BGP Path Hijacking Attack Demo
This demo is entirely taken from the Mininet Wiki and modified to run in Route 0. All credit for this demo go to the authors of the Mininet Wiki entry and its code.
You can read more about what BGP hijacking is and how the demo works on the
Mininet
Wiki
entry. This README.md
only adapts the step-by-step instructions from the
Wiki to work with the Route 0 framework.
Demo Instructions
Step 1
- Go into your
route0
repository. - Start the
bgp_hijack
scenario with
sudo python route0.py --topology line_03_and_rogue --scenario bgp_hijack
Keep this shell running throughout this demonstration.
Step 2
- In another terminal, let's start a session with AS1's routing daemon:
sudo python attach.py --node R1 --daemon bgpd
The password is route0
.
Step 3
Let's see AS1's routing entries by typing the command sh ip bgp
.
Notice that on AS1, the chosen AS path to reach 13.0.0.0/8 is "2 3" (i.e., via AS2 and AS3).
Step 4
Keep the above shell running in a separate window. Now, let's visit a default
web server that Mininet started in AS3 and verify that we can reach it from
host h1_1 connected to AS1. We're going to run the command "curl -s 13.0.1.1"
from AS1 in a loop. We have created a script website.sh
that does this for
you automatically:
topology/line_03_and_rogue/scenario/bgp_hijack/website.sh
Step 5
Now, in another window, let us start the rogue AS using the command
topology/line_03_and_rogue/scenario/bgp_hijack/start_rogue.sh
The rogue AS will connect to AS1 and advertise a route to 13.0.0.0/8 using a shorter path (i.e., a direct path from AS1 to AS4). Thus, AS1 will choose this shorter path by default.
After some time (for BGP convergence), you should see the output of
website.sh
script change to the attacker's message.
You can also inspect the routing table using the shell you started in step 2. If the shell closed (due to inactivity), you can start it again (see step 2). You can see AS4's chosen path and also AS3's path in the routing information base of AS1. Since the AS path length to reach 13.0.0.0/8 is smaller through AS4, R1 chooses AS4 as its next hop.
Step 6
You can stop the attack by killing R4's routing daemon
topology/line_03_and_rogue/scenario/bgp_hijack/stop_rogue.sh
You will notice that convergence is quick: the traffic is almost immediately redirected to the legitimate web server.
Step 7
You can stop the experiment by typing exit
at the Mininet prompt, Control-C
in the window where you started the website, and type exit
in the terminal
where you connected to R1's terminal.
That's it!