Securing BGP Not As Difficult As You'd Think

Published: 22/11/2024   Category: security




But few service providers and organizations bother to deploy security for BGP, security expert says.



BLACK HAT USA -- Las Vegas -- The Internet's Border Gateway Protocol (BGP) seems to be the new darling of hackers and nation-states, but BGP expert Wim Remes says BGP abuse is nothing new -- and securing it is actually fairly simple.
"I think the biggest issue is the understanding of trust on the Internet," says Remes, EMEA strategic services manager at Rapid7. Remes says there are basic ways to lock down the security of BGP, but not many service providers or organizations are doing it.
"These security technologies for BGP work very well, they are inexpensive to implement, and there's no incentive for ASN owners to implement them," says Remes, who here today outlined BGP security options in his "State of BGP Security" session.
But Remes says the big overarching issue today is trust on the Internet, which boiled over after Edward Snowden's leak of controversial NSA surveillance practices.
Meantime, cybercriminals as well as nation-states increasingly have abused the Internet's underlying BGP traffic-routing fabric to hijack or disrupt networks for profit or political reasons. BGP can be abused via router impersonation, distributed denial-of-service attacks, and traffic hijacking.
OpenDNS's Dan Hubbard here this week will launch a new free tool called BGP Stream that tweets out alerts on suspicious BGP/Autonomous System Number (ASN) updates and changes so network owners, ISPs, and hosting providers can keep abreast of malicious network changes that could hijack or otherwise disrupt their traffic. Hubbard, OpenDNS's CTO, says BGP is "the new black" in the attacker's arsenal.
Rapid7's Remes recommends BGP monitoring, plus hardening BGP routers and the systems used to configure and monitor BGP infrastructure, as well as strict access control to those systems.
Deploying Resource Public Key Infrastructure (RPKI) for BGP routing is another obvious security option, according to Remes. RPKI validates that route assignments came from a legitimate source rather than a malicious one, thus preventing re-routing of traffic to malicious destinations. Remes says implementing RPKI is inexpensive, and fairly simple. When a router receives updates, they are signed by local regional registries, he says.
It takes less than 15 minutes to deploy the open-source RPKI validator software from RIPE, he notes.
ISPs as well as other large organizations could adopt it, he says. RPKI provides validation much like DNSSEC does for DNS traffic. "RPKI also lets you create different levels of trust between yourself and your peers," he says.
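
The origin check that RPKI makes possible, as an added example (not code from the article, from Remes, or from RIPE's validator): it classifies announcements against Route Origin Authorizations following the RFC 6811 origin-validation rules. The ROAs, prefixes and ASNs are constructed from documentation ranges, and the helper names are hypothetical.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # longest prefix length the holder authorises
    asn: int          # origin AS authorised to announce the prefix

def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

def validate_origin(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for r in roas:
        # A ROA covers the route if the route is equal to or inside its prefix.
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # AS 0 in a ROA means "never route this", so it can never match.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered but unmatched: wrong origin or a too-specific announcement.
    return "invalid" if covered else "not-found"

def flag_invalid(announcements, roas):
    """Monitoring view: announcements that fail origin validation."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) == "invalid"]

# Constructed sample data (documentation prefixes and ASNs, not real routes).
ROAS = [roa("198.51.100.0/24", 24, 64496), roa("2001:db8::/32", 48, 64497)]
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),   # authorised origin
    ("198.51.100.0/24", 64511),   # same prefix, different origin AS
    ("198.51.100.0/25", 64496),   # right origin, longer than maxLength
    ("2001:db8:1::/48", 64497),   # more specific, within maxLength
    ("203.0.113.0/24", 64496),    # no covering ROA
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:18} AS{a}  {validate_origin(p, a, ROAS)}")
```

A "not-found" result only means no ROA covers the prefix, which is why low RPKI adoption limits how much a validating router can reject.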
BGP monitoring is another easy and useful practice, he says. The University of Colorado, for instance, gathers and monitors BGP traffic and offers a real-time stream of BGP events. Hurricane Electric runs a BGP dashboard and dataset for tracking BGP issues, and CYMRU also monitors BGP traffic.
Luxembourg-based CERT CIRCL runs the BGP Ranking project, which correlates BGP data with malicious activity such as malware and IP blacklists.
"There's more than enough BGP data available," Remes says.
So what should enterprises do about BGP security? "Understand which assets you own … monitor your own ASNs, or [cloud-based ones]," he says. "Someone could be targeting you or your service you rely on, so it helps to track the BGP traffic," he says.
But adoption of RPKI stands at only about 7 percent, Remes says, and it won't even reach 50 percent until 2020, according to RIPE estimates. "That's not good enough," according to Remes: "ASN owners should aspire to do better than that."
