Man-in-the-Middle attacks against BGP Routers

A more gentle BGP route injection can come in the form of a man-in-the-middle attack. A successful TCP hijacking attack against BGP requires the following:

Man-in-the-Middle attacks against BGP Routers

To launch the actual hijacking attack, we will employ tcphijack from CIAG BGP tools. It is quite straightforward to use:

      root # ./tcphijack
     Usage: tcphijack [-hv] -c client_name -s server_name -p server_port [-t trigger_file] [-P payload_file] [-d fire_delay]
     -h: this help
     -c: Client host name or IP address.
     -s: Server (victim) host name or IP address.
     -p: Server TCP port.
     -t: Trigger file.
     -P: Payload file. If payload_file is "-" then read from stdin.
     -d: Fire delay.
     -v: Show version information.

The payload file can be a text file with a command to be executed when a Telnet session is hijacked. This is very useful when attacking a Telnet connection to a router; however, this is not the purpose of this chapter. In our case, the payload file is a payload binary of a BGP Update or a BGP (error) Notification packet. We are not really interested in BGP Open or BGP keepalive packets, since the session is already present and the peers exchange keepalives anyway.

The first thing to do before running the attack is to build a necessary binary payload. Tcphijack is supplied with a bgp-update-create utility that takes AS number, next hop router IP address, and a route to advertise as input:

     root # ./bgp-update-create --as 6500 --nexthop --destnet > evilpacket

You can also capture live BGP packets from routers into pcap format files, edit these files with WireShark (has a nice GUI and can be downloaded with all the necessary drivers at, open the edited packets with Ethereal, and cut or paste the binary payload from there. Instead of using an actual BGP router (which can be a Linux box with a software routing suite anyway), you can try packet generators that support BGPv4 construction—for example, IPsend and Spoof.

The next step is to ARP spoof the connection between both BGP peers using your favorite ARP-based man-in-the-middle attack tool, such as Dsniff or Ettercap. You can also try ARP spoofing across VLANs using Yersinia. (Classic ARP spoofing is described in all editions of Hacking Exposed as well as many other security tomes and online sources; we won't spend precious time and space outlining them here.) After the ARP spoofing succeeds, launch tcphijack and feed the generated payload into the targeted session:

     root # ./tcphijack -c -s -p 179 -P evilpacket

Voilà! The route has been inserted. The inevitable ACK storm would occur for a few minutes, but it is unlikely to affect the BGP session attacked.