DoS attack
Attackers can send various types of packets to attack a switch. If the packets are multicast protocol packets or are destined for an interface on the switch (including a loopback interface), the switch sends them directly to the CPU. This consumes CPU and system resources of the switch, and a DoS attack results.
Construction of malformed Border Gateway Protocol (BGP) packets
Attackers construct BGP packets whose AS_Path attribute is excessively long and send them to the switch, which must store and process every AS number in the path.
Quintuple attack
BGP uses TCP as its transport protocol, so a segment is accepted as part of a BGP session as long as its source address, destination address, source port, destination port, and TCP sequence number are correct. Most of these parameters, however, can easily be obtained or guessed by an attacker, who can then forge segments that the switch accepts.
Generalized TTL Security Mechanism (GTSM) attack
An attacker forges packets that look like genuine BGP packets and keeps sending them to the switch. The switch becomes busy processing these attack packets, and its CPU usage rises.
To defend against the preceding attacks, configure the following security policies on a switch:
CPCAR
After a BGP session is established, a whitelist entry for that session is delivered. The application layer association module inspects protocol packets sent to the CPU: packets that match the whitelist are sent to the CPU with high bandwidth at a high rate, while packets that do not match are sent with the default bandwidth at the default rate, which limits the effect of a DoS attack. In addition, CPCAR is applied on the interface to limit the rate at which BGP packets are sent to the CPU. This protects the CPU from the attack and keeps the network running.
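As an added illustration (not Huawei's code and not the switch's actual implementation), the following Python models the two-tier policing described above: each whitelisted session gets its own high-rate token bucket, and every other packet claiming to be BGP shares one default bucket. The 1024 kbit/s whitelist rate, the one-second bucket depth, the flow identifiers and the traffic are assumptions of the model; the 64 kbit/s default rate matches the cir 64 example configured later on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model: a flow is identified by its TCP 4-tuple (all traffic here
# is TCP port 179).
FiveTuple = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


@dataclass
class TokenBucket:
    """Single-rate token bucket.  cir is in kbit/s (as in 'car ... cir');
    the bucket depth (burst) is in bytes."""
    cir_kbps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)

    def allow(self, size_bytes: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last_t)
        # kbit/s -> bytes/s is * 1000 / 8 = * 125
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.cir_kbps * 125.0)
        self.last_t = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


class CpuDefend:
    """Packets of an established (whitelisted) BGP session are policed at a
    high rate; any other packet claiming to be BGP shares the default BGP CPCAR."""

    def __init__(self, default_cir_kbps: int = 64, whitelist_cir_kbps: int = 1024) -> None:
        # Bucket depth = one second of CIR (an assumption of this model).
        self.default_bucket = TokenBucket(default_cir_kbps, default_cir_kbps * 125)
        self.whitelist_cir_kbps = whitelist_cir_kbps
        self.whitelist: Dict[FiveTuple, TokenBucket] = {}
        self.stats = {"whitelist_pass": 0, "default_pass": 0, "dropped": 0}

    def session_established(self, flow: FiveTuple) -> None:
        """Model of the application layer association delivering a whitelist
        entry (with its own high-rate bucket) once a BGP session comes up."""
        self.whitelist[flow] = TokenBucket(self.whitelist_cir_kbps,
                                           self.whitelist_cir_kbps * 125)

    def punt(self, flow: FiveTuple, size_bytes: int, now: float) -> bool:
        """Decide whether a BGP packet is sent to the CPU; True means forwarded."""
        bucket = self.whitelist.get(flow)
        if bucket is not None:
            ok = bucket.allow(size_bytes, now)
            self.stats["whitelist_pass" if ok else "dropped"] += 1
        else:
            ok = self.default_bucket.allow(size_bytes, now)
            self.stats["default_pass" if ok else "dropped"] += 1
        return ok


def simulate_flood() -> Dict[str, int]:
    """Constructed traffic: 200 x 100-byte UPDATEs from the real peer and a
    burst of 200 x 100-byte forged 'BGP' segments from an unknown source, all
    arriving in the same instant (t = 0)."""
    cd = CpuDefend(default_cir_kbps=64)
    peer = ("10.1.1.2", "10.1.1.1", 179, 50001)
    cd.session_established(peer)
    for _ in range(200):
        cd.punt(peer, 100, 0.0)
    attacker = ("192.0.2.66", "10.1.1.1", 40000, 179)
    for _ in range(200):
        cd.punt(attacker, 100, 0.0)
    return dict(cd.stats)


if __name__ == "__main__":
    print(simulate_flood())
```

In the simulated burst the real session's 20 000 bytes fit in its own bucket, so all 200 of its packets reach the CPU, while the forged burst is capped by the default bucket (64 kbit/s, 8000 bytes of depth): 80 packets pass and 120 are dropped before they cost any CPU time. The whitelist bucket is per session, so the attacker cannot consume the legitimate peer's budget.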
Limitation on the number of AS_paths
When BGP receives a route, it checks whether the number of Autonomous System (AS) numbers in the AS_Path attribute exceeds the configured threshold. If it does, the switch discards the route. During route advertisement, the switch performs the same check and does not advertise a route whose AS_Path exceeds the threshold. This defends against maliciously constructed packets with excessively long AS_Path attributes.
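The following Python is an added example (not Huawei's code) of the two checks just described, applied to the wire format of the AS_PATH attribute value from RFC 4271: a sequence of path segments, each with a one-byte type (1 = AS_SET, 2 = AS_SEQUENCE), a one-byte count, and the AS numbers. It assumes 4-octet AS numbers (the four-octet AS capability) and counts every AS number in every segment against the limit; the sample paths are constructed test data. The builder, the limit of 200 and the local AS 100 mirror the as-path-limit 200 and bgp 100 configuration later on this page.

```python
import struct
from typing import List, Optional, Tuple

AS_SET, AS_SEQUENCE = 1, 2
Segment = Tuple[int, List[int]]  # (segment type, AS numbers)


def build_as_path(segments: List[Segment]) -> bytes:
    """Encode segments as an AS_PATH attribute value with 4-octet ASNs
    (helper used to construct the sample data below)."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("a path segment holds 1..255 AS numbers")
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack("!I", asn)
    return bytes(out)


def parse_as_path(attr: bytes) -> List[Segment]:
    """Parse an AS_PATH attribute value; malformed input raises ValueError."""
    segs: List[Segment] = []
    i = 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated path segment header")
        seg_type, count = attr[i], attr[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown path segment type {seg_type}")
        if count == 0:
            raise ValueError("empty path segment")
        end = i + 4 * count
        if end > len(attr):
            raise ValueError("path segment runs past end of attribute")
        segs.append((seg_type, list(struct.unpack(f"!{count}I", attr[i:end]))))
        i = end
    return segs


def as_number_count(attr: bytes) -> int:
    """Number of AS numbers in the attribute, counting every entry of every segment."""
    return sum(len(asns) for _, asns in parse_as_path(attr))


def accept_on_receive(attr: bytes, limit: int) -> bool:
    """Receive-side check: discard the route if its AS_PATH exceeds the limit.
    A malformed AS_PATH is rejected too rather than parsed optimistically."""
    try:
        return as_number_count(attr) <= limit
    except ValueError:
        return False


def prepend_local_as(segments: List[Segment], local_as: int) -> List[Segment]:
    """Prepend the local AS as an eBGP speaker does (RFC 4271 5.1.2): extend the
    leading AS_SEQUENCE if it has room, otherwise start a new one."""
    if segments and segments[0][0] == AS_SEQUENCE and len(segments[0][1]) < 255:
        return [(AS_SEQUENCE, [local_as] + segments[0][1])] + segments[1:]
    return [(AS_SEQUENCE, [local_as])] + segments


def advertise(attr: bytes, local_as: int, limit: int) -> Optional[bytes]:
    """Advertise-side check: return the AS_PATH to send, or None if prepending
    the local AS pushes it over the limit (route is not advertised)."""
    new_attr = build_as_path(prepend_local_as(parse_as_path(attr), local_as))
    return new_attr if as_number_count(new_attr) <= limit else None


# Constructed sample paths.
NORMAL = build_as_path([(AS_SEQUENCE, [65001, 65002, 65003])])
# Attacker's path: two full 255-entry segments, 510 AS numbers in total.
BLOATED = build_as_path([(AS_SEQUENCE, [64512] * 255), (AS_SEQUENCE, [64513] * 255)])
# Exactly at the limit: accepted on receive, but our own prepend takes it over.
AT_LIMIT = build_as_path([(AS_SEQUENCE, list(range(65000, 65200)))])
```

The AT_LIMIT case is why the switch checks in both directions: a 200-AS path passes the receive check, but after prepending the local AS it holds 201 and must not be advertised, otherwise the switch would relay the bloated path to its own peers.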
BGP MD5 authentication and BGP keychain authentication
BGP GTSM
To protect the switch against forged BGP packets, configure GTSM so that the switch checks the TTL value in the IP header of received BGP packets. Set the valid TTL range for each peer according to the network topology; packets from that peer whose TTL is outside the range are discarded. For packets that match no GTSM policy, the switch applies the configured default action, which permits or discards them depending on the network conditions. When the default action is drop, take care to set a correct TTL range for every peer, or legitimate sessions will be dropped as well.
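An added example (not Huawei's code) of the GTSM decision described above. It assumes the valid-ttl-hops semantics of the configuration later on this page, namely that a peer configured with N hops is accepted only when the packet's TTL lies in [255 - N + 1, 255], that a default action of pass or drop applies to packets from addresses with no GTSM entry, and that drops can be logged; the peer addresses and packets are constructed. The defence works because a router only ever decrements TTL in transit, so an attacker several hops away cannot make a forged packet arrive with a TTL of 255.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_TTL = 255


@dataclass
class GtsmPolicy:
    """Per-peer 'valid-ttl-hops' entries plus the action taken for packets that
    match no entry ('gtsm default-action drop | pass')."""
    peer_hops: Dict[str, int] = field(default_factory=dict)
    default_action: str = "pass"      # assumed default of this model
    log_drops: bool = False           # models 'gtsm log drop-packet all'
    drop_log: List[Tuple[str, int, str]] = field(default_factory=list)

    def add_peer(self, peer_ip: str, valid_ttl_hops: int) -> None:
        """'peer <ip> valid-ttl-hops <n>'."""
        if not 1 <= valid_ttl_hops <= MAX_TTL:
            raise ValueError("valid-ttl-hops must be in 1..255")
        self.peer_hops[peer_ip] = valid_ttl_hops

    def valid_range(self, peer_ip: str) -> Optional[Tuple[int, int]]:
        """TTL range accepted from a configured peer: [255 - hops + 1, 255]."""
        hops = self.peer_hops.get(peer_ip)
        return None if hops is None else (MAX_TTL - hops + 1, MAX_TTL)

    def check(self, src_ip: str, ttl: int) -> bool:
        """True if a BGP packet from src_ip carrying this IP TTL is accepted."""
        rng = self.valid_range(src_ip)
        if rng is None:
            ok = self.default_action == "pass"
            reason = "no GTSM entry for source"
        else:
            ok = rng[0] <= ttl <= rng[1]
            reason = f"TTL {ttl} outside [{rng[0]}, {rng[1]}]"
        if not ok and self.log_drops:
            self.drop_log.append((src_ip, ttl, reason))
        return ok


def arrival_ttl(initial_ttl: int, routers_crossed: int) -> int:
    """TTL seen by the switch after the packet crossed that many routers.
    Each router decrements the TTL; nothing on the path can raise it."""
    return max(0, initial_ttl - routers_crossed)


def scenario() -> Dict[str, bool]:
    """Constructed cases: peer 10.1.1.2 is directly connected (valid-ttl-hops 1),
    default action drop, drop logging on."""
    policy = GtsmPolicy(default_action="drop", log_drops=True)
    policy.add_peer("10.1.1.2", 1)
    return {
        # genuine peer: sends TTL 255, crosses no router, arrives with 255
        "real_peer": policy.check("10.1.1.2", arrival_ttl(255, 0)),
        # spoofed source 10.1.1.2 from three routers away: arrives with 252
        "spoofed_from_3_hops": policy.check("10.1.1.2", arrival_ttl(255, 3)),
        # unknown source with a perfect TTL: no entry, so the default action decides
        "unknown_source": policy.check("192.0.2.66", 255),
    }


if __name__ == "__main__":
    print(scenario())
```

With default-action drop, the third case is rejected even though its TTL is 255; with default-action pass it would be handed to BGP, which is the trade-off the gtsm default-action command controls.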
Modify the CPCAR value of BGP packets.
Improper CPCAR settings affect services. If you need to adjust CPCAR settings, contact technical support personnel.
Change the rate at which BGP packets are sent to the CPU to 64 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] car packet-type bgp cir 64
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1 global
[HUAWEI] cpu-defend-policy 1
Set the maximum number of AS numbers in the AS_Path attribute.
Set the maximum number of AS numbers allowed in the AS_Path attribute to 200.
<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] as-path-limit 200
Configure keychain authentication.
Configure keychain authentication for the BGP peer 10.1.1.2 using a keychain named huawei.
<HUAWEI> system-view
[HUAWEI] keychain huawei mode absolute
[HUAWEI-keychain-huawei] key-id 1
[HUAWEI-keychain-huawei-keyid-1] algorithm sha-256
[HUAWEI-keychain-huawei-keyid-1] key-string cipher Huawei@1234
[HUAWEI-keychain-huawei-keyid-1] quit
[HUAWEI-keychain-huawei] quit
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.2 as-number 200
[HUAWEI-bgp] peer 10.1.1.2 keychain huawei
Configure BGP GTSM.
Configure GTSM for the directly connected BGP peer 10.1.1.2, so that only packets from that peer with a TTL of 255 are accepted.
<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.2 as-number 200
[HUAWEI-bgp] peer 10.1.1.2 valid-ttl-hops 1
For packets that match no GTSM policy, run the gtsm default-action pass command (or the undo gtsm default-action drop command) to permit them, or the gtsm default-action drop command to drop them. To record information about the dropped packets, enable logging with the gtsm log drop-packet all command; the log is the quickest way to tell a misconfigured TTL range from a real attack.