
How to mitigate a BGP hijacking attack?

A BGP hijacking attack (i.e., an adversary falsely announces a network prefix that it does not own) looks pretty straightforward and easy to launch.

Then, is there any way to mitigate this attack? Is detecting false BGP announcements the only way to deter it?

Also, can only big ASes, who have the data to detect the false announcement, do the job?

Yes, this is a bigger question than can be answered here.

This is, of course, the problem that BGPSec and BGP Origin Validation set out to mitigate.

The IETF SIDR working group has concluded its work and SIDROPS is working on the practical problems of deployment and operation.

"Why Is It Taking So Long to Secure Internet Routing?" is interesting. Also "BGP with BGPsec: Attacks and Countermeasures".

If ASes could "detect a false announcement" then it seems obvious that they would suppress them. But to detect a False Announcement you need a trustworthy source of True Announcements. That has proved to be a Big Problem. But it's worse than that. In "steady state" one can almost imagine a reasonable-size database of True Routes. But in response to network issues, large and small, the whole point of BGP is that new routes can be announced (including new, more-specific ones) to keep the traffic flowing. So your database of True Routes needs a separate protocol (with its own latency and trust issues) to keep it up to date :-(

From an ISP perspective, it is true that most customers and peers announce a limited and stable number of well-known routes. So precise route filtering looks like a way to mitigate the threat. But it's fiddly and time-consuming and prone to error and adds complexity and only marginally (if at all) benefits the ISP... and is inflexible (why not just configure static routes!).

Of course, even if a given AS is "entitled" to announce a given route, that does not guarantee they will handle the traffic "correctly" :-(

[I wonder if the NetworkEngineering folk have an up-to-date view of actual deployment of BGPSec and Origin Validation etc.?]
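The origin-validation idea the answer refers to, a trusted source of "True Announcements" checked against what a router actually receives, as an added example that is not part of the original question or answer: a small Python implementation of RPKI route origin validation with RFC 6811 semantics, run over constructed ROAs and announcements. The prefixes (documentation ranges), ASNs (private range), the `PREFIX-MAXLEN ASN` text format, and the names `parse_roa`, `validate_origin` and `filter_announcements` are all assumptions of this example. It also shows the two points the answer makes: a prefix with no ROA can only come back "not-found", which is why most operators still accept such routes, and a more-specific announced beyond the authorised maxLength is "invalid" even when it comes from the legitimate holder.

```python
"""RPKI route origin validation (RFC 6811 semantics) over constructed data.

Added example, not code from the original post.  Prefixes come from the
documentation ranges (RFC 5737 / RFC 3849) and ASNs from the private range,
so nothing here refers to a real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorises
    `origin_asn` to originate `prefix` and any more-specific of it
    up to `max_length` bits."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def parse_roa(line: str) -> ROA:
    """Parse the constructed text form 'PREFIX-MAXLEN ASN', e.g.
    '192.0.2.0/24-24 AS64500'.  The format is an assumption of this
    example, not any repository's export format."""
    prefix_part, asn_part = line.split()
    prefix_str, maxlen_str = prefix_part.rsplit("-", 1)
    prefix = ipaddress.ip_network(prefix_str, strict=True)
    max_length = int(maxlen_str)
    if not prefix.prefixlen <= max_length <= prefix.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {prefix}")
    return ROA(prefix, max_length, int(asn_part.removeprefix("AS")))


def validate_origin(prefix_str: str, origin_asn: int, roas: list[ROA]) -> str:
    """Classify one (prefix, origin AS) pair per RFC 6811:
      - 'not-found': no ROA covers the prefix, so the database of True
        Routes simply has no entry and nothing can be decided;
      - 'valid': some covering ROA names this origin AS and its maxLength
        permits a prefix this long;
      - 'invalid': covering ROAs exist but none matches (wrong origin AS,
        or a more-specific longer than the holder authorised)."""
    route = ipaddress.ip_network(prefix_str, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_asn == origin_asn and route.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def filter_announcements(announcements, roas, accept_not_found=True):
    """Apply a simple ROV policy: drop 'invalid', keep 'valid', and keep
    'not-found' unless the operator chooses otherwise (most deployments
    keep it because ROA coverage is still incomplete).
    Returns (accepted, rejected) lists of (prefix, asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        keep = state == "valid" or (state == "not-found" and accept_not_found)
        (accepted if keep else rejected).append((prefix, asn, state))
    return accepted, rejected


# Constructed ROAs: what the prefix holders have authorised.
SAMPLE_ROAS = [parse_roa(line) for line in (
    "192.0.2.0/24-24 AS64500",
    "203.0.113.0/24-26 AS64496",
    "2001:db8::/32-48 AS64500",
)]

# Constructed announcements as a router might receive them from a neighbour.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # holder originates its own prefix
    ("192.0.2.0/24", 64511),      # same prefix from a different origin AS
    ("192.0.2.0/25", 64500),      # more-specific beyond maxLength, even from the holder
    ("203.0.113.64/26", 64496),   # more-specific within maxLength
    ("198.51.100.0/24", 64500),   # no ROA at all
    ("2001:db8:1::/48", 64500),   # IPv6 more-specific within maxLength
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for entry in accepted:
        print("accept", *entry)
    for entry in rejected:
        print("reject", *entry)
```

Running the module prints four accepted entries (three "valid" and the "not-found" one) and two rejected "invalid" entries. Passing `accept_not_found=False` to `filter_announcements` turns the uncovered 198.51.100.0/24 into a rejection as well, which is exactly the trade-off the answer describes: a strict policy only works once the database of True Routes is complete and kept current.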
