Man-in-the-Middle attacks against BGP Routers
A more gentle BGP route injection can come in the form of a man-in-the-middle attack. A successful TCP hijacking attack against BGP requires the following:
- Correctly matching source address
- Correctly matching source port
- Correctly matching destination port
- Correctly matching TTL if BGP TTL security is applied
- Correctly matching TCP sequence numbers (a major obstacle for a blind remote attacker, but not a problem when you can sniff the session)
- Bypassing TCP Options MD5 authentication (if applied)
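The last two items in that list are exactly the settings a defender controls on the router. The script below, which is an added example and not part of the book or the CIAG tools, parses a constructed Cisco IOS "router bgp" stanza and reports each neighbor that lacks a TCP MD5 password or GTSM (the "neighbor ... ttl-security hops" command); the addresses, AS numbers and the type-7 password string are constructed sample values.

```python
"""Audit a Cisco IOS BGP stanza for TCP MD5 authentication and TTL security.

Added example (not from the original text). The configuration below is
constructed; only the "neighbor" lines inside "router bgp" are examined.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IOS snippet: one neighbor fully protected, one with neither control.
SAMPLE_CONFIG = """\
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.10.12 remote-as 65001
 neighbor 192.168.10.12 password 7 0822455D0A16
 neighbor 192.168.10.12 ttl-security hops 1
 neighbor 192.168.10.15 remote-as 65002
!
"""

NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+(.*)$")


@dataclass
class Neighbor:
    address: str
    remote_as: Optional[str] = None
    md5: bool = False          # "neighbor X password ..." present
    ttl_security: bool = False  # "neighbor X ttl-security hops N" present


def parse_bgp_neighbors(config: str) -> Dict[str, Neighbor]:
    """Collect per-neighbor settings from the "router bgp" block."""
    neighbors: Dict[str, Neighbor] = {}
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router bgp "):
            in_bgp = True
            continue
        if line == "!" or line.startswith("router "):
            in_bgp = False  # end of the BGP block
            continue
        if not in_bgp:
            continue
        match = NEIGHBOR_RE.match(line)
        if not match:
            continue
        addr, rest = match.groups()
        words = rest.split()
        nb = neighbors.setdefault(addr, Neighbor(addr))
        if words[0] == "remote-as" and len(words) > 1:
            nb.remote_as = words[1]
        elif words[0] == "password":
            nb.md5 = True
        elif words[0] == "ttl-security" and len(words) >= 3 and words[1] == "hops":
            nb.ttl_security = True
    return neighbors


def audit(neighbors: Dict[str, Neighbor]) -> Dict[str, List[str]]:
    """Map each neighbor address to the list of missing TCP-layer protections."""
    findings: Dict[str, List[str]] = {}
    for addr, nb in neighbors.items():
        issues = []
        if not nb.md5:
            issues.append("no TCP MD5 password: a segment with matching addresses, "
                          "ports and sequence numbers is accepted as-is")
        if not nb.ttl_security:
            issues.append("no ttl-security: segments arriving with any TTL are accepted")
        findings[addr] = issues
    return findings


if __name__ == "__main__":
    for addr, issues in audit(parse_bgp_neighbors(SAMPLE_CONFIG)).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{addr}: {status}")
```

Run it against a saved "show running-config" to get a quick list of peers that still rely on address, port and sequence-number secrecy alone. Note that ttl-security is only applicable to directly connected (or a known, fixed number of hops away) peers, so a multihop neighbor that the audit flags may need MD5 as its only option.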
To launch the actual hijacking attack, we will employ tcphijack from the CIAG BGP tools. It is quite straightforward to use:
root # ./tcphijack
Usage: tcphijack [-hv] -c client_name -s server_name -p server_port [-t trigger_file] [-P payload_file] [-d fire_delay]
-h: this help
-c: Client host name or IP address.
-s: Server (victim) host name or IP address.
-p: Server TCP port.
-t: Trigger file.
-P: Payload file. If payload_file is "-" then read from stdin.
-d: Fire delay.
-v: Show version information.
The payload file can be a text file with a command to be executed when a Telnet session is hijacked. This is very useful when attacking a Telnet connection to a router; however, this is not the purpose of this chapter. In our case, the payload file is a payload binary of a BGP Update or a BGP (error) Notification packet. We are not really interested in BGP Open or BGP keepalive packets, since the session is already present and the peers exchange keepalives anyway.
The first thing to do before running the attack is to build the necessary binary payload. Tcphijack is supplied with a bgp-update-create utility that takes an AS number, a next-hop router IP address, and a route to advertise as input:
root # ./bgp-update-create --as 6500 --nexthop 192.168.10.1 --destnet 192.168.15.1/24 > evilpacket
You can also capture live BGP packets from routers into pcap format files, edit these files with Wireshark (which has a nice GUI and can be downloaded with all the necessary drivers from www.wireshark.org), open the edited packets with Ethereal, and cut or paste the binary payload from there. Instead of using an actual BGP router (which can be a Linux box with a software routing suite anyway), you can try packet generators that support BGPv4 construction, for example IPsend and Spoof.
The next step is to ARP spoof the connection between both BGP peers using your favorite ARP-based man-in-the-middle attack tool, such as Dsniff or Ettercap. You can also try ARP spoofing across VLANs using Yersinia. (Classic ARP spoofing is described in all editions of Hacking Exposed as well as many other security tomes and online sources; we won't spend precious time and space outlining it here.) After the ARP spoofing succeeds, launch tcphijack and feed the generated payload into the targeted session:
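Because the hijack depends on the ARP spoofing step succeeding, the cheapest place to catch it is the ARP traffic on the peering segment. The following script is an added example, not code from the book or from any of the tools named above: it runs two checks over a constructed list of ARP replies (time, sender IP, sender MAC), the kind of record an arpwatch-style sensor keeps, and flags an IP address whose MAC changes and, more specifically, a single MAC that answers for both BGP peers' addresses. The addresses and MACs are constructed.

```python
"""Flag ARP cache poisoning between two BGP peers from observed ARP replies.

Added example, not from the original text. ARP_REPLIES is a constructed
sample of (seconds, sender IP, sender MAC) tuples; the record format is an
assumption about what a passive ARP sensor would log.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Reply = Tuple[float, str, str]

# Constructed sample: the two peers answer normally, then a third MAC starts
# claiming both of their addresses.
ARP_REPLIES: List[Reply] = [
    (0.0, "192.168.10.12", "00:11:22:aa:bb:01"),
    (0.5, "192.168.10.15", "00:11:22:aa:bb:02"),
    (30.0, "192.168.10.12", "00:11:22:aa:bb:01"),
    (61.2, "192.168.10.12", "de:ad:be:ef:00:01"),  # .12 now claimed by a new MAC
    (61.3, "192.168.10.15", "de:ad:be:ef:00:01"),  # the same MAC claims .15
    (62.0, "192.168.10.12", "de:ad:be:ef:00:01"),
]

# The two BGP speakers whose session is being protected (constructed).
BGP_PEERS: Set[str] = {"192.168.10.12", "192.168.10.15"}


def mac_changes(replies: List[Reply]) -> List[Tuple[float, str, str, str]]:
    """Return (time, ip, old_mac, new_mac) each time an IP is claimed by a new MAC."""
    last_seen: Dict[str, str] = {}
    changes = []
    for t, ip, mac in sorted(replies):
        previous = last_seen.get(ip)
        if previous is not None and previous != mac:
            changes.append((t, ip, previous, mac))
        last_seen[ip] = mac
    return changes


def macs_claiming_multiple_peers(replies: List[Reply],
                                 peers: Set[str]) -> Dict[str, Set[str]]:
    """Return MACs that have answered for more than one of the peer addresses.

    One station answering for both ends of the session is the signature of a
    man-in-the-middle sitting between the peers.
    """
    claimed: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        if ip in peers:
            claimed[mac].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


def alerts(replies: List[Reply], peers: Set[str] = BGP_PEERS) -> List[str]:
    """Combine both checks into human-readable alert lines."""
    out = []
    for t, ip, old, new in mac_changes(replies):
        out.append(f"{t:.1f}s: {ip} moved from {old} to {new}")
    for mac, ips in macs_claiming_multiple_peers(replies, peers).items():
        out.append(f"{mac} answers for several BGP peers: {', '.join(sorted(ips))}")
    return out


if __name__ == "__main__":
    for line in alerts(ARP_REPLIES):
        print(line)
```

The first check fires on any legitimate NIC replacement as well, so on its own it is noisy; the second is specific to this attack and is worth an immediate page. Static ARP entries on both routers, or Dynamic ARP Inspection on the switch, remove the precondition entirely, which is the stronger fix.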
root # ./tcphijack -c 192.168.10.12 -s 192.168.10.15 -p 179 -P evilpacket
Voilà! The route has been inserted. An ACK storm will inevitably follow for a few minutes, but it is unlikely to affect the attacked BGP session.