BGP Path Hijacking Attack inside Mininet

This is the brief summary of the Github repo: https://github.com/jl4730/BGPHijacking/, which is based on the mininet demo attack https://github.com/mininet/mininet/wiki/BGP-Path-Hijacking-Attack-Demo and a paper (https://www2.cs.arizona.edu/~bzhang/paper/07-dsn-hijack.pdf).

Part 1: What Is BGP Hijacking?

GP hijacking occurs when a malicious attackers or rogue AS advertises a false IP prefix that it does not own or control to reroute internet traffic. These vulnerabilities still cause routing disruptions and connectivity issues for individual hosts, networks, and sometimes entire countries.

BGP favors a shorter route to save money for the providers or to
decrease number of hops to an IP prefix.

For a hijack to be successful it must:
A. Advertise a shorter route of a more specific range of IP addresses that another AS already advertised.
B. Advertise a shorter route to a block of IP addresses. This can only be made by an operator of a AS, or by a bad actor that takes control of an AS.

When an attack is made, it re-routes the traffic to malicious sites to steal credentials, drops traffic to cause disruption, and/or increases latency of pages. Even though the victim AS thinks the route is shorter, the reality is that it may be a lot longer than the previous advertised routes. The best-case scenario of an attack is where the route will just increase latency and steer traffic to a much longer route, at worst case the attack may re-route to a malicious site to steal confidential information from the users.

Part 2: BGP Hijacking in the interactive Mininet

In this project, using an adaptation of an interactive Mininet project[1], we will explore some of the vulnerabilities of Border Gateway Protocol (BGP). In particular, we will see how BGP is vulnerable to abuse and manipulation through a class of attacks called BGP hijacking attacks. A malicious Autonomous System (AS) can mount these attacks through false BGP announcements from a rogue AS, causing victim ASes to route their traffic bound for another AS through the malicious AS. This attack succeeds because the false advertisement exploits BGP routing behavior by advertising a shorter path to reach a particular prefix, which causes victim ASes to attempt to use the newly advertised (and seemingly better) route.

1. Download and unzip the Project files. Modify permissions using the command:
   sudo chmod -R 777 BGPHijacking
2. In the Project Directory open a terminal and type the following command:
   sudo python bgp.py
3. After loading the topology, the Mininet CLI should be visible. Keep this terminal open throughout the experiment.
4. Open a second terminal in the Project directory. We will use this terminal to start a remote session with AS1’s routing daemon. Type in the following command:
   ./connect.sh
5. This script will start FRR, which will require access verification. The password is:
   en
   You will type in “en” and press enter. This will give you access to the administration shell and R1 routing table. When you get the bgpd-R1# prompt type the following command:
   sh ip bgp
6. You should see output very much like the screen grab below. In particular, notice that AS1 has chosen the path via AS2 and AS3 to reach the prefix 13.0.0.0/8.

7. Next, let us verify that network traffic is traversing this path. While still in the project directory, open a third terminal (keeping all other terminals open). In this terminal you will start a script that continuously makes web requests from a host within AS1 to a web server in AS3. Type in the following:

./website.sh

8. Leaving all terminals open, open a fourth in the Project directory. Now, we will start a rogue AS (AS4) that will connect directly to AS1 and advertise the same 13.0.0.0/8 prefix. This will allow AS4 to hijack the prefix due to the shorter AS Path Length type the following:
./start_rogue.sh
9. Return to the third terminal window and observe the continuous web requests. After the BGP routing tables converge on this simple network, you should eventually see the attacker start responding to requests from AS1, rather than AS3.

10. Additionally, return to the second terminal and rerun the command to print the routing table. You should now see the fraudulent advertisement for the 13.0.0.0/8 prefix in the routing table, in addition to the longer unused path to the legitimate owner.

11. Finally, let’s stop the attack by switching to the fourth terminal and using the following command:
./stop_rogue.sh
12. You should notice a fast reconvergence to the original legitimate route in the third terminal window, which should now be delivering the original traffic. Additionally, you can check the BGP routing table again to see the original path is being traversed.