CND (312-38) Network Defense Simulation

Welcome, Network Defender. You will analyze routing protocol behavior and network logs to secure the organization's perimeter communications. Learn to identify expected baseline traffic and apply proper security controls to external routing infrastructure.

Network Scenario

You are analyzing traffic on the external edge router (RTR-EXT-01) of your enterprise network. This router connects your organization's Autonomous System (AS 65001) to two upstream Internet Service Providers (ISPs) to maintain redundant internet connectivity.

During a routine security audit, you are reviewing firewall logs and packet captures to verify that only authorized routing protocol traffic is permitted across the external interfaces, and that no unauthenticated routing updates are being processed.

Traffic & Logs

[08:14:22] SYS-LOG: %RT-5-ADJCHANGE: neighbor 203.0.113.5 Up
[08:15:01] FW-LOG: PERMIT TCP SRC 203.0.113.5:49152 DST 198.51.100.10:179 FLAGS [S]
[08:15:01] FW-LOG: PERMIT TCP SRC 198.51.100.10:179 DST 203.0.113.5:49152 FLAGS [S, A]
[08:15:02] PCAP: Frame 412: UPDATE Message (Withdrawn Routes Length: 0, Total Path Attribute Length: 46)
[08:20:45] FW-LOG: DENY UDP SRC 203.0.113.5:520 DST 198.51.100.10:520 (Unauthorized Routing Attempt)

Analysis note: observe the TCP connection being established on port 179 for routing updates between the external peer and your edge router.

Question

Which of the following is an exterior gateway protocol that communicates using the Transmission Control Protocol (TCP) and sends updated routing table information?

Defensive Hint: Look at the firewall logs showing traffic destined for TCP port 179. Which major protocol is responsible for routing between different Autonomous Systems across the internet?

Expert Analysis

1. What is happening in the network

The enterprise edge router (198.51.100.10) is establishing a peering relationship with an external ISP router (203.0.113.5). The firewall log shows the TCP handshake to port 179 (both the SYN and the SYN/ACK are permitted), followed by a BGP UPDATE message carrying 46 bytes of path attributes for the advertised routes. The firewall correctly denied an unauthorized attempt to use UDP port 520 (RIP).

2. Identify attack or behavior

This is expected, legitimate routing protocol behavior for an internet edge connection. However, from a defense perspective, this traffic must be heavily monitored. If an attacker can spoof or inject traffic into this TCP stream, they could execute a route hijack, redirecting the organization's outbound or inbound traffic through malicious infrastructure.

3. Why the correct answer is correct (Option D)

BGP (Border Gateway Protocol) is the fundamental Exterior Gateway Protocol (EGP) used to exchange routing and reachability information among autonomous systems on the Internet. It specifically uses TCP on port 179 to ensure reliable delivery of large routing tables without having to build a native reliable-delivery mechanism.

4. Why others are wrong

A. IGMP: Internet Group Management Protocol is used by hosts and adjacent routers to establish multicast group memberships, not for exchanging global routing tables.
B. IRDP: ICMP Router Discovery Protocol allows hosts to automatically discover active routers on their local subnet.
C. OSPF: Open Shortest Path First is an Interior Gateway Protocol (IGP) used within an autonomous system, not between them, and it operates directly over IP (protocol 89), not TCP.

5. Defensive action

To secure external routing, defenders should authenticate BGP sessions with the TCP MD5 signature option or, preferably, TCP-AO (which supports SHA-based HMACs) to prevent session spoofing. Access Control Lists (ACLs) should restrict TCP 179 traffic strictly to known, authorized peer IPs. Additionally, deploy RPKI with Route Origin Authorizations (ROAs) so the router can cryptographically verify that the origin AS in a received route is authorized to announce that IP prefix.

MINI LESSON: Protocol Behavior & Network Defense

Understanding why a protocol behaves a certain way is crucial for defense:

  • TCP vs UDP for Routing: Older, smaller routing protocols (like RIP) use UDP. BGP uses TCP because internet routing tables are massive (often >900,000 routes). TCP provides the windowing, segmentation, and guaranteed delivery that BGP requires.
  • Detection vs Prevention: Blocking unauthorized routing traffic at the firewall is prevention. Alerting when a new, unexpected AS number appears in your BGP updates is detection. Both are required for Defense-in-Depth.
  • Traffic Pattern Recognition: Seeing TCP 179 traffic originating from inside the user workstation LAN attempting to reach the edge router is a massive anomaly indicating potential internal reconnaissance or a compromised internal device attempting to manipulate routing.
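The ACL restriction in the defensive action and the anomaly in the last bullet can both be checked over the page's FW-LOG format. The following is an added example (not part of the simulation): it parses constructed log lines, treats 203.0.113.5 as the only authorized BGP peer, and flags TCP 179 traffic from an assumed workstation LAN (10.20.0.0/16) or from any unlisted external host, as well as RIP (UDP 520) attempts, even when the firewall already denied them.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the page's FW-LOG format. The last two are assumed
# events: a workstation-LAN host and an unknown external host reaching TCP 179.
SAMPLE_LOGS = [
    "[08:15:01] FW-LOG: PERMIT TCP SRC 203.0.113.5:49152 DST 198.51.100.10:179 FLAGS [S]",
    "[08:15:01] FW-LOG: PERMIT TCP SRC 198.51.100.10:179 DST 203.0.113.5:49152 FLAGS [S, A]",
    "[08:20:45] FW-LOG: DENY UDP SRC 203.0.113.5:520 DST 198.51.100.10:520 (Unauthorized Routing Attempt)",
    "[08:31:09] FW-LOG: PERMIT TCP SRC 10.20.14.77:51322 DST 198.51.100.10:179 FLAGS [S]",
    "[08:32:10] FW-LOG: PERMIT TCP SRC 192.0.2.9:40001 DST 198.51.100.10:179 FLAGS [S]",
]

EDGE_ROUTER = ip_address("198.51.100.10")        # RTR-EXT-01 external address
AUTHORIZED_PEERS = {ip_address("203.0.113.5")}   # the only peer the scenario names
INTERNAL_LANS = [ip_network("10.20.0.0/16")]     # assumed user workstation LAN
LOG_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] FW-LOG: (?P<action>PERMIT|DENY) (?P<proto>TCP|UDP) "
    r"SRC (?P<src>[\d.]+):(?P<sport>\d+) DST (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(line):
    # Only FW-LOG entries are parsed; SYS-LOG and PCAP lines return None.
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ip_address(rec["src"]), ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label one record: None for baseline peering, otherwise a finding name."""
    if rec["proto"] == "TCP" and 179 in (rec["sport"], rec["dport"]):
        # The non-edge side of the flow is the remote BGP speaker.
        remote = rec["src"] if rec["dst"] == EDGE_ROUTER else rec["dst"]
        if any(remote in lan for lan in INTERNAL_LANS):
            return "INTERNAL_BGP_ATTEMPT"   # LAN host talking BGP to the edge
        if remote not in AUTHORIZED_PEERS:
            return "UNAUTHORIZED_BGP_PEER"  # ACL should have restricted TCP 179
        return None
    if rec["proto"] == "UDP" and rec["dport"] == 520:
        return "RIP_ATTEMPT"                # RIP is not an authorized edge protocol
    return None

def audit(lines):
    # Returns (timestamp, source, firewall action, finding) for every anomaly.
    findings = []
    for rec in filter(None, map(parse, lines)):
        label = classify(rec)
        if label:
            findings.append((rec["ts"], str(rec["src"]), rec["action"], label))
    return findings
```

A PERMIT paired with UNAUTHORIZED_BGP_PEER is the useful output here: it shows the edge ACL is not yet restricting TCP 179 to the known peer list.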
