Computer Network 15 | BGP Hijacking Project
1. BGP Hijacking Demo
$ sudo pip install --upgrade pip
$ sudo pip install termcolor
Then in bgp.py, replace line 87,
routers.append(self.addSwitch('R4'))
with
self.addSwitch('R4')
Open a second terminal; we will use this terminal to start a remote session with AS1's routing daemon,
$ ./connect.sh
Then enter the password for the VM and the Quagga vty password en
to access the administration shell and R1's routing table. At the bgpd-R1> prompt, type sh ip bgp
to display the BGP table,
bgpd-R1> sh ip bgp
BGP table version is 3, local router ID is 9.0.0.1, vrf id 0
Default local pref 100, local AS 1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.0.0.0/8 0.0.0.0 0 32768 i
*> 12.0.0.0/8 9.0.0.2 0 0 2 i
*> 13.0.0.0/8 9.0.0.2 0 2 3 i
Displayed 3 routes and 3 total paths
The 13.0.0.0/8 row is the target: AS1 currently reaches it through AS2 with AS path 2 3. To test a BGP hijacking process, open a third terminal and start the curl loop against the web server in AS3 (the web servers themselves are started by bgp.py),
$ ./website.sh
Then open a fourth terminal to start a rogue AS (AS4) that peers directly with AS1 and advertises the same 13.0.0.0/8 prefix. AS4's announcement carries AS path 4, shorter than the legitimate 2 3, so with equal local preference AS1 installs the rogue route and the curl loop in the third terminal starts returning the malicious server's page.
$ ./start_rogue.sh
To stop the attack, we can use the following command in the fourth terminal,
$ ./stop_rogue.sh
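Why AS1 accepts the rogue route, and the check that would have rejected it, as an added example for this page (it is not code from the demo's bgp.py or from Quagga). It re-implements the part of the BGP decision process that matters in this flat lab (LOCAL_PREF, then AS_PATH length, then a next-hop tie-break) over table entries constructed from the sh ip bgp output above, and adds a ROA-style origin check with RFC 6811 semantics. The ROA list and the rogue next hop 9.0.4.1 are assumptions for illustration.

```python
"""Why AS1 accepts the rogue 13.0.0.0/8 route, and the check that rejects it.

Added example for this page, not code from the demo's bgp.py or from Quagga.
Table entries are constructed from the 'sh ip bgp' output shown above; the
ROA list and the rogue next hop 9.0.4.1 are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_AS = 1  # we are looking at R1's table


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: list          # e.g. [2, 3]; empty for a locally originated prefix
    local_pref: int = 100  # Quagga's default, as the table header shows

    def origin_as(self):
        """The AS that originated the route: last AS_PATH entry, or us."""
        return self.as_path[-1] if self.as_path else LOCAL_AS


def best_path(routes):
    """Highest LOCAL_PREF wins, then the shortest AS_PATH; the lowest next hop
    is only a deterministic tie-break. MED, eBGP-vs-iBGP and IGP cost are
    equal for every route in this lab, so they are left out."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path),
                                      ipaddress.ip_address(r.next_hop)))


# Assumed route origin authorisations: (prefix, max length, authorised origin AS).
# The demo has nothing like this, which is exactly why the hijack works.
ROAS = [("11.0.0.0/8", 8, 1), ("12.0.0.0/8", 8, 2), ("13.0.0.0/8", 8, 3)]


def rov_state(route):
    """Route Origin Validation: 'valid' if a covering ROA authorises the origin,
    'invalid' if covering ROAs exist but none match, 'unknown' if none cover it."""
    net = ipaddress.ip_network(route.prefix)
    covering = [(p, m, a) for p, m, a in ROAS
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    if any(net.prefixlen <= m and route.origin_as() == a for _, m, a in covering):
        return "valid"
    return "invalid"


def as1_rib(rogue_present):
    """AS1's candidate routes for 13.0.0.0/8, before/while start_rogue.sh runs."""
    routes = [Route("13.0.0.0/8", "9.0.0.2", [2, 3])]  # legitimate path via AS2
    if rogue_present:
        # AS4 peers directly with AS1 and originates 13.0.0.0/8 as if it owned it
        routes.append(Route("13.0.0.0/8", "9.0.4.1", [4]))
    return routes


def select(routes, drop_invalid=False):
    """Run best-path selection, optionally after discarding ROV-invalid routes."""
    candidates = [r for r in routes
                  if not (drop_invalid and rov_state(r) == "invalid")]
    return best_path(candidates) if candidates else None


if __name__ == "__main__":
    for rogue in (False, True):
        for policy in (False, True):
            best = select(as1_rib(rogue), drop_invalid=policy)
            print(f"rogue={rogue!s:5} drop_invalid={policy!s:5} -> "
                  f"13.0.0.0/8 via {best.next_hop} path {best.as_path} "
                  f"({rov_state(best)})")
```

With the rogue present and no origin validation the path [4] wins purely on AS_PATH length, which is what R1 shows after start_rogue.sh; the drop_invalid=True branch is how a router doing RPKI-based origin validation would behave, keeping the legitimate 2 3 path.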
2. Code Architecture
Zebra is a multi-server routing software which provides TCP/IP based routing protocols. Zebra has been decommissioned, and Quagga is the fork used in this demo.
bgpd is the BGP routing component that works with the Quagga routing engine. The flags used to start it:
-f : set the bgpd config file
-d : run in daemon mode, forking and detaching from the tty
-i : the pid-file path where the process identifier is written
getIP()
Maps a host name to its address: h1-1 -> 11.0.1.1/24, h2-1 -> 12.0.1.1/24, h1-2 -> 11.0.2.1/24. The first octet is 10 plus the AS number and the third octet is the host index.
getGateway()
Maps a host name to its default gateway: h1-1 -> 1.0.1.254, h2-1 -> 2.0.1.254, h1-2 -> 1.0.2.254.
Note that a default gateway has to sit inside the host's own /24; 1.0.1.254 is not in 11.0.1.0/24, so check this mapping against the getIP() addresses in bgp.py before reusing it for the new ASes.
startWebserver()
Executes webserver.py with a message text on a given node. It is called twice with different messages,
once on the legitimate webserver
once on the malicious webserver
webserver.py
A script that starts a TCP webserver on port 80 on a node. It takes one argument, --text, used as the message in the h1 tag; by default the message is Default web server.
connect.sh
Uses ${parameter:-word}: if parameter is unset or null, the expansion of word is substituted; otherwise the value of parameter is substituted.
run.py
A simple run script used to execute a command in a node, e.g.
sudo python run.py --node R1 --cmd "telnet localhost bgpd"
is the command connect.sh uses to log in to router R1's bgpd vty.
website.sh
A loop script that curls the webserver every second. The page it returns shows whether the legitimate or the malicious server is currently answering.
start_rogue.sh
The script executes run.py for the rogue AS.
stop_rogue.sh
The script kills the rogue AS with pkill -f --signal 9 ...
3. System Design
In this project, we have to modify the BGP hijacking demo above to mock the following network.
Here we have 6 ASes. AS5 is the webserver and AS6 is the rogue AS that performs the BGP hijacking. Each AS advertises a single prefix,
AS1: 11.0.0.0/8
AS2: 12.0.0.0/8
AS3: 13.0.0.0/8
AS4: 14.0.0.0/8
AS5: 15.0.0.0/8
AS6: 11.0.0.0/8
Note that AS6 announces the same 11.0.0.0/8 as AS1, so the prefix being hijacked is AS1's: any AS whose path through AS6 is shorter than its path through AS1 will send its 11.0.0.0/8 traffic to AS6, and the curl loop used to observe the hijack has to target an address in that prefix.
To design the network, we should keep the neighbour eth ports under the same subnet so they can communicate, and give every link its own subnet. A network graph such as fig2_topo.pdf should be drawn before the implementation so that we can align the edges.
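A check for the address plan, added for this page and not part of the demo's bgp.py: it verifies the two things this section and the getGateway() caveat above ask for, that every host gateway lies inside the host's own /24 and that both ends of every router link share one subnet no other link reuses. The host entries are the mappings listed under getIP()/getGateway() above (as written there, all three gateways fall outside their hosts' subnets and the audit reports them); the router link addresses and names are assumptions for illustration.

```python
"""Address-plan sanity checks for the 6-AS topology.

Added example for this page, not part of the demo's bgp.py. The host entries
are the getIP()/getGateway() mappings listed on this page; the router links
are assumptions for illustration.
"""
import ipaddress

# Constructed from the page's getIP()/getGateway() mappings: name -> (ip, gateway).
HOSTS = {
    "h1-1": ("11.0.1.1/24", "1.0.1.254"),
    "h1-2": ("11.0.2.1/24", "1.0.2.254"),
    "h2-1": ("12.0.1.1/24", "2.0.1.254"),
}

# Assumed point-to-point router links: (router A, A's address, router B, B's address).
# The second link's ends disagree on the subnet; the third reuses the first
# link's subnet and R1's address. Both are mistakes the audit should catch.
LINKS = [
    ("R1", "9.0.0.1/24", "R2", "9.0.0.2/24"),
    ("R2", "9.0.1.1/24", "R3", "9.0.2.2/24"),
    ("R1", "9.0.0.1/24", "R6", "9.0.0.3/24"),
]


def gateway_in_subnet(host_ip, gateway):
    """A host can only ARP for a default gateway that sits inside its own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_ip).network


def link_ends_aligned(ip_a, ip_b):
    """Both ends of a link must share one subnet and use different host parts."""
    a, b = ipaddress.ip_interface(ip_a), ipaddress.ip_interface(ip_b)
    return a.network == b.network and a.ip != b.ip


def audit(hosts, links):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    for name, (ip, gw) in hosts.items():
        if not gateway_in_subnet(ip, gw):
            problems.append(f"{name}: gateway {gw} is outside "
                            f"{ipaddress.ip_interface(ip).network}")
    used = {}
    for a, ip_a, b, ip_b in links:
        link = f"{a}<->{b}"
        if not link_ends_aligned(ip_a, ip_b):
            problems.append(f"{link}: {ip_a} and {ip_b} are not in one subnet")
            continue
        net = ipaddress.ip_interface(ip_a).network
        if net in used:
            problems.append(f"{link}: subnet {net} is already used by {used[net]}")
        used.setdefault(net, link)
    return problems


if __name__ == "__main__":
    for line in audit(HOSTS, LINKS) or ["address plan is consistent"]:
        print(line)
```

Run it against the real getIP()/getGateway() output and the addLink list before bringing the topology up; a silent mismatch here shows up later only as a peer stuck in Active/Connect in sh ip bgp summary.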
4. Implementation
To complete this project, we have to modify the following files,
config files under
conf/
bgp.py
connect.sh
website.sh
start_rogue.sh
stop_rogue.sh
Note that the self.addLink calls, the zebra configurations and the eth definitions must be in the same order, otherwise the interface names and addresses will not line up and the network will not come up properly.
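One way to keep the three in step, as an added example for this page and not the project's conf/ files or bgp.py: derive the addLink order, the zebra interface stanzas and the bgpd neighbor statements from a single ordered peering list, so they cannot drift apart. The per-AS prefixes, including rogue AS6 announcing 11.0.0.0/8, come from the design above; the peering list, the 9.0.n.0/24 link numbering, the vty password and eth numbering from 1 (Mininet's port base for switch nodes, which the demo uses for routers) are assumptions for illustration.

```python
"""Derive addLink order, interface names and Quagga configs from one link list.

Added example for this page, not the project's conf/ files or its bgp.py. The
prefixes are the design's; the peering list, link numbering, vty password and
eth numbering are assumptions for illustration.
"""
from collections import defaultdict

PREFIX = {1: "11.0.0.0/8", 2: "12.0.0.0/8", 3: "13.0.0.0/8",
          4: "14.0.0.0/8", 5: "15.0.0.0/8", 6: "11.0.0.0/8"}

# Assumed peerings, in the order the addLink() calls would be made.
LINKS = [(1, 2), (2, 3), (3, 4), (4, 5), (2, 5), (1, 6)]


def plan(links):
    """Give link n the subnet 9.0.n.0/24 (.1 for the first AS, .2 for the
    second) and number each router's interfaces in the order its links appear.
    Returns {asn: [(ifname, local_ip, peer_as, peer_ip), ...]}."""
    ifaces = defaultdict(list)
    for n, (a, b) in enumerate(links):
        ip_a, ip_b = f"9.0.{n}.1", f"9.0.{n}.2"
        ifaces[a].append((f"R{a}-eth{len(ifaces[a]) + 1}", ip_a, b, ip_b))
        ifaces[b].append((f"R{b}-eth{len(ifaces[b]) + 1}", ip_b, a, ip_a))
    return dict(ifaces)


def zebra_conf(asn, ifaces):
    """zebra.conf: one interface stanza per link, in link order."""
    lines = [f"hostname R{asn}", "password en"]
    for name, ip, _, _ in ifaces:
        lines += [f"interface {name}", f"  ip address {ip}/24"]
    return "\n".join(lines) + "\n"


def bgpd_conf(asn, ifaces):
    """bgpd.conf: announce the AS's prefix and peer with every directly linked AS."""
    lines = [f"hostname R{asn}", "password en",
             f"router bgp {asn}",
             f"  bgp router-id {ifaces[0][1]}",
             f"  network {PREFIX[asn]}"]
    for _, _, peer_as, peer_ip in ifaces:
        lines.append(f"  neighbor {peer_ip} remote-as {peer_as}")
    return "\n".join(lines) + "\n"


def contested_prefixes(prefixes):
    """Prefixes announced by more than one AS: in this design, the hijack."""
    origins = defaultdict(list)
    for asn, p in prefixes.items():
        origins[p].append(asn)
    return {p: a for p, a in origins.items() if len(a) > 1}


if __name__ == "__main__":
    topo = plan(LINKS)
    for asn in sorted(topo):
        print(zebra_conf(asn, topo[asn]))
        print(bgpd_conf(asn, topo[asn]))
    print("contested:", contested_prefixes(PREFIX))
```

The same list that drives plan() is the one to iterate when issuing self.addLink in bgp.py; if a link is added or reordered, every interface name, address and neighbor line regenerates consistently instead of being patched in three places by hand.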