BGP Security
BGP is a critical component of the internet: bring BGP down and you bring down the internet, or at least large portions of it. The problem is that BGP, as it is implemented and deployed today, is highly vulnerable to many types of attacks.
BGP runs over TCP on port 179 and therefore inherits all the common TCP attacks, such as replay, man-in-the-middle and denial-of-service attacks. BGP as an application also has its own set of attacks against its implementation and its messages.
If you want to know how severe an attack against BGP can be, check out the six worst internet routing attacks.
A lot of effort and many projects are currently going into solving these known vulnerabilities of BGP and providing a more secure and stable internet. Some of them are run by governments, research centers or even internet communities. The Secure BGP project (S-BGP) and Secure Origin BGP (soBGP) are examples.
However, realistically none of these is going to be widely implemented or deployed soon, and I believe such a transition will take years from now. Unfortunately, until we see the day of S-BGP or something like it, we have to harden our BGP peering sessions ourselves.
Below are some tips:
- First of all, harden your router. Make sure no unauthorized person can ever gain access to your network equipment, or you may easily find yourself the source of the next internet attack.
- Make sure your address allocation information, peering information, passwords, etc. are kept up to date in the internet registry databases. Some Tier 1 providers use this information to enforce security policies.
- Always use MD5 authentication when establishing your peering sessions. This will protect you against most TCP attacks, or at least make them a lot harder for the attacker.
- Always be specific in your routing policies. Make sure you are accepting and advertising the right prefixes through explicitly configured routing policies, and never leave it to chance.
- Make sure that you are receiving and advertising what you expect, especially from your customers. You can also use features like maximum-prefix limits and maximum AS-path length limits, which will protect you and your customer, especially from human mistakes such as a multihomed customer accidentally making itself a transit AS.
- Finally, do your normal housekeeping. Keep an eye on your BGP, use logging and monitoring tools, and be proactive about any abnormal behaviour or statistics related to your internet routing.
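To make the policy tips concrete, here is an added example (not code from the original post) that models the inbound policy a provider would apply to routes received from a customer session: a prefix-list built from the customer's registered allocations, a bogon and default-route filter, an AS-path check that flags ASNs outside the customer's cone (the transit-leak case described above), an AS-path length limit, and a maximum-prefix limit. The announcements, prefixes (documentation ranges) and ASNs (private-use range) are constructed for the example; MD5 authentication and registry updates are session and registry settings and are not modelled here.

```python
"""Inbound BGP policy checker: prefix-list, AS-path and maximum-prefix checks.

Added example, not the post's code. Sample data is constructed from
documentation prefixes and private-use ASNs; the policy model is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # AS_PATH left to right, neighbor AS first


@dataclass(frozen=True)
class CustomerPolicy:
    asn: int                  # the customer's own AS number
    allowed_prefixes: tuple   # prefixes registered to the customer (e.g. IRR route objects)
    customer_cone: frozenset  # ASNs the customer may carry: itself and its own customers
    max_prefixes: int         # maximum-prefix limit for the session
    max_as_path_len: int      # longest AS-path accepted
    max_length: int = 24      # most specific IPv4 prefix accepted from a customer


# Address space that must never be accepted from any peer (constructed subset of bogons).
BOGONS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
))


def check_prefix(prefix, policy):
    """Return None if the prefix passes the prefix-list, else the reason it fails."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen == 0:
        return "default route"
    if any(net.subnet_of(b) for b in BOGONS):
        return "bogon prefix"
    if net.prefixlen > policy.max_length:
        return f"more specific than /{policy.max_length}"
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in policy.allowed_prefixes):
        return "prefix not registered to this customer"
    return None


def check_as_path(as_path, policy):
    """Return None if the AS_PATH passes, else the reason it fails."""
    if not as_path or as_path[0] != policy.asn:
        return "first AS is not the neighbor AS"
    if len(as_path) > policy.max_as_path_len:
        return f"AS-path longer than {policy.max_as_path_len}"
    foreign = [a for a in as_path if a not in policy.customer_cone]
    if foreign:
        # An AS outside the customer cone means the customer is re-advertising
        # routes learned from another provider or peer, i.e. acting as transit.
        return f"AS outside customer cone (possible transit leak): {foreign}"
    return None


def evaluate_session(announcements, policy):
    """Apply the inbound policy to every announcement received on one session.

    Returns (decisions, accepted, session_ok). decisions is a list of
    (prefix, as_path, "accept" or rejection reason); session_ok is False when
    the accepted count exceeds the maximum-prefix limit, which a router would
    normally answer by tearing the session down.
    """
    decisions, accepted = [], 0
    for ann in announcements:
        reason = check_prefix(ann.prefix, policy) or check_as_path(ann.as_path, policy)
        decisions.append((ann.prefix, ann.as_path, reason or "accept"))
        if reason is None:
            accepted += 1
    return decisions, accepted, accepted <= policy.max_prefixes


# Constructed session: customer AS 64500 with a downstream AS 64501; the
# downstream is multihomed to us and to another provider, AS 64496.
POLICY = CustomerPolicy(
    asn=64500,
    allowed_prefixes=("203.0.113.0/24", "198.51.100.0/24"),
    customer_cone=frozenset({64500, 64501}),
    max_prefixes=3,
    max_as_path_len=10,
)

SAMPLE = [
    Announcement("203.0.113.0/24", (64500,)),                # customer's own prefix: accept
    Announcement("198.51.100.0/24", (64500, 64501)),         # downstream's prefix: accept
    Announcement("203.0.113.128/25", (64500,)),              # more specific than /24: reject
    Announcement("192.168.0.0/16", (64500,)),                # bogon: reject
    Announcement("192.0.2.0/24", (64500,)),                  # not registered to customer: reject
    Announcement("198.51.100.0/24", (64500, 64496, 64501)),  # learned via other provider: leak
    Announcement("0.0.0.0/0", (64500,)),                     # default route: reject
]

if __name__ == "__main__":
    decisions, accepted, ok = evaluate_session(SAMPLE, POLICY)
    for prefix, path, verdict in decisions:
        print(f"{prefix:18} {path!s:24} {verdict}")
    print(f"accepted {accepted}/{POLICY.max_prefixes}, session {'up' if ok else 'torn down'}")
```

The prefix check runs before the AS-path check, so a leaked route that is not registered to the customer is rejected by the prefix-list and never reaches the cone check; the sixth sample shows the case the prefix-list alone cannot catch, where a registered downstream prefix arrives through a path that passes through another provider.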
Happy Networking :)