Cisco: 6 best practice security tips for BGP

As we all know, in today’s digital communication world, there is a very big possibility that your network is or was target for a malicious activity. BGP is one of the most targeted routing protocols when we are talking about network attacks.Why? This is quite simple. BGP is your connection to the exterior world (peer networks, Internet and everything which is outside your LAN/MAN), so it is somehow normal to be the main target of the conducted attacks. If in case of the WWW, DNS, E-mail services we can say that maybe an attack was not intentionally made (e.g. a user got infected with some trojan/malware/botnet tool that is attacking random destinations), in the case of BGP, you can be 90% sure that this is an intentionally conducted attack. The main scope of a BGP attack is to flood the network with false information (e.g. false network prefixes) in this way trying to direct interesting traffic to special destinations where this can be sniffed and decoded.

I will present here 6 tips that I’m using the most to protect BGP against malicious information. This is really easy to implement, if you have any basic idea about how to configure BGP protocol, but it can save you from hours of troubleshooting and investigation.

1. Limit the maximum number of prefixes that you learn from BGP peer, to avoid overload of your machine.
2. Deny updates that include a private AS number in the AS Path (64512 – 65535).
3. Use ACLs on your external interface to permit input/output BGP packets only from your defined source and destination
4. Limit TTL in BGP packets to limit the communication only with next-hop peers.
5. Use a password  to authenticate peer neighbors.
6. Limit the maximum length of  the AS path

Also here I would like to mention, not necessary as a security tip, but more like a best practice,  enable when it is possible logging. This can help you to observe some strange behavior that occur on your machines where you are not arround them.

There is no topology present for this tutorial, but we will assume that we have a point-to-point serial connection between 2 routers, R2 (10.0.23.2) and R3 (10.0.23.3). Please click the image below to view the tutorial:

BGP Security tips

If for some reasons the tutorial above is not available for you, please check this text file which present in text mode everything  needed to implement BGP security tips presented above.

How to force Loopack interface to be advertised with a /24 netmask

Many of you already know that usually when you advertise a Loopback interface into OSPF it is advertised with /32 netmask (one IP address) even if the IP address under Loopback interface is with a /24 netmask. If you checked my previous post, you’ll see at the end that I’m right, and the Lo0 address is advertised with /32 netmask.

But what if you have to advertised as a /24 subnet (task require or some testing) ? There is “dirty little trick” to do it. I will use the same topology and design like in the post before. If you do no have the topology please download it here.

Watch the movie: