[lacnog] Fwd: Fwd: [1st-t] Campaign to safeguard BGP Peering Sessions (TLP:Clear)

Carlos Martinez - Cagnazzo carlos en cagnazzo.uy
Wed Oct 11 11:15:12 -03 2023


Hello everyone,

On one of the FIRST (Forum of Incident Response Teams) lists
this message was shared, which I think is of interest to LACNOG.

/Carlos

-------- Original Message --------
Subject: [1st-t] Campaign to safeguard BGP Peering Sessions (TLP:Clear)
Date: 2023-10-11 08:06
From: "Barry Greene" (via first-teams Mailing List) 
<first-teams en lists.first.org>
To: FIRST Teams <first-teams en lists.first.org>
Reply-To: Barry Greene <bgreene en senki.org>

[PEER REVIEWED BY FIRST NETSEC SIG - TLP: CLEAR]

In June 2023, two low-level Mpps DDoS attacks targeted two
organizations' BGP sessions (TCP port 179). Both BGP sessions were
knocked out, completing a DDoS against the organizations. DDoS against
the BGP session is a well-known, but not common, attack vector. We have
defensive techniques, tools, and architectures to protect the BGP
session. These attacks against BGP sessions are of concern because:

First, it has been a while since we have seen direct attacks on the BGP
sessions. BGP session attacks require homework by the threat actor.
These are not point-&-click volumetric DDoS attacks. We have enough
monitoring of BGP stability to know if these attacks are common. They
are not common. We "assumed" that organizations would protect their
BGP sessions when they configure their peering. We were wrong.

Second, one of the attacks used a reflective approach that has yet to be
seen in 20 years. This "reflect from the inside out" type shows
creative thinking and planning behind the attack. Some explanation of
this reflection technique is in the supporting documentation.

Finally, Shodan [1] and Shadowserver [2] illustrate +300K BGP port 179
scan successes. Assume each ASN has a minimum of two BGP sessions. That
would be +150K BGP sessions. That is a lot of "telecom-wide" and
"Internet-wide" disruption. Think through the implications of a BGP
session attack combined with other attacks. Think of what would happen
with BGP sessions flapping all over the world.

Attacking BGP sessions with low-level DDoS is one of the "scenarios"
that could lead to "Internet chaos." Think hundreds of BGP sessions
flapping all over the Internet.

ASKING FOR HELP TO MINIMIZE “INTERNET CHAOS”

The FIRST community traditionally takes action to minimize risk to our
constituents. We’re asking FIRST members to alert their constituents
to the BGP Session Risk, use reports from Shadowserver to track the
progress, and help those organizations who need help deploying the BCPs
for BGP Session resiliency.

SUPPORTING MATERIALS

We have a library of supporting materials to help FIRST Members craft
advisories and alerts to their constituents. FIRST NETSEC SIG has helped
review and craft these supporting materials. NETSEC SIG will be
helping any member who has questions. As mentioned, we assumed that
secure BGP sessions were a BCP. Operational Entropy is opening an
unexpected risk.

FIRST Members will be round one of an October 2023 campaign to minimize
our potential risk. Details are in the BGP Session Security Campaign
Strategy. [3]
Evaluate the potential BGP Session DDoS Risk with two reports. These
illustrate the potential risk.

* Shodan's BGP Report [1] - This has been active for a while and
  provides "Internet risk" zones. Organizations who subscribe to
  Shodan can get more details on their ASNs.

* Shadowserver started scanning for the BGP Session risk and now posts on
  their vulnerable BGP session dashboard [2]. Shadowserver now includes
  two new BGP Session reports as part of their free Cyber Civil Defense
  Reporting. These are the Accessible BGP service [4] and the Open BGP
  Service [5] reports.

NOTE: National CSIRT/CERT Teams who receive Shadowserver's summary
constituent report can use those to measure the risk with constituents.
This could focus on a country, critical infrastructure, or a domain
(i.e., a government domain).

* Protect your BGP Sessions from DDoS Attacks [6] - This is the original
  blog by Barry Greene a week after the attacks and the Shadowserver scans
  confirmed Shodan's reporting.

* Advisory to FIRST Community - BGP Port 179 DDoS Risk Or How to cause
  unprecedented global chaos this week [7] - FIRST NETSEC SIG [8] were all
  consulted to craft up a guide for the FIRST community. This document
  will be TLP: CLEAR and will be updated as questions are asked and more
  insight is gained.

* Protecting BGP Sessions - Step-by-Step Guide to Prevent an Easy DDoS [9]
  - a guide Barry Greene crafted with several other operators to help our
  peers deploy BGP session security essentials. This document will evolve
  into a video the week of October 16th.

* BGP Session DDoS Attack CVSS [10] - The NetSec [8] Team suggested we do
  the CVSS. This is a team walkthrough using CVSS 4.0.

WHAT IS THE ROOT CAUSE OF THIS BGP SESSIONS SECURITY RISK?

We have an Operational Entropy problem. BGP Session security BCPs were
worked on 25 years ago. IETF RFCs were written. Vendors deployed code.
Operators crafted architectures to minimize the risk. Features were
deployed on the BGP sessions. We should not have +300K BGP port 179
sessions potentially at risk. We do now.

It is a classic problem of entropy. Best Practice checks are
required to ensure we don't forget the BGP security essentials. New
generations of operators need training to understand these BGP security
essentials. Organizations that issue security certifications and cyber
insurance carriers that provide liability insurance are missing risk if
they do not check for BGP Security Essentials.

Barry Greene
FIRST Liaison



Links:
------
[1] 
https://www.shodan.io/search/report?query=product:bgp+port:%22179%22&title=BGP%20Usage%20Report
[2] 
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2023-06-28&source=population&source=population6&tag=bgp&geo=all&data_set=count&scale=log
[3] 
https://docs.google.com/document/d/1C0OO0en9gNlyzZgKm39ursjqT6xxZGm56ze6toLi6To/edit
[4] 
https://shadowserver.org/what-we-do/network-reporting/accessible-bgp-service-report/
[5] 
https://shadowserver.org/what-we-do/network-reporting/open-bgp-service-report/
[6] https://www.senki.org/protect-your-bgp-sessions-from-ddos-attacks/
[7] 
https://docs.google.com/document/d/1oDD5-qlu0rlHUtjNZHKrfdug99ynSXHc2vdHPktTFH4/
[8] https://www.first.org/global/sigs/netsec/
[9] 
https://docs.google.com/document/d/13GoLbWmeypFerOJCh5Dp4-KcMu4BArXJP33PfYJcfS8/
[10] 
https://docs.google.com/document/d/16sWvRSzE8htOSLurUaz5ROXtjQHqRpc18WfI-8szVug/
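The forwarded message asks for "Best Practice checks" against BGP sessions whose TCP port 179 answers to arbitrary sources, which is exactly what the Shodan and Shadowserver scans above detect. The block below is an added illustration of such a check and is not code from FIRST, Shadowserver, Shodan or Barry Greene. It models a router's control-plane filter as an ordered list of permit/deny entries matched on source prefix and destination port (a hypothetical simplification of a real infrastructure ACL), compares an unfiltered router with one that only admits its configured peers, and reports which probing sources could still open TCP/179. All peer addresses and probe sources are constructed documentation-range values.

```python
"""Model check: can a non-peer reach TCP/179 on a BGP speaker?

Added example, not part of the advisory above. The rule model is a
hypothetical stand-in for a router infrastructure ACL; addresses are
constructed from RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
from typing import List, Optional

BGP_PORT = 179


class Rule:
    """One filter entry: action applies when the packet's source falls in
    `src` and (if given) its destination port equals `dst_port`."""

    def __init__(self, action: str, src: str, dst_port: Optional[int] = None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.action = action
        self.src = ipaddress.ip_network(src)
        self.dst_port = dst_port  # None means "any destination port"

    def matches(self, src_ip, dst_port: int) -> bool:
        # `in` on a network of the other address family is False, never an error
        return src_ip in self.src and (
            self.dst_port is None or self.dst_port == dst_port
        )


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """First-match evaluation.

    An empty rule list models the weak default the advisory warns about:
    no control-plane filter at all, so everything is permitted. When a
    filter is present, an unmatched packet hits the implicit deny.
    """
    if not rules:
        return "permit"
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(ip, dst_port):
            return rule.action
    return "deny"


def peer_only_filter(peers: List[str]) -> List[Rule]:
    """Hardened filter: TCP/179 only from each configured peer (host
    route), then explicit deny of 179 from everyone else, v4 and v6."""
    rules = []
    for p in peers:
        ip = ipaddress.ip_address(p)
        rules.append(Rule("permit", f"{ip}/{ip.max_prefixlen}", BGP_PORT))
    rules.append(Rule("deny", "0.0.0.0/0", BGP_PORT))
    rules.append(Rule("deny", "::/0", BGP_PORT))
    return rules


def exposed_sources(rules: List[Rule], peers: List[str],
                    candidates: List[str]) -> List[str]:
    """Sources that are NOT configured peers yet can still reach TCP/179.
    A non-empty result is the condition an Internet-wide port-179 scan
    would report as an accessible BGP service."""
    peer_set = {ipaddress.ip_address(p) for p in peers}
    return [
        s for s in candidates
        if ipaddress.ip_address(s) not in peer_set
        and evaluate(rules, s, BGP_PORT) == "permit"
    ]


if __name__ == "__main__":
    # Constructed sample: two configured eBGP peers and four probing sources
    peers = ["192.0.2.1", "2001:db8::1"]
    probes = ["192.0.2.1", "198.51.100.7", "2001:db8::1", "2001:db8:ffff::9"]

    print("no filter   ->", exposed_sources([], peers, probes))
    print("peer filter ->", exposed_sources(peer_only_filter(peers), peers, probes))
```

Run as a script, the unfiltered router reports both non-peer probes as able to reach port 179, while the peer-only filter reports none; the same function run against a list of scanner source addresses from an accessible-BGP report would tell an operator whether their own configuration closes the finding or merely happened not to be probed yet.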

--
Carlos Martinez-Cagnazzo
LACNIC


