Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
Recently, a research paper introduced an attack
that could potentially break
down the whole internet.
In today's episode of Threat Talks
the Deep Dive, we dive deep into BGP
Vortex, the attack that could
potentially break down the internet.
Let's get onto it. Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
With me today is Eric from AMS-IX,
network engineer there.
Welcome, Eric. Yeah.
Thank you Rob.
And, my name is Rob Maas,
Field CTO at ON2IT.
Before we dive deep
into this whole attack,
can you briefly explain
what AMS-IX is?
AMS-IX is short for
Amsterdam Internet Exchange.
So we are an internet exchange,
and what an internet exchange
is, is a platform for internet service
providers who provide content
services on the internet to interconnect.
It's different from an
internet service provider,
because we're working
mostly with, let's just
say, B2B internet companies, and
the primary function is for people
to interconnect and exchange
traffic with each other.
Just think about
your router at home.
Right. So, your router at home,
if you have your router at home,
you can connect things, a laptop,
PC or so, through that router
and then exchange the traffic locally.
We are that, but on a much bigger scale.
Okay.
Yeah, it's as simple as that,
you can put it like that,
because imagine if one company
in the Netherlands
wants to exchange internet traffic
with another company in the Netherlands,
then they can connect directly.
But then if you have many companies
in the Netherlands
who want to exchange traffic,
and then if you build
a direct connection
between those companies,
then you have sort
of a massive connection.
It's not really convenient
and sometimes it's very
expensive to set it up.
You're more or less the central hub
that you can use to quickly connect.
That's correct.
So basically, if you connect
to AMS-IX, with one single
connection, you are able
to exchange traffic
to many, many members
on the platform.
Okay. Yeah.
Maybe also already a nice bridge.
Because the next thing, of course,
we dive into here is BGP.
Yeah.
Can you explain what BGP is?
BGP is short for Border Gateway
Protocol. It is the primary protocol
for internet service providers
who run networks to exchange
what is called the network layer
reachability, NLRI, between the networks.
So, the internet, I mean,
a lot of people
say that, okay, you pick up your phone
and then you get on the internet, right?
But then what you have accessed
is the media, the content
on the internet, and underneath is the
whole infrastructure for the internet to run.
Right.
So from the perspective
of a network engineer,
we see the internet as a
network of networks, and
all the networks are
interconnected with each other.
Yeah.
So, to make it maybe even
more clear, let's assume
we are both an internet provider. Yeah.
Then we each support a lot of
networks of our own.
And BGP is there if
I want to tell you
what networks I have behind me
and you can tell me your networks.
That is correct.
So, what BGP exchanges,
in the basics,
is what we call IP address
prefixes. And then
we should understand the concept
of the autonomous system number.
So every service provider
who runs
infrastructure on the internet
to provide services
normally has their own
autonomous system number.
And that is assigned by
the regional internet registry.
Like here in Amsterdam, we are hosting
the European and Middle East one, RIPE NCC.
It's in Amsterdam.
Okay and that means that every
autonomous system is
unique in its number.
Yeah, yeah, I mean, it's
similar to the KvK number here.
You know, if you want to run a company,
you know, an official business,
not anything shady, then you need
to register with the Chamber of
Commerce for a KvK number.
It's just like that for
the autonomous system.
Right.
So you are assigned
a unique number,
and it can only be used by your
network, because it is registered
internationally with the internet registry.
So if I go back to the example I just
described, that we are both an ISP.
We probably have registered
our unique number. Yes.
And if we know each other's number,
we can send each other updates.
The number. Yes.
The number is just like, okay...
The IX number is just to identify
the network, and within the network
underneath, they also need
to register their IP prefixes.
Yeah. That's what we will be exchanging.
Yeah, that is correct.
So yeah. How do I ...
Let's say it's just like a postcode, right?
Amsterdam is supposed to have a
different postcode range compared to Utrecht, yes.
So zip code. Yeah.
And then after that, you have a specific
address for your house, aside from that.
Yeah.
So what we will be exchanging
in that example is,
we need to know each
other’s numbers to know,
okay, I'm communicating
with this [ ] number.
But then I will send-
And prefix, IP prefix.
Okay.
So that combination
will identify the destination
you can send the traffic to.
Okay.
Because at the end of the day,
you need to know how to send the packages
from one point to another point. Right.
Okay.
So that makes the internet work.
Yeah.
Yeah okay.
So BGP is there to exchange
all this information
to make sure all these networks
can eventually talk to each other.
Let's move on then
to the BGP Vortex.
That's what the research
paper was about. Yes.
Can you explain a bit
how that works?
So, I didn't read the paper in full, but I looked
at the presentation that the researcher did.
What the Vortex does is, it uses
a feature of the BGP updates
in order to trigger a condition
where the upstream provider just
registers the route and
then takes it away.
Right?
So it's just like an oscillation.
Yeah.
So for instance, imagine you've
used navigation, Google Maps.
Yeah. Yeah.
To get to your destination, right?
And then because of a
roadblock it's a [ ] route.
But then suddenly it's just showing
you another route, continuously.
Constant updates. Constant updates,
something like that.
Then there must be something
wrong with the system.
It's somewhat similar.
It's not exactly the same, but you just create a condition
from the downstream, to the upstream.
And now, I also need to
go back a little bit to
how the commercial
relations on the internet actually work.
For instance,
one network in the Netherlands, right,
wants to toggle the network in the US
or in Hong Kong or elsewhere in the world.
I mean, what they can do is, yeah,
obviously they can run a direct connection
from the Netherlands to the US,
but that never happens.
It's unlikely because of the internet,
there's a connectivity map.
It's very expensive. Right.
So that network from the Netherlands
has to rely on what we call
the transit provider. Right.
And then the transit provider says, okay,
I will advertise your prefix
from your network and I will carry
the traffic over to the global internet.
Okay.
So basically the network
from the Netherlands,
in the example is the downstream,
for the upstream provider.
Yeah.
So say for instance, I don't know what
internet provider you are using?
I'm using Freedom.
Oh, good.
Yeah.
So Freedom.
Freedom is, well, it's an
internet provider here. [ ]
So, they have to rely on their transit
provider, a bigger network, let's say
Deutsche Telekom, for instance,
or KPN or so,
to carry the traffic from the customer
to the international market. All right.
So basically, let's go back
to what BGP Vortex is.
What happens in that scenario
is one downstream customer.
They connect to three upstream ASes.
Yeah.
And then from their BGP
router they send an update,
and that update contains two things, from what
I understand from the paper, which they call
BGP communities. Okay.
And what is a BGP community?
It's just something that
you attach to the BGP update
to tell the upstream customer, okay,
this is how I want you to treat my prefixes.
Is this kind of setting, hey, this is
the priority you give to my prefixes?
Yes. Something like that.
So for instance, well,
if you send a package
by PostNL or DHL,
you have the option to say,
hey, I want to put a priority
tag on my package, right?
It is something similar.
So you have to tell
the upstream, with the BGP
communities, how
they should treat your prefixes.
Okay. Yeah. So there are two communities
that the researcher inserted in the...
One is to lower what they
call the local preference.
So, the upstream is like,
okay, don't prioritize my prefixes.
Yeah. [ ] the rest. Yeah.
So your router should not
use the route towards me.
Yeah.
And the second thing is the
no-export community.
So with the no-export community,
they tell the upstream, don't export
my community to your peers.
Simple.
And then, people who
probably want...
We'll put the link to the presentation
there, so people can get it.
I don't want to explain too much of that.
But then basically they send
the update with those two communities
to the three upstream providers
and create a confusing situation.
Yeah, it's going to update itself.
Getting in [ ].
So basically upstream one says,
okay, I received this route.
Then I don't export it to upstream two. And upstream
two does not export it to upstream three.
But then again, because of the
other update, it just confuses
the routers of the upstream provider
and creates a sort of
endless loop of BGP updates.
And that will amplify. It'll just amplify.
And then in the end it will fall down
or break down because the resources-
- are depleted.
Yeah. Because basically, BGP is an application
that is really CPU intensive.
Okay.
And if I'm an attacker
and I want to pull this off.
So I want to send this update
to an upstream provider,
and I want to include this BGP
community, for example.
What do I need to pull this off?
Do I need to have access directly
or can I pull this off externally?
I mean, let's say
if they want to induce it, then let's say
a bad actor gets hold of a legitimate downstream client.
Okay, I already need to be on a client.
Yeah.
So if they have access to the BGP browser
of the client, they can configure
this kind of update in the
downstream client's BGP routers.
All right.
But then, here's where it's...
I personally don't think this
would break down the whole...
because one of the conditions,
[ ] condition is, the upstream provider
has to honor those communities.
Right. And probably in
the realistic scenario,
it is not... Normally it is not configured
to accept the incoming change on the BGP
community. Yeah, because the
upstream providers cannot really say,
by default, accept those communities.
They have to have a policy
tool inspect it in order to
accept it or not.
So, I talked to Stavros, one of my
coworkers, who said that even sometimes
for the lower local preference community,
which is a well-known community,
some of the vendors just say,
by default, I don't accept that.
Okay.
Because it could create
some unwanted consequences.
So from the upstream provider's
perspective, you need to switch that on.
Okay.
And that is a nice bridge to
the next question I had, which is
how can we prevent this?
So disabling some of the
communities might help.
Are there other things that we
might be able to do to prevent
this malicious update from being
received and processed?
Yeah. So, I mean, the downstream client,
let's say, if they get... they can become malicious
and then they want to trigger
that kind of condition. Right.
But then they need
to send the prefix to the upstream.
And the upstream has all the
mechanisms and the tools in
order to inspect and see, okay,
whether this is acceptable or not.
So it's not by default.
Yeah.
I mean, if the upstream doesn't do that,
if the transit provider
doesn't do that, then it could
create a lot more problems.
So by accepting
those types of community by default,
it's like your router at home, you know,
where the password of your router at home
is the default password.
Yeah, is it fair to say that
maybe the problems that
we had in the past with BGP
already led to an optimization
of the configuration,
so that most of these routers are also already
quite protected against this attack?
Yeah.
I mean, the BGP protocol and the BGP
protocol deployment within the internet
has been around for at least 30 years already.
So operators have all kinds
of lessons learned and mechanisms
in order to prevent it from happening.
And one of the effects of the amplification
is it could break down the BGP
router CPU, it could overload it.
But right now,
if you're talking about the core
of the internet, the backbone,
that hardware is really powerful, it can handle
this kind of update amplification easily.
Yeah.
So it's not likely to happen,
at least not with these modern routers.
Yes, yes. Okay. Yeah.
And that's also fair that you say
because BGP has a history
of being quite resource intensive on CPUs.
I also want to bring forward here that in the research
they only tested this with limited hardware.
And I believe with a virtual router.
Yes. To test the exchange and if
they could trigger this Vortex.
Yes, that's correct.
That's correct, yeah.
Okay.
So, but in the unlikely event that
I am a downstream client,
and I want to send this
malicious update to
trigger this Vortex upstream.
If I'm successful at that,
will it then cripple
the whole internet, or will it be
localized to this upstream...
No, I think it would be somewhat
limited, it will be localized.
Also, because
when the Vortex happens,
what they describe in the paper is,
it is purely theoretical.
Right. And then in practice, the upstream providers,
they definitely monitor the network.
And if they see these kinds
of things happening, then
they can shut down
the session immediately.
Just the BGP session. Yeah.
Okay. Yeah. Because, I mean,
at AMS-IX we will not
interfere with direct BGP
peering between our members.
That is just between members.
But then sometimes our network
operations also receive questions:
hey, why do I receive this
many BGP updates from this peer?
And we say, well, you need to contact
them to see what is going on.
We are not managing them.
Yeah, that might be good
to put in perspective,
what AMS-IX is doing and
what their members are doing.
So AMS-IX is more the network connectivity,
so Layer 2 connectivity, and then
the members, they can exchange
BGP information and they need to
make sure they are protected
on the configuration level so that
they won't cause this Vortex.
Let's say it's like this,
the analogy for AMS-IX
is, okay, we're just like a
conference room provider, right?
So we provide conference rooms,
we rent out conference rooms
so people can come there
and then do the talk.
We don't interfere with
what they are talking [about].
We just provide the rooms
for people to meet.
That's something that we ...
Okay. That makes sense.
That puts everything, I think,
really in perspective.
I think that already brings us
to the end of this recording.
So the BGP Vortex
is in theory possible.
But because most of the upstream
providers already have
all kinds of measures in place
to prevent not only this attack
but also others, it's highly impractical.
Given the existing controls. Yeah.
So, I mean, in conclusion, they have
a mechanism to control it.
I mean, talking about
network operators.
Right.
They have experience dealing
with this because, well,
the whole global internet
is a very dynamic environment.
Right.
So, if we talk about prefix updates, BGP updates,
happening in the global internet, it happens daily.
Sometimes you have outages and then
somebody pulls like 100s or 1000s of...
They need to be propagated
to the internet.
So yeah, I mean, a massive BGP update is
nothing new for the network operators.
And they have the experience
to deal with that,
they do have the monitoring systems
to deal with that.
And now more and more they have
automation to deal with that. Okay.
So if they already see something that might
look like the BGP Vortex initiating. Yeah.
Then they already cut it off,
or they simply drop it, or whatever
they do, at least they protect themselves.
Okay.
That brings us to an end of this episode.
So thank you, Eric.
And, thank you to our listeners.
I hope that you like what you saw.
So please click like and subscribe,
and I hope to see you next time.
Thank you.
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.