Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
101: Why BGP Hijacking Just Won't Die
A look at the dangers of attacks on the Internet's Border Gateway Protocol and what ISPs and enterprises can do about them.
When the Internet goes down, rendering everything inaccessible from mission-critical business services to mental stability-critical meme generators, is it because of an accident or malicious hackers? In the case of Border Gateway Protocol (BGP) hijacking, it could be either — and sometimes both.
Consider the BGP hijacking incident on April Fool’s Day last year, which caused massive Internet service disruptions just as the world was beginning to grapple with the consequences of the COVID-19 pandemic. Internet traffic that was supposed to flow through more than 200 of the largest cloud-based Web providers and content delivery networks was redirected through Russia’s state-owned telecommunications provider, Rostelecom. More than 8,800 Internet traffic routes were affected for nearly two hours, slowing — and in many cases halting — traffic to, from, and through Amazon, Google, Facebook, Akamai, Digital Ocean, Cloudflare, Heztner, and others.
"They kept doing it for two hours," says Aftab Siddiqui, senior manager of Internet technology at the Internet Society. "We don't know what they achieved, but we do know that for those two hours you couldn't access those services."
While that incident was noticeable for its scale and impact, it's far from the only time BGP hijacking affected Internet service in 2020. It's so common that Siddiqui's Internet Society colleagues estimate that 2,477 BGP hijacking incidents occurred last year, nearly seven per day. Most, he says, are short-lived, but some go on for hours. When done intentionally, it can be used for large-scale surveillance, denial-of-service attacks, and espionage.
"And even if 10% were intentional, that’s a lot," he warns.
The challenge in stopping BGP hijacking is that it exploits a design flaw in how the Internet is constructed, and to stop it will take the vast majority of the world's Internet service providers (ISPs) to change how they operate. But to get there will require ISPs to modernize their routing technology. Some may do it on their own volition to make the Internet more secure and stable for all.
Others might require pressure from their customers — especially those whose businesses require uninterrupted Internet access. Businesses can contact their ISPs to find out if they've modernized their technology, but it might take both carrot and stick to get those that haven't to make the leap.
What Is BGP Hijacking?
BGP hijacking is when the Border Gateway Protocol — which builds the routing tables that form the critical data backbone of the Internet — fails because the path the data should have taken was changed with intentionally inaccurate information. The end result can be websites and apps not loading properly or at all.
BGP was originally invented in the 1980s and fully implemented by 1994 to transfer data automatically between ISPs. At its simplest, BGP hijacking is when the routers guiding that data are misconfigured. The hijacking refers not only to an entity taking over control of the data routing, but also to interference forcing the data to be routed incorrectly.
The actual napkin on which the Border Gateway Protocol was conceived.
The unique entities in the routing tables that define correct BGP routing are known as autonomous systems (AS), which announce the routes that other ASes should rely on to reach ISPs in different geographic regions. Generally, BGP defaults to the shortest routes possible, but humans and computers can interfere with ASes — intentionally, for business reasons, accidentally, or with malicious intent.
If the data route has been interfered with maliciously, it's trivial for a hacker to spy on the data if it hasn't been encrypted. If the routing is ultimately allowed to complete its journey, the recipient of the data might not even notice.
What's most disturbing about BGP hijacking is that while it can be done accidentally, it can also be used as a digital weapon by nation-states or groups affiliated with them. Although BGP hijacking was a notorious problem in the 2000s, high-profile, malicious BGP hijackings still happen to this day. These include an incident spanning 2017 and 2018 that netted hackers $29 million, the rerouting of MyEtherWallet traffic to snag $160,000 in 2018, and Google, Facebook, Twitch, and Apple traffic spending an hour being rerouted through an obscure Russian network. Most recently, a group of federal government agencies recommended that the FCC revoke China Telecom’s ability to provide international service to and from the U.S. because of misrouting US Internet traffic.
The good news is that Siddiqui’s colleagues at the Internet Society and others have created a way to permanently fix BGP routing and make it more secure. Known as MANRS, the Mutually Agreed Norms for Routing Security have invented new guardrails to keep Internet traffic flowing to its intended destinations. One of the most important solutions that MANRS is promoting is Resource Public Key Infrastructure, a public database of cryptographically authenticated BGP routes. Siddiqui, who is the project lead at MANRS, counts approximately one-quarter to one-third of the ISPs worldwide as RPKI adoptees.
How ISPs Can Thwart BGP Hijacking
The bad news is that each ISP must implement RPKI on its own, a task that comes with a labor and maintenance cost. Although the BGP hijacking incidents in 2020 encouraged Cloudflare to launch a "Is BGP safe yet?" service that lets Internet users know whether their ISP has upgraded its BGP security, and Google plans to redouble its efforts as a MANRS partner to fix BGP faster, experts say we are years away from universal RPKI adoption.
While widespread RPKI implementation is the gold standard that Internet architecture and security experts are gunning for, they say there are important improvements that can be made today for relatively low effort. Part of the problem in encouraging its adoption, says Melchior Aelmans, an Internet routing expert and consulting engineer at Juniper Networks, is that RPKI contradicts current Internet routing business models.
"Routing security isn't something that makes vendors rich, so it's not the first thing that vendors will implement, but once customers start asking for it, it becomes relevant. It's something we as a community need to fix," Aelmans says, and businesses need to demand their ISPs implement BGP Best Common Practices.
“Currently, the primary goal for service providers is to have as many routes as possible, which gives you better connectivity," he says. "The more routes you have, the easier it is for your customers to reach destinations on the Internet. The problem with RPKI origin validation is that you filter routes out of the routing table, which goes against having as many routes as possible.”
While there are some initial financial costs to upgrading to RPKI, including the possibility of upgrading to routing hardware that supports it and potential new hires to help implement and manage the upgrade, the major investment is cultural, says Flavio Luciani, chief technology officer at Italian Internet exchange point NameX. While approximately 60% of the Tier 1 service providers around the world have implemented RPKI, only about one-third of all ISPs and cloud providers have.
There are ways to secure BGP routes from hijacking that take less cajoling but are less effective. One of these initiatives is an effort, also spearheaded by MANRS, to make route filtering more consistent through the publicly used Internet Routing Registries already in use. Getting ISPs and cloud providers to focus on prioritizing well-known, validated routes will help reduce the impact of the kinds of large-scale shutdowns we saw last spring, says Aelmans.
"Internet Routing Registry filtering is the precursor to Routing Public Key Infrastructure. It's less verifiable but still pretty reliable. If you can't deploy RPKI, at least use Internet Routing Registry filtering," he says.
In lieu of RPKI, and in addition to Internet Routing Registry filtering, Aelmans recommends that service providers make at least three additional changes to help better secure themselves against BGP hijacking, including signing their prefixes and employing both egress and ingress filtering.
Without addressing these vulnerabilities either through RPKI or stopgap measures, BGP hijacking will be able to continue unabated. Nation-state hackers have learned how to exploit this fragile technology that the Internet depends on for espionage, interference, and destruction. Unless ISPs take important measures to secure their BGP routing, BGP hijacking will remain a potent tool for government-aligned hackers, says Aelmans.
“BGP was only meant to connect a couple of networks, so there was no reason for any security mechanism," he says. "When you look at the way the Internet has scaled, there’s now no way to know everything that everyone is announcing on the Internet. But we rely on BGP, so we have to use these bandages.” .
About the Author
You May Also Like