北京邮电大学学报

  • EI核心期刊

北京邮电大学学报 ›› 2011, Vol. 34 ›› Issue (s1): 114-118.doi: 10.13190/jbupt.2011s1.114.zhongjx

• 研究报告 • 上一篇    下一篇

基于4字节ASN扩展的BGP协议安全漏洞

钟金鑫,魏更宇,李仲重,杨义先   

  1. 北京邮电大学 信息安全中心, 北京 100876
  • 出版日期:2011-10-28 发布日期:2011-10-28
  • 作者简介:钟金鑫(1984-),男,博士生,E-mail:jinxin.zhong@gmail.com 杨义先(1961-),男,教授,博士生导师
  • 基金资助:

    教育部科学技术研究重点项目

A BGP Vulnerability on Supporting 4Octet AS Number Space

    

  1.  
  • Online:2011-10-28 Published:2011-10-28
  • Supported by:
     

摘要:

针对边界网关协议(BGP)路由策略提出一个可以造成流量劫持的BGP协议安全漏洞——多出口描述符(MED)漏洞. 4字节自治域号的引入造成BGP设备部分私有配置失效,在毫不知情的情况下导致数据流量被劫持到邻近的网络服务提供商,带来严重安全威胁.在Cisco环境下的仿真实验结果表明,MED漏洞无感地转移数据流量,可利用该漏洞部署中间人攻击.

关键词: 边界网关协议安全, 多出口描述符漏洞, 4字节自治域号, 流量劫持

Abstract:

A new border gateway protocol (BGP) security problem, multiexitdiscriminator (MED) vulnerability, has been discovered, which could be abused in data hijacking. For the reason that BGP devices may not operate as expected with the extension of 4octet autonomous system (AS) number, data streams could be diverted to other Internet service providers unconsciously and bring serious threat to the global network. In addition the weakness is simulated under the environment of Cisco routers, and a kind of maninthemiddle data hijack based on the MED flaw is implemented and verified through the experiment.

Key words: border gateway protocol security; multiexitdiscriminator vulnerability, 4octet autonomous system number, data flow hijack

中图分类号: