Due to a ransomware attack, the wiki was reverted to a July 2022 version. . We apologize for the lack of a more recent valid backup.
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
"org.onosproject.artemis" : {
"artemis" : {
"prefixes" : [
{
"prefix" : "40.0.0.0/8",
"paths" : [
{
"origin" : 65004,
"neighbor" : [
{
"asn" : 65002,
"neighbor": [ 65001 ]
}
]
}
],
"moas" : [ ]
}
],
"frequency" : 3000,
"monitors" : {
"ripe" : [ ],
"exabgp": [ "192.168.1.2:5000" ]
}
}
} |
...
AS65001
Intermediate AS that consists of a BGP Speaker (R1), a L2 switch, a host (H1) and an ExaBGP Route Collector.R1: Announces 10.0.0.0/8 and is neighbor with AS65003 and AS65002. Also, has the exaBGP RC as an iBGP neighbor to propagate the BGP Update messages to it.
ExaBGP RC: Connected to R1 but also to the ONOS Controller on the protected AS (in real world this connection is done through the underlaying network).
H1 / 10.0.0.100: Host which is going to be communicating with the host inside the protected AS. It is going to provide us a visualization of the data-plane behavior when the BGP Hijack occurs.
AS65002
IntermediateIntermediate AS that consists of a BGP Speaker that announces 20.0.0.0/8 and its purpose is to add an additional hop to the AS-path so the protected AS is hijackable.AS65003
Hijackers AS that consists of a BGP Speaker (R3).R3:Announcing from this BGP Speaker the prefix of the protected AS (40.0.0.0/8) will cause a BGP hijack and all trafic generated from AS65001 will be redirected to the network of AS65003.
AS65004
Protected AS that is running ONOS. It consists of a BGP Speaker, an OVS switch, a Host and the ONOS instance.R4: Bgp Speaker announcing 40.0.0.0/8. It is connected with his neighbor through the OVS switch which is configured by the sdn-ip application to talk with the BGP speaker of AS65002.
OVS: Talks with ONOS on a management interface in 192.168.0.0/24 subnet.
ONOS: ONOS is connected with the BGP speaker to retrieve the BGP routing table. Also, it receives the BGP Update messages from the ExaBGP router and has a link with the OVS to send the flow rules and receive the packet ins.
- H4 / 40.0.0.100: Host that receives traffic with the help of the reactive-routing application from the host in AS65001.
Running the Demo
...
Install ExaBGP by doing these steps:
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ cd ~
$ git clone https://github.com/Exa-Networks/exabgp
$ cd exabgp; git checkout 3.4
$ echo 'export PATH=$PATH:~/exabgp/sbin' >> ~/.bashrc
$ source ~/.bashrc |
Install Quagga suite through apt-get:
...
Download and install mininet:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ cd ~ $ git clone https://github.com/mininet/mininet $ cd mininet; git checkout 2.2.2 $ ./util/install.sh -fnv |
Install java 8 (needed by ONOS next):
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ sudo apt-get install software-properties-common -y $ sudo add-apt-repository ppa:webupd8team/java -y $ sudo apt-get update $ echo "oracle-java8-installer shared/accepted-oracle-license-v1-1 $ select true" | sudo debconf-set-selections && \ $ sudo apt-get install oracle-java8-installer oracle-java8-set-default -y |
...
Install pip3, python packages and fix the configuration used by ExaBGP:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ sudo apt-get install python3-pip -y $ sudo pip3 install -r ~/onos/tools/tutorials/artemis/requirements.txt $ nano ~/onos/tools/tutorials/artemis/configs/exabgp.conf (you must put the absolute path at run command, e.g., /home/onos/onos/tools/tutorials/artemis/server.py) |
Run ONOS (first time will take some time):
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ buck run onos-local -- clean |
When ONOS is loaded run the mininet topology:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ cd /onos/tools/tutorials/artemis $ sudo ./topo.py |
## NOTENote: You should disable networking in order to avoid interfaces swapping IP addresses!
Pass the network configuration with onos-netcfg and login to the onos CLI
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ onos-netcfg localhost ~/onos/tools/tutorials/artemis/configs/network-cfg.json $ onos localhost |
Run artemis inside CLI:
| Code Block | ||||
|---|---|---|---|---|
| ||||
onos> app activate org.onosproject.reactive-routing onos> app activate org.onosproject.artemis |
Check if bgp-routes are completed (should include 10.0.0.0/8, 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8; if not you should restart the topology. It takes some time (~1-2min)):
| Code Block | ||||
|---|---|---|---|---|
| ||||
ONOS> bgp-routes |
Now that the topology is running; through the mininet CLI you can connect to the hosts to check connectivity and also to the BGP speakers. To hijack the prefix of our protected AS:
...
1. Connect to BGP speaker named R3:
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
mininet> xterm R3 (opens a new window on R3 node)
R3> telnet localhost bgpd |
2. And announce Announce the prefix:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$R3> sudo apt-get install quagga -y |
...
sdnip (this is the password) |
...
R3> enable |
...
R3# configuration terminal |
...
R3(conf)# router bgp 65003 |
...
R3(conf-bgp)# network 40.0.0.0/8 |
Now the hijacker with attract all the traffic from AS65001 but in parallel the ExaBGP speaker will send the BGP update of the hijack to the ONOS instance which is going to detect the hijack. Inside the logs you will see that the attack is detected and the deaggregation mechanism has successfully defended the attack. After the BGP converges the traffic of AS65001 returns to our protected AS.
Demo video
| Widget Connector | ||
|---|---|---|
|
...