CAPEC-584: BGP Route Disabling
An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network.
Last updated
Overview
CAPEC-584 (BGP Route Disabling) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The adversary must have control of a router that can modify, drop, or introduce spoofed BGP updates.The adversary can convince
Resources required
- BGP Router
Consequences
What a successful CAPEC-584 attack can achieve.
Other
Affects: Availability
Disabling a network route at the routing infrastructure level denies availability of that route.
How to mitigate it
Defenses that reduce the risk of CAPEC-584.
- Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.
- Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.
Examples
Blackholing: The adversary intentionally references false routing advertisements in order to attract traffic to a particular router so it can be dropped.