the session running when there are no updates.
Keepalive messages are exchanged between BGP systems to let each other know that they
are up and running. When a BGP system fails to receive a keepalive message, it removes
all routes learned from that particular peer. This message consists of the BGP header only.
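A parser for the fixed-size header and for the Open message fields listed above, added here as a Python example (not code from the paper). It rejects a malformed marker, length or type the way a speaker treats a message header error, and every sample message it works on is constructed inline.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16          # all-ones marker; anything else means loss of sync
HEADER_LEN = 19                # 16-byte marker + 2-byte length + 1-byte type
MAX_MSG_LEN = 4096             # largest BGP message allowed on the wire
TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE = 1, 2, 3, 4


class MessageHeaderError(ValueError):
    """A header that fails validation; a real speaker would answer with a
    NOTIFICATION (Message Header Error) and tear the session down."""


def parse_header(data):
    """Validate the fixed header and return (type, body) for the first message."""
    if len(data) < HEADER_LEN:
        raise MessageHeaderError("truncated header")
    marker, length, mtype = struct.unpack("!16sHB", data[:HEADER_LEN])
    if marker != MARKER:
        raise MessageHeaderError("connection not synchronised: bad marker")
    if length < HEADER_LEN or length > MAX_MSG_LEN or length > len(data):
        raise MessageHeaderError("bad message length %d" % length)
    if mtype not in (TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE):
        raise MessageHeaderError("bad message type %d" % mtype)
    if mtype == TYPE_KEEPALIVE and length != HEADER_LEN:
        raise MessageHeaderError("KEEPALIVE must carry only the header")
    return mtype, data[HEADER_LEN:length]


def parse_open(body):
    """Decode the Open body: version, local AS, hold time, identifier, option length."""
    if len(body) < 10:
        raise ValueError("truncated OPEN")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError("unsupported BGP version %d" % version)
    if hold_time != 0 and hold_time < 3:      # 0 disables the timer; 1 and 2 are invalid
        raise ValueError("unacceptable hold time %d" % hold_time)
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length does not match body")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_len": opt_len}


def build_open(my_as, hold_time, bgp_id):
    """Construct a well-formed Open message (used here only to produce sample input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(ipaddress.IPv4Address(bgp_id)), 0)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), TYPE_OPEN) + body


def header_rejected(data):
    """True if the speaker would drop the session on this header."""
    try:
        parse_header(data)
        return False
    except MessageHeaderError:
        return True


if __name__ == "__main__":
    msg = build_open(65001, 90, "10.0.0.1")     # constructed sample, private AS number
    print(parse_header(msg)[0], parse_open(parse_header(msg)[1]))
    print(header_rejected(b"\x00" * 16 + b"\x00\x13\x04"))   # bad marker
```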


5. Vulnerabilities
BGP was developed at a time when security was not a serious issue for the Internet.
No mechanism has been specified within BGP to authenticate an AS, so a receiver cannot
ensure that a message actually comes from the AS shown as its source. BGP also has no
way to confirm the legitimacy of the path attributes announced by an AS or to check the
integrity of messages in peer-to-peer BGP communication. This results in a number of
vulnerabilities, despite extensions designed to shore up its security.

5.1 Vulnerabilities in BGP Messages

An attacker can use bogus BGP messages to interrupt BGP peer-to-peer connections.
Each message type presents certain vulnerabilities and risks [1].
Every BGP message begins with a message header. Any error in the message header
can lead to the termination of the connection: it can cause the BGP speaker to remove all
routes learned through that connection and return to the idle state. A message header
with errors could therefore cause interruptions in routing over a wide area [1].
After an open message has been sent, the connection enters the OpenConfirm state. If
another open message arrives in this state, the BGP speaker concludes that a connection
collision has occurred. An attacker can spoof an open message so that the later arrival of
the authentic peer's open message leads the BGP speaker to declare a connection
collision. Because of this collision detection technique the authentic connection may be
dropped, and the BGP speaker returns to the idle state [1].

5.2 Vulnerabilities in Attributes of the Update Message

i. Unfeasible Routes Length

An attacker can modify this length, which results in an update message error [1]
because the message can no longer be parsed properly. When this error occurs, a
notification message is transmitted and the BGP connection is closed.

ii. Withdrawn Routes

This field carries information about routes that are withdrawn by the BGP neighbor. By
modifying the withdrawn routes field, an attacker can cause the deletion of existing
genuine routes. Replaying withdrawn-routes information from earlier packets could also
lead to the deletion of routes that have since been re-established.

iii. Path Attributes

A path attribute is a variable-length triple consisting of Attribute Flags, Attribute
Type Code, and Attribute Length. One or more path attributes are used to describe a
route. Modification of this field leads to an update message error [1], which results in the
closing of the BGP connection.

Origin

This is a well-known mandatory attribute, meaning that it must be included in every
update message [6]. This field describes the AS in which the route originated. Modifying
this field can affect the routing decision of the receiving BGP speaker.

AS_Path

This attribute is the list of all ASs that a specific route passes through to reach a
destination, and it is used to prevent routing loops [6]. An attacker can announce an
incorrect AS_Path, which may result in routing loops.

Next_Hop

This attribute contains the IP address of the first router of the neighboring AS [2]. The
address changes only when an autonomous system border has been crossed. By modifying
this field an attacker could interrupt the forwarding of traffic between the two ASs.

iv. Network Layer Reachability Information (NLRI)

NLRI is used by each AS to create a routing graph that defines the associations between
autonomous systems. By modifying this field an attacker could interrupt routing to the
announced network, which can lead to data loss.

5.3 Vulnerabilities through the TCP Protocol

BGP uses a TCP connection on TCP port 179 to send routing updates. Therefore, BGP is
subject to attacks carried out against TCP itself [1].


6. Attacks on BGP
The attacks discussed in this section are the most common. Attacks on BGP can cause
loss of connectivity between critical parts of the Internet, which affects web access. BGP
confidentiality risks also arise from these attacks, particularly through misrouting of
packets. To make Internet communication secure, special measures such as encryption
have to be taken. An attacker could mount an attack by changing routing tables to redirect
traffic through malicious systems, and could then monitor the contents or the source and
destination of the redirected traffic, or modify it maliciously. Like other devices, BGP
routers are subject to unauthorized access, eavesdropping, packet manipulation, denial of
service, and other attacks [2].

i. Denial of Service (DoS)

This is possibly the biggest risk for BGP. It takes place when a router receives more
packets than it has the capacity to handle, and the attack could compromise a large
number of hosts. An attacker could achieve denial of service in many ways. For example,
announcing an incorrect AS_Path results in routing loops; if packets enter a looping route
the traffic is never delivered, which amounts to a DoS attack. By sending excessive BGP
messages to a BGP router an attacker can cause router resource exhaustion [2]. The
insertion of bogus routing information could partition a portion of the network from the
rest of the Internet. All of these could lead to denial of service.
ii. Man-in-the-Middle

This is an attack in which a malicious party places itself between two parties and gains
access to private information. Eavesdropping on BGP packets may occur anywhere on the
path between routers because BGP messages are not encrypted, or BGP may be exploited
to allow eavesdropping on application data packets. BGP has no mechanism for peer
entity authentication, which makes this type of attack much easier.
iii. Peer Spoofing

Spoofing takes place when modified packets are transmitted that appear to come from
their true source. With regular TCP connections it is easy to disguise the source address of
an IP connection. In BGP this attack can take place by spoofing one of the BGP routers.
The purpose of this attack could be to insert false information into a BGP peer's routing
tables.
iv. TCP Resets

In this attack a forged TCP reset message is inserted into an existing session between
the BGP peers, which leads to the connection being dropped. BGP uses a TCP connection
to send routing updates. An attacker could monitor the communication between two BGP
peers and gather enough information to send a bogus reset message to one of the routers.
When the router receives this forged message it drops the BGP session, and both peers
withdraw the routes earlier learned from each other. This interrupts the connectivity of the
network and can take some time to recover; the recovery time depends on the number of
BGP peers affected.
v. Session Hijacking

This attack is similar to the TCP reset attack but is more harmful. It involves intrusion
into an existing session between the BGP peers, in which the attacker operates as one of
the peers in the BGP session. The purpose of this attack could be to alter routes in order
to enable snooping or packet analysis.
vi. Route Flapping

Repeated changes to the BGP routing table are known as route flapping. A route flap
takes place when a route is withdrawn and then re-announced, and it can cause changes in
a route. When route flapping occurs at a high rate (30 to 50 times per second) it can cause
serious problems for routers. It can overload a router, which leads to slow message
delivery, and in some cases packets may not be received at all. It can result in denial of
service.
vii. Malicious Route Injection

BGP is used to exchange routing information over the Internet, but it offers no
protection against insertion, deletion, or modification of messages. An attacker could gain
access by inserting false IP addresses into messages, or could corrupt routing tables by
inserting false data. An attacker can modify packet header addresses to change the route
of a message to a malicious destination and then read and monitor the network packets.
This attack could result in eavesdropping or denial of service.

viii. Link Cutting Attack

This attack takes place when the attacker uses one or more compromised ASs to gain
insight into the network routes. Based on this knowledge the attacker can decide which
links need to be cut to force traffic through the compromised node. The attacker could
engineer a situation where the compromised node is the only route in the network from
one point to the others, and could then read and monitor the network packets.

7. Countermeasures
Securing BGP routing has been a challenge because BGP has no inbuilt security
mechanisms. The major issue in securing BGP is that routers may exhibit faulty and
possibly malicious behavior [4]. The vulnerabilities of BGP can be reduced by using
various security mechanisms. This section describes some of the countermeasures
currently in use.

i. Prefix Filtering

Prefix filtering is a mechanism for protecting BGP routers from unintended or
malicious disruption. In this method both incoming and outgoing prefixes are filtered. This
can be done either by listing the ranges of IP prefixes that are to be denied, with all other
prefixes permitted, or by listing the ranges of permitted IP prefixes, with all other prefixes
denied. This mechanism offers additional security. For example, if AS 1 filters its
outgoing prefixes to those in a set S, and AS 2 is a BGP peer, then AS 2 establishes
incoming filters to ensure that the prefixes it accepts from AS 1 are only those in set S.
This method helps to lessen the risk from attackers who try to inject bogus routes by
pretending to send updates from AS 1 to its peers [2].
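The permit-list and deny-list forms of prefix filtering, and the AS 1 / AS 2 arrangement around set S, as an added Python example that is not part of the paper. The prefixes in S and the announcements are constructed from documentation address ranges; an announced prefix counts as inside a filter entry when it is equal to or more specific than that entry.

```python
import ipaddress


class PrefixFilter:
    """Prefix filter in one of the two forms the paper describes:
    mode "permit": only prefixes inside the listed ranges pass, all others are denied;
    mode "deny":   prefixes inside the listed ranges are dropped, all others pass."""

    def __init__(self, ranges, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.mode = mode
        self.ranges = [ipaddress.ip_network(r, strict=True) for r in ranges]

    def matches(self, prefix):
        net = ipaddress.ip_network(prefix, strict=True)
        # subnet_of() is true for the range itself and for any more-specific of it
        return any(net.version == r.version and net.subnet_of(r) for r in self.ranges)

    def allows(self, prefix):
        """True if an announcement for `prefix` should be accepted (or sent)."""
        try:
            hit = self.matches(prefix)
        except ValueError:
            return False            # malformed prefix (e.g. host bits set): deny
        return hit if self.mode == "permit" else not hit


def apply_filter(flt, announcements):
    """Split a batch of announced prefixes into (accepted, dropped)."""
    accepted = [p for p in announcements if flt.allows(p)]
    dropped = [p for p in announcements if p not in accepted]
    return accepted, dropped


# Constructed set S: the prefixes AS 1 is entitled to announce. The same permit
# list is applied outbound at AS 1 and inbound at AS 2 on the session from AS 1.
S = ["192.0.2.0/24", "198.51.100.0/24"]
S_FILTER = PrefixFilter(S, "permit")
# Deny-list form: drop private address space and let everything else through.
PRIVATE_DENY = PrefixFilter(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], "deny")


def demo():
    # Constructed updates as seen by AS 2 from AS 1: two genuine announcements
    # from S, one more-specific of S, and two prefixes that are not AS 1's to
    # announce (the kind a spoofed "AS 1" update would try to inject).
    updates = ["192.0.2.0/24", "198.51.100.0/24", "192.0.2.128/25",
               "203.0.113.0/24", "10.1.0.0/16"]
    return {
        "as2_inbound": apply_filter(S_FILTER, updates),
        "private_deny": apply_filter(PRIVATE_DENY, updates),
        "malformed": S_FILTER.allows("192.0.2.1/24"),
    }


if __name__ == "__main__":
    print(demo())
```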
ii. Sequence Number Randomization

A packet may take any of several routes through the network to reach its destination,
so messages received by the destination router may arrive in a different order than they
were sent. BGP uses a TCP connection to send routing updates, and TCP uses sequence
numbers to make certain that packets are placed back in their correct order. When the
connection is established between two BGP peers, the systems exchange random Initial
Sequence Numbers drawn from the range of 32-bit integers. With each message this
sequence number is incremented, which helps in determining the right order in which to
reassemble the packets. Packets whose sequence numbers fall within a window around the
expected sequence number are accepted by the receiving end; the rest are treated as errors
and rejected. Sequence numbers offer protection against session hijacking and message
spoofing.

Fig.6 TCP Sequence Number Establishment (Source: [2])

iii. Generalized TTL Security Mechanism

TTL refers to Time to Live. Using this field of the IP packet, an erroneous packet can be
identified and rejected, and endless circulation of packets in the Internet is avoided. The
field counts the number of hosts a packet has passed through, obtained by subtracting its
current value from its initial value. In BGP, two peers are adjacent to each other, so only
one hop is needed for a packet carrying a BGP message. A BGP message that has passed
through several hosts is considered an error or a packet from an attacker. The TTL hack
assumes that the TTL of outgoing packets is 255. When a packet is forwarded, routers
decrement the TTL field by one, so the adjacent peer should see the incoming packet with
a TTL value of 254. A packet whose TTL value is lower than 254 is considered an error.

Fig. 7 BGP TTL Hack (Source: [2])


iv. MD5 Signature

The MD5 hash algorithm can be used to protect BGP sessions by creating a keyed hash
for TCP message authentication [2]. The algorithm takes a variable-length message and
calculates a 128-bit cryptographic hash value for each packet, using a secret key shared by
both BGP peers in the session. Because MD5 is a cryptographic hash, it is difficult to
derive the key from the hash value, and it is very difficult to tamper with a signed message
undetected, since changing a single bit produces a different hash value. BGP peers can
include an MD5 value in each message, and the receiving peer checks whether it matches
the value it calculates with the help of the shared secret key. MD5 offers great protection
against spoofing and session hijacking.
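The three session-level checks from the preceding subsections (sequence-number window, TTL check, MD5 keyed hash) applied to one inbound TCP segment, as an added Python example that is not the paper's code. The keyed hash follows the layout of the TCP MD5 Signature Option (RFC 2385: pseudo-header, TCP header with checksum zeroed, data, key); the session state, key and segments are constructed, and the TCP header is assumed to carry no options.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
SEQ_SPACE = 1 << 32


def gtsm_ok(ttl, trust_radius):
    # Peer sends with TTL 255; every router on the way decrements it. trust_radius is
    # the number of decrements tolerated; the paper's figure (adjacent peers, one
    # decrement, TTL 254 seen at the receiver) corresponds to trust_radius = 1.
    return ttl >= 255 - trust_radius


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    # Accept only a segment whose sequence number lies inside the receive window.
    # Modular subtraction handles wraparound of the 32-bit sequence space.
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header with checksum zeroed, segment
    data and finally the shared key, in the order RFC 2385 lists them."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, len(tcp_hdr) + len(payload))
    hdr_zero_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + hdr_zero_csum + payload + key).digest()


def make_tcp_header(sport, dport, seq, ack, window):
    # 20-byte TCP header, data offset 5 words, flags PSH|ACK, checksum left at zero.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, window, 0, 0)


def verify_segment(seg, conn):
    """Run the paper's three checks in order; returns (accepted, reason)."""
    if not gtsm_ok(seg["ttl"], conn["trust_radius"]):
        return False, "ttl"
    seq = struct.unpack("!I", seg["tcp_hdr"][4:8])[0]
    if not seq_in_window(seq, conn["rcv_nxt"], conn["rcv_wnd"]):
        return False, "seq"
    expected = tcp_md5_digest(seg["src_ip"], seg["dst_ip"], seg["tcp_hdr"],
                              seg["payload"], conn["key"])
    if not hmac.compare_digest(expected, seg["md5"]):   # constant-time comparison
        return False, "md5"
    return True, "ok"


# Constructed session state: local speaker 192.0.2.2, peer 192.0.2.1, with the
# receive window placed just below the 32-bit wrap point to exercise wraparound.
CONN = {"local_ip": "192.0.2.2", "peer_ip": "192.0.2.1", "trust_radius": 1,
        "key": b"constructed-shared-secret", "rcv_nxt": 0xFFFFFF00, "rcv_wnd": 65535}
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"      # 19-byte BGP KEEPALIVE as payload


def build_segment(seq, ttl, payload=KEEPALIVE, key=CONN["key"]):
    """Constructed inbound segment from the peer, signed with `key`."""
    hdr = make_tcp_header(179, 40000, seq, 1000, 65535)
    md5 = tcp_md5_digest(CONN["peer_ip"], CONN["local_ip"], hdr, payload, key)
    return {"ttl": ttl, "src_ip": CONN["peer_ip"], "dst_ip": CONN["local_ip"],
            "tcp_hdr": hdr, "payload": payload, "md5": md5}


def demo():
    return {
        "valid": verify_segment(build_segment(0xFFFFFF10, 254), CONN),
        "wrapped_seq": verify_segment(build_segment(0x00000010, 254), CONN),
        "too_many_hops": verify_segment(build_segment(0xFFFFFF10, 250), CONN),
        "wrong_key": verify_segment(build_segment(0xFFFFFF10, 254, key=b"guess"), CONN),
        "out_of_window": verify_segment(build_segment(0x10000000, 254), CONN),
    }
```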
v. IPsec

BGP has no inbuilt encryption mechanism to secure its messages. IPsec is an IP-layer
protocol that can provide both authentication and data encryption, and it can be used in
place of MD5. The Authentication Header option of IPsec can be used to authenticate a
BGP message, and the Encapsulating Security Payload option can be used to encrypt the
data carried in BGP updates [2]. IPsec also provides great protection against spoofing and
session hijacking.

8. Conclusion
BGP is very popular despite providing no performance or security guarantees. Various
security measures have been proposed, but the solutions are difficult to adopt as the
number of autonomous systems on the Internet keeps increasing. Overall, however,
progress has been made. This paper has surveyed various vulnerabilities of BGP, several
attacks exploiting those vulnerabilities, and some security mechanisms that help to secure
it. It is important to secure BGP because it is the key to a reliable and secure Internet.

13

Border Gateway Protocol Security

9. References
[1] IETF, RFC 4272, BGP Security Vulnerabilities Analysis, January 2006.
http://www.ietf.org/rfc/rfc4272.txt

[2] Kuhn, D. Richard, Kotikalapudi Sriram, and Douglas C. Montgomery. "SP 800-54.
Border Gateway Protocol Security." (2007).

[3] Ivan Pepelnjak. "BGP essentials: The protocol that makes the Internet work."
http://searchtelecom.techtarget.com/feature/BGP-essentials-The-protocol-thatmakes-the-Internet-work

[4] Farley, Toni, Patrick McDaniel, and Kevin Butler. "A survey of BGP security issues
and solutions." ACM Journal (2004).

[5] BGP message overview.
http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/bgp-routingmessages-overview.html

[6] http://www.inetdaemon.com/tutorials/internet/ip/routing/bgp/index.shtml

[7] http://www.rhyshaden.com/bgp.htm

[8] https://en.wikipedia.org/wiki/Border_Gateway_Protocol
