One more for the BGP vulnerability collection: how the Kirin attack works

Over the decades the protocol has existed, many vulnerabilities have been found in it, and recently a group of researchers described another one. Here is what it is about.

A bit of context

The BGP dynamic routing protocol dates from the late eighties, and its core design has changed little since. Many experts note that it copes poorly with today's scale, since it was designed for a far smaller Internet [indirectly confirming this view is the well-known story that the first version was sketched by its authors over lunch on two napkins]. Unsurprisingly, security teams regularly record BGP-related incidents affecting large cloud providers, telecom operators and entire countries.

For example, in 2020 a major American provider made a mistake while changing its BGP configuration. While trying to move traffic off one backbone link, engineers accidentally removed the settings responsible for route filtering. Part of the network collapsed, and for about half an hour major social networks and online services were unreachable.

Beyond configuration mistakes, BGP implementations have accumulated their own security problems over time. Last year researchers disclosed a series of flaws in the parsing of BGP messages in FRRouting: CVE-2022-40302, CVE-2022-40318 and CVE-2022-43681, each rated 6.5 (medium) on the CVSS scale. Specially crafted BGP OPEN messages that the implementation failed to validate triggered out-of-bounds reads in the parser; bgpd could crash, tearing down the router's established BGP sessions and leaving peers unanswered, which creates conditions for a denial of service.

Most recently, a group of researchers presented a new class of attack on BGP at the HotNets 2022 networking workshop: Kirin (not to be confused with the chipsets of the same name).

How it works

The Kirin attack aims to overload routers. It relies on an enormous number of IPv6 routes: a single IPv6 allocation can be de-aggregated into tens or hundreds of thousands of /48 prefixes, and attackers announce them over many BGP sessions, among others through Internet exchange point (IXP) route servers, to exhaust the route memory of victim routers. Once a router's tables are full, it starts dropping traffic or shuts down. Carrier-grade routers typically hold a few million routes, but under this kind of overload even high-end devices fail to cope.

What makes the attack dangerous is its distributed nature: Kirin spreads the announcements over thousands of BGP sessions from many autonomous systems, so no single session exceeds the per-neighbour maximum-prefix limit, and the usual defences (per-session prefix limits, prefix filters) are bypassed. Moreover, since virtual servers with BGP sessions are cheap and easy to rent, the infrastructure for the attack can be deployed at minimal cost and from legitimate ASes.
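The two ingredients above, de-aggregation of one IPv6 block and the fact that a per-session limit says nothing about the sum over sessions, can be checked with a few lines of arithmetic. The following model is an added example written for this article, not code from the Kirin researchers; the router capacity, the per-session limit and the 2001:db8::/32 block are constructed values chosen for illustration.

```python
import ipaddress
import itertools

# Constructed parameters for illustration only; they are not measurements from the Kirin paper.
ROUTER_CAPACITY = 2_000_000        # assumed number of route slots on the victim router
PER_SESSION_LIMIT = 100_000        # assumed per-neighbour maximum-prefix limit


def deaggregate_count(block: str, target_len: int = 48) -> int:
    """How many more-specific routes one IPv6 allocation yields when split down to /target_len.
    Most operators accept IPv6 prefixes up to /48, so /48 is the attacker's natural choice."""
    net = ipaddress.ip_network(block)
    if target_len < net.prefixlen:
        raise ValueError("target prefix must not be shorter than the allocation")
    return 2 ** (target_len - net.prefixlen)


def sample_more_specifics(block: str, target_len: int = 48, n: int = 3) -> list:
    """First n more-specifics, to show what the announced routes actually look like."""
    net = ipaddress.ip_network(block)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=target_len), n)]


def victim_router(sessions: list, capacity: int = ROUTER_CAPACITY,
                  per_session_limit: int = PER_SESSION_LIMIT) -> dict:
    """Model of a router whose only defence is a per-session maximum-prefix limit.
    `sessions` holds one route count per BGP neighbour. A session that exceeds its
    limit is reset and contributes nothing; every other session's routes are
    installed, and the table overflows if their sum beats the capacity."""
    installed = 0
    reset = 0
    for routes in sessions:
        if routes > per_session_limit:
            reset += 1
            continue
        installed += routes
    return {"installed": installed, "sessions_reset": reset, "overflow": installed > capacity}


if __name__ == "__main__":
    print(deaggregate_count("2001:db8::/32"))        # one /32 -> 65536 /48 routes
    print(sample_more_specifics("2001:db8::/32"))
    # One fat session: the limit fires, the session is reset, the attack fails.
    print(victim_router([600_000]))
    # Kirin-style: 30 sessions, each well under the limit, but the same total.
    print(victim_router([90_000] * 30))
```

The point of the last two calls is that the defence the router has is per neighbour: 600,000 routes on one session are refused, while 30 sessions of 90,000 each are all accepted and overflow the table. A /29 allocation, which RIRs commonly hand out, de-aggregates into 524,288 /48s on its own.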

To counter such attacks, a post on the APNIC blog recommends that network operators monitor the size of their routing tables and set per-peer prefix limits based on statistics from previous days; watching for abnormal behaviour will also help detect a mass announcement of previously unseen prefixes. The researchers have also published an open source implementation of a possible protection mechanism.
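The three checks recommended above (per-peer limits derived from history, a limit on growth of the whole table, and a watch on unfamiliar prefixes) are simple enough to script. This is an added example for this article, not the researchers' published tool; the snapshot log, peer names and thresholds are constructed, and the headroom and growth figures are assumptions an operator would tune to their own network.

```python
from collections import defaultdict

# Constructed snapshot log, one line per peer per daily snapshot:
# "<day> <peer> <accepted_prefixes>". Not real data; the numbers just look like
# a small, stable IPv6 peering.
SNAPSHOTS = """\
day1 peerA 950
day1 peerB 1200
day2 peerA 960
day2 peerB 1180
day3 peerA 940
day3 peerB 1210
"""


def parse_snapshots(text: str) -> dict:
    """Returns {peer: [daily counts]} in log order."""
    per_peer = defaultdict(list)
    for line in text.strip().splitlines():
        _day, peer, count = line.split()
        per_peer[peer].append(int(count))
    return dict(per_peer)


def suggest_max_prefix(history: dict, headroom: float = 0.5, floor: int = 100) -> dict:
    """Per-peer maximum-prefix limit: the peer's highest count seen plus headroom.
    A peer with no history at all (a brand-new session) should get the floor value."""
    return {peer: max(floor, int(max(counts) * (1 + headroom)))
            for peer, counts in history.items()}


def table_baseline(history: dict) -> int:
    """Largest total table size seen on any single day in the history."""
    days = max(len(c) for c in history.values())
    return max(sum(c[d] for c in history.values() if d < len(c)) for d in range(days))


def check_table_growth(history: dict, current_total: int, max_growth: float = 0.2) -> dict:
    """Alert when the whole table exceeds the baseline by more than max_growth,
    regardless of which sessions the extra routes came from. This is the check
    that a distributed attack cannot dodge by staying under every per-peer limit."""
    baseline = table_baseline(history)
    ratio = current_total / baseline
    return {"baseline": baseline, "ratio": round(ratio, 3), "alert": ratio > 1 + max_growth}


def new_prefix_share(known: set, batch: list) -> float:
    """Fraction of prefixes in an UPDATE batch never seen before; a burst of
    unfamiliar prefixes is the other signal worth alerting on."""
    if not batch:
        return 0.0
    return sum(1 for p in batch if p not in known) / len(batch)


if __name__ == "__main__":
    history = parse_snapshots(SNAPSHOTS)
    print(suggest_max_prefix(history))            # {'peerA': 1440, 'peerB': 1815}
    # Kirin-style scenario: 30 new sessions, 90 prefixes each, all under the floor of 100,
    # so no per-peer limit fires, but the table more than doubles.
    print(check_table_growth(history, table_baseline(history) + 30 * 90))
    print(new_prefix_share({"2001:db8:1::/48"}, ["2001:db8:1::/48", "2001:db8:2::/48"]))
```

In FRRouting the per-peer knob that `suggest_max_prefix` feeds is `neighbor <peer> maximum-prefix <n>`; the table-growth check has no single configuration equivalent and belongs in monitoring, which is exactly why the text recommends it.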

Reconsider network architecture

Over BGP's lifetime, extensions have been added to close a number of holes, but solving one problem has often created two more. The BGPsec extension, for example, prevents forging of the AS path by replacing the traditional AS_PATH with an attribute in which every AS on the path digitally signs its hop. The additional cryptographic operations, however, increase the control-plane load on routers: each received route needs one signature verification per AS on its path, which slows route processing and convergence (packet forwarding itself is unaffected).
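How the signed path stops tampering, and where the per-hop cost comes from, is easiest to see in a small model. The code below is an added example for this article, not BGPsec reference code: it keeps the essential chaining of RFC 8205 (each AS signs the AS it forwards to, its own hop, the prefix and the previous signature) but, to run with the standard library alone, uses an HMAC with a per-AS secret as a stand-in for the ECDSA P-256 signatures and RPKI-certified router keys a real deployment would use. AS numbers and the prefix are constructed.

```python
import hashlib
import hmac

# Stand-in for each AS's RPKI-certified router key. Real BGPsec uses ECDSA P-256
# public-key signatures; an HMAC per AS plays that role here so the example runs
# offline. The chaining logic, not the primitive, is what the example shows.
ROUTER_KEYS = {65001: b"key-65001", 65002: b"key-65002", 65003: b"key-65003"}


def _to_be_signed(target_as: int, own_as: int, prefix: str, prev_sig: bytes) -> bytes:
    # Each hop commits to the AS it forwards to (target), its own AS, the prefix and
    # the previous hop's signature, so the chain cannot be cut short or spliced.
    return hashlib.sha256(f"{target_as}|{own_as}|{prefix}|{prev_sig.hex()}".encode()).digest()


def _sign(asn: int, data: bytes) -> bytes:
    return hmac.new(ROUTER_KEYS[asn], data, "sha256").digest()


def originate(prefix: str, origin_as: int, target_as: int) -> dict:
    """The origin AS creates the signed update it sends to target_as."""
    sig = _sign(origin_as, _to_be_signed(target_as, origin_as, prefix, b""))
    return {"prefix": prefix, "path": [origin_as], "targets": [target_as], "sigs": [sig]}


def forward(update: dict, own_as: int, target_as: int) -> dict:
    """A transit AS appends its own hop and signature before sending the route on."""
    sig = _sign(own_as, _to_be_signed(target_as, own_as, update["prefix"], update["sigs"][-1]))
    return {"prefix": update["prefix"],
            "path": update["path"] + [own_as],
            "targets": update["targets"] + [target_as],
            "sigs": update["sigs"] + [sig]}


def validate(update: dict, receiver_as: int) -> tuple:
    """The receiver walks the path from the origin. Returns (valid, signature_checks):
    one verification per AS on the path, which is the extra control-plane work."""
    path, targets, sigs = update["path"], update["targets"], update["sigs"]
    checks = 0
    prev = b""
    for i, (asn, target, sig) in enumerate(zip(path, targets, sigs)):
        expected_target = path[i + 1] if i + 1 < len(path) else receiver_as
        if target != expected_target or asn not in ROUTER_KEYS:
            return False, checks
        checks += 1
        if not hmac.compare_digest(sig, _sign(asn, _to_be_signed(target, asn, update["prefix"], prev))):
            return False, checks
        prev = sig
    return True, checks


def strip_last_hop(update: dict) -> dict:
    """Path-shortening attack: drop the last AS so the route looks closer than it is."""
    return {k: (v[:-1] if isinstance(v, list) else v) for k, v in update.items()}


if __name__ == "__main__":
    upd = forward(originate("2001:db8::/32", 65001, 65002), 65002, 65003)
    print(validate(upd, 65003))                  # (True, 2): two ASes, two verifications
    print(validate(strip_last_hop(upd), 65003))  # (False, 0): 65001 signed for 65002, not 65003
```

With a plain AS_PATH the shortened route would simply look like a better one; here it fails before a single signature is checked, because the origin's signature names 65002 as the next hop. The cost side is the `checks` counter: a full table of roughly a million routes with an average path of four ASes means several million verifications every time a session is re-established.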

Today one can find the opinion in the IT community that BGP cannot be patched indefinitely. Hence the projects whose authors call for rethinking the architecture of the Internet and replacing the protocol with something new.

One of them is MobilityFirst, an experiment in building an Internet architecture from scratch, optimised for mobile and wireless devices. Its main components are globally unique identifiers (GUIDs), self-certifying names derived from public keys for every object attached to the network, and generalized storage-aware routing (GSTAR), a delay-tolerant scheme that copes with unstable wireless links and temporary loss of connectivity. This separation of names, identifiers and addresses is meant, in theory, to give mobile devices seamless and secure communication.

Another example is NEBULA. The project rests on the hypothesis that cloud computing will become the dominant technology. Its main goal is fault-tolerant, highly available network services that route traffic over multiple independent paths. The NEBULA architecture has three components. NCore handles routing and connectivity between data centres. NDP, the NEBULA data plane, is a policy-enforcing data plane that improves accountability and supports route authorisation. NVENT manages network configuration dynamically, letting the architecture adapt to different kinds of networks.

Another architecture is SCION, which we have already mentioned in our blog. Unlike BGP, where end hosts have no say in the route their packets take, SCION gives the sender control over the path to the destination, built from path segments discovered through beaconing.

Beacon servers generate and collect the data needed to build routes between autonomous systems (ASes) and isolation domains (ISDs); user traffic is handled by the data plane. The chosen path itself is carried in the SCION packet header, so border routers forward on the header rather than on a locally computed routing table. The forwarding model resembles the one proposed in LISP (RFC 6830). Notably, deploying SCION requires no changes to a provider's existing infrastructure: SCION packets are simply encapsulated in whatever local forwarding technology is in use, such as MPLS.
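The difference between "the routers decide" and "the sender decides" is concrete once segments are written down. The following is an added example for this article, not code from the SCION project: it models up, core and down segments within one isolation domain as plain lists of AS names, combines them into end-to-end paths, and shows a border router forwarding purely from the header. The topology (cores C1 and C2, leaf ASes A and B) is constructed, and hop-field MACs, beacon signatures and multi-ISD paths are deliberately left out.

```python
# Constructed topology inside one ISD: core ASes C1 and C2 are interconnected;
# A has links to both cores, B as well. Segments are lists of AS names, in the
# direction the packet travels.
UP_SEGMENTS = {            # learned by A from beacons propagated down from the cores
    "A": [["A", "C1"], ["A", "C2"]],
}
CORE_SEGMENTS = [["C1", "C2"], ["C2", "C1"]]
DOWN_SEGMENTS = {          # registered by B so that sources can reach it from a core
    "B": [["C1", "B"], ["C2", "B"]],
}


def candidate_paths(src: str, dst: str) -> list:
    """Every up+core+down combination, or up+down when both end at the same core."""
    paths = []
    for up in UP_SEGMENTS.get(src, []):
        for down in DOWN_SEGMENTS.get(dst, []):
            if up[-1] == down[0]:                      # same core AS: no core segment needed
                paths.append(up + down[1:])
            for core in CORE_SEGMENTS:
                if core[0] == up[-1] and core[-1] == down[0]:
                    paths.append(up + core[1:] + down[1:])
    return paths


def choose_path(src: str, dst: str, avoid: set = frozenset()) -> list:
    """The sender, not the routers, picks the path: here the shortest one that
    avoids the ASes the sender does not trust."""
    ok = [p for p in candidate_paths(src, dst) if not (set(p) & avoid)]
    if not ok:
        raise LookupError("no path satisfies the sender's policy")
    return min(ok, key=len)


def build_packet(src: str, dst: str, payload: bytes, avoid: set = frozenset()) -> dict:
    """The selected path travels in the packet header."""
    return {"path": choose_path(src, dst, avoid), "payload": payload}


def forward_hop(packet: dict, here: str):
    """A border router only reads the header: the next hop is the entry after its own
    AS. No routing-table lookup and no per-router decision about where to send it."""
    path = packet["path"]
    idx = path.index(here)
    return path[idx + 1] if idx + 1 < len(path) else None


if __name__ == "__main__":
    print(candidate_paths("A", "B"))              # four possible paths
    print(choose_path("A", "B"))                  # ['A', 'C1', 'B']
    pkt = build_packet("A", "B", b"hello", avoid={"C1"})
    print(pkt["path"])                            # ['A', 'C2', 'B']: sender routed around C1
    print(forward_hop(pkt, "C2"))                 # 'B'
```

Nothing on C1 or C2 could have pulled the packet back onto the avoided AS, because the path it must follow is already in the header; in BGP the same sender would have no way to express that preference at all.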

Despite the apparent variety of proposals, it is hard to predict what the architecture of the future Internet will be. MobilityFirst is moving from prototype to field trials, with tests under way at several universities, including MIT and the University of Michigan; its further development will depend on how those experiments go. SCION, meanwhile, is already deployed within the Swiss financial infrastructure that connects banks handling Swiss francs.

What else we write about in our blog:

  • More than Quagga: the FRRouting package. A compact piece on how the FRRouting software works: what is "under the hood", how Quagga is related, and what the IT community thinks of FRR. In particular, some experts point out features that can be inconvenient in day-to-day work.

  • Malware and internet from the cartel: strange "services" of Korean ISPs and more. One Korean provider infected its customers' devices with malware in an attempt to curb the use of p2p-based services. Meanwhile in Mexico, a criminal group became the main telecom operator in its region, forcing residents to use its services under threat of reprisal. We discuss these and other unusual stories from the world of internet infrastructure.

  • The smallest open source switch: how it works, what it offers, opinions and a few alternatives. We look at the mrxSwitch device, which is suited to consumer electronics. It was developed by a team of schoolchildren for robotics competitions and released as open source. In the article we go through the switch's components, community opinions and some similar projects.

  • Starving data centers and blackouts: how to solve the power shortage for IT infrastructure. Data centres consume ever more electricity, yet there are not enough sites for new ones. The reasons are the high cost of land that meets operators' requirements and the rapid growth of artificial intelligence systems, which need around 30 terawatt-hours a year. In the article we discuss possible solutions and the impact of blackouts on global infrastructure.

  • Cloud providers in the spotlight of Western regulators: a focus on fees and on work with AI systems. A compact overview of regulators' decisions concerning service providers, who increasingly face antitrust investigations and scrutiny of the fees charged for moving data between clouds. We discuss the reaction, community experience, and how AI systems fit into the overall picture.
