BGP hijacking explained

BGP hijacking (sometimes referred to as prefix hijacking, route hijacking or IP hijacking) is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).[1] [2] [3] [4] [5]

Background

The Internet is a global network that enables any connected host, identified by its unique IP address, to talk to any other, anywhere in the world. This is achieved by passing data from one router to another, repeatedly moving each packet closer to its destination, until it is delivered. To do this, each router must be regularly supplied with up-to-date routing tables. At the global level, individual IP addresses are grouped together into prefixes. These prefixes will be originated, or owned, by an autonomous system (AS), and the routing tables between ASes are maintained using the Border Gateway Protocol (BGP).

A group of networks that operates under a single external routing policy is known as an autonomous system. For example, Sprint, Verizon, and AT&T are each an AS. Each AS has its own unique AS number (ASN). BGP is the standard routing protocol used to exchange information about IP routing between autonomous systems.

Each AS uses BGP to advertise prefixes that it can deliver traffic to. For example, if the network prefix is inside AS 64496, then that AS will advertise to its provider(s) and/or peer(s) that it can deliver any traffic destined for .

Although security extensions are available for BGP, and third-party route DB resources exist for validating routes, by default the BGP protocol is designed to trust all route announcements sent by peers. Few ISPs rigorously enforce checks on BGP sessions.

Mechanism

IP hijacking can occur deliberately or by accident in one of several ways:

Common to these ways is their disruption of normal network routing: packets end up being forwarded towards the wrong part of the network and then either enter an endless loop (and are discarded), or are left at the mercy of the offending AS.

Typically ISPs filter BGP traffic, allowing BGP advertisements from their downstream networks to contain only valid IP space. However, a history of hijacking incidents shows this is not always the case.

The Resource Public Key Infrastructure (RPKI) is designed to authenticate route origins via cryptographic certificate chains demonstrating address block range ownership but is not widely deployed yet. Once deployed, IP hijacking through errant issues at the origin (via accident or intent) should be detectable and filterable.
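The origination described above (an AS advertising the prefixes it holds), the misdirection that a bogus announcement causes, and the origin check that RPKI adds are small enough to model directly. The block below is an added example and not code from the article: it implements route origin validation as specified in RFC 6811 (an announcement is valid, invalid, or not-found against a set of ROAs) and a longest-prefix-match lookup, then shows that a more-specific announcement from the wrong origin wins the lookup on a router that trusts everything but is discarded once invalid routes are dropped. All prefixes, AS numbers and ROAs are constructed (documentation prefixes and private ASNs), not real routing data.

```python
"""RPKI route origin validation (RFC 6811) against a more-specific hijack.

Added example, not code from the article. The prefixes, AS numbers and ROAs
are constructed for illustration (documentation prefixes, private ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the holder has authorised
    max_length: int  # longest prefix length the origin may announce from it
    origin_as: int   # the AS authorised to originate


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # leftmost = neighbour we heard it from, rightmost = origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def rov_state(ann: Announcement, roas) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for r in covering:
        if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered by a ROA, but wrong origin or too specific


def best_route(dest_ip: str, announcements, roas=None, drop_invalid=False):
    """Longest-prefix match over the announcements a router accepts.

    With drop_invalid=True, ROV-invalid announcements are rejected before
    selection, the usual policy once a network deploys RPKI validation.
    """
    dest = ipaddress.ip_address(dest_ip)
    accepted = []
    for ann in announcements:
        if drop_invalid and roas is not None and rov_state(ann, roas) == "invalid":
            continue
        if dest in ipaddress.ip_network(ann.prefix):
            accepted.append(ann)
    if not accepted:
        return None
    # Only prefix length is compared here; the full BGP decision process is omitted.
    return max(accepted, key=lambda a: ipaddress.ip_network(a.prefix).prefixlen)


# Constructed data: AS 64496 legitimately holds 192.0.2.0/24 and has published a ROA.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]
LEGIT = Announcement("192.0.2.0/24", (64500, 64496))
# A rogue AS 64666 announces a /25 inside that block so it wins longest-prefix match.
HIJACK = Announcement("192.0.2.0/25", (64501, 64666))
# Space with no ROA at all, for the not-found case.
NO_ROA = Announcement("198.51.100.0/24", (64500, 64497))


def demo() -> dict:
    """Return the ROV states and the route chosen for a host in 192.0.2.0/24."""
    table = [LEGIT, HIJACK, NO_ROA]
    return {
        "legit_state": rov_state(LEGIT, ROAS),
        "hijack_state": rov_state(HIJACK, ROAS),
        "no_roa_state": rov_state(NO_ROA, ROAS),
        "without_rov": best_route("192.0.2.10", table).prefix,
        "with_rov": best_route("192.0.2.10", table, ROAS, drop_invalid=True).prefix,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter in practice. A ROA's maxLength bounds how specific the holder itself may announce, so a /25 from the legitimate AS 64496 is also invalid under the ROA above; and "not-found" is deliberately not treated as invalid, because most address space still has no ROA and dropping it would cut legitimate reachability.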

IP hijacking is sometimes used by malicious users to obtain IP addresses for use in spamming or a distributed denial-of-service (DDoS) attack.

When a router promulgates flawed BGP routing information, whether that action is intentional or accidental, it is defined by the Internet Engineering Task Force (IETF) in RFC 7908 as a "route leak". Such leaks are described as "the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS violates the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path." Such leaks are possible because of a long-standing "…systemic vulnerability of the Border Gateway Protocol routing system…"[6]

BGP hijacking and transit-AS problems

Like the TCP reset attack, session hijacking involves intrusion into an ongoing BGP session, i.e., the attacker successfully masquerades as one of the peers in a BGP session, and requires the same information needed to accomplish the reset attack. The difference is that a session hijacking attack may be designed to achieve more than simply bringing down a session between BGP peers. For example, the objective may be to change routes used by the peer, in order to facilitate eavesdropping, black holing, or traffic analysis.

By default EBGP peers will attempt to add all routes received from another peer into the device's routing table and will then attempt to advertise nearly all of these routes to other EBGP peers. This can be a problem, as multi-homed organizations can inadvertently advertise prefixes learned from one AS to another, causing the end customer to become the new best path to the prefixes in question. For example, a customer with a Cisco router peering with, say, AT&T and Verizon and using no filtering will automatically attempt to link the two major carriers, which could cause the providers to prefer sending some or all traffic through the customer (on perhaps a T1), instead of using high-speed dedicated links. This problem can further affect others that peer with these two providers and also cause those ASes to prefer the misconfigured link. In reality, this problem hardly ever occurs with large ISPs, as these ISPs tend to restrict what an end customer can advertise. However, any ISP not filtering customer advertisements can allow errant information to be advertised into the global routing table, where it can affect even the large Tier-1 providers.
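The multi-homed customer scenario above, which is exactly the kind of propagation "beyond its intended scope" that the RFC 7908 definition earlier on this page calls a route leak, can be reproduced with a few lines of policy simulation. The block below is an added example, not the article's or any vendor's code: it models four ASes with the common local-preference convention (customer routes preferred over peer routes, peer over provider), lets a customer of two providers either re-advertise everything it hears or apply the usual export rule (routes learned from a provider or peer are announced only to customers), and reports which path the first provider ends up using for a prefix that lives behind the second provider. The topology, AS numbers and prefix are constructed (private ASNs, documentation prefix).

```python
"""Route leak by an unfiltered multi-homed customer, and the export filter that stops it.

Added example, not code from the article. Topology, ASNs and prefix are constructed.
"""
from dataclasses import dataclass, field

# Conventional preference by neighbour relationship: customer > peer > provider.
LOCAL_PREF = {"customer": 300, "peer": 200, "provider": 100}


@dataclass
class Route:
    prefix: str
    as_path: tuple       # leftmost = neighbour that sent it, rightmost = origin
    learned_from: str    # relationship of the neighbour that sent it
    local_pref: int


@dataclass
class AS:
    asn: int
    originated: set = field(default_factory=set)
    neighbors: dict = field(default_factory=dict)  # neighbour asn -> its relationship to us
    rib: dict = field(default_factory=dict)        # prefix -> best Route
    filter_exports: bool = False                   # apply the relationship export rule?

    def receive(self, prefix, as_path, from_asn) -> bool:
        """Install the route if it beats the current best; return True if the RIB changed."""
        if self.asn in as_path:                    # AS-path loop prevention
            return False
        rel = self.neighbors[from_asn]
        cand = Route(prefix, as_path, rel, LOCAL_PREF[rel])
        cur = self.rib.get(prefix)
        # Decision process reduced to: higher local-pref, then shorter AS path.
        if cur is None or (cand.local_pref, -len(cand.as_path)) > (cur.local_pref, -len(cur.as_path)):
            self.rib[prefix] = cand
            return True
        return False

    def exports_to(self, to_asn):
        """(prefix, as_path) pairs this AS announces to one neighbour."""
        rel = self.neighbors[to_asn]
        out = [(p, (self.asn,)) for p in self.originated]
        for prefix, r in self.rib.items():
            if self.filter_exports and rel != "customer" and r.learned_from != "customer":
                continue   # never hand provider/peer routes to another provider or peer
            out.append((prefix, (self.asn,) + r.as_path))
        return out


def connect(a: AS, b: AS, a_is: str):
    """Record the relationship of a to b ('customer', 'provider' or 'peer') on both sides."""
    inverse = {"customer": "provider", "provider": "customer", "peer": "peer"}
    b.neighbors[a.asn] = a_is
    a.neighbors[b.asn] = inverse[a_is]


def propagate(ases: dict):
    """Exchange announcements until no RIB changes (the graph is small and converges)."""
    changed = True
    while changed:
        changed = False
        for a in ases.values():
            for nbr in a.neighbors:
                for prefix, path in a.exports_to(nbr):
                    if ases[nbr].receive(prefix, path, a.asn):
                        changed = True


def leak_scenario(customer_filters: bool) -> tuple:
    """AS path that provider P1 uses for a prefix behind provider P2."""
    p1 = AS(64500, filter_exports=True)
    p2 = AS(64501, filter_exports=True)
    cust = AS(64496, filter_exports=customer_filters)        # multi-homed to P1 and P2
    dest = AS(64502, originated={"203.0.113.0/24"}, filter_exports=True)
    connect(p1, p2, "peer")
    connect(cust, p1, "customer")
    connect(cust, p2, "customer")
    connect(dest, p2, "customer")
    ases = {a.asn: a for a in (p1, p2, cust, dest)}
    propagate(ases)
    return p1.rib["203.0.113.0/24"].as_path


if __name__ == "__main__":
    print("unfiltered customer:", leak_scenario(False))  # P1 sends traffic via the customer
    print("filtered customer:  ", leak_scenario(True))   # P1 keeps the direct peer path
```

Without the filter, P1 prefers the three-hop path through its customer purely because customer routes carry the higher local preference, which is the behaviour the paragraph describes; the path being longer does not save it. The same fix viewed from the provider's side is a prefix list on the customer session that accepts only the prefixes the customer is registered to originate.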

The concept of BGP hijacking revolves around locating an ISP that is not filtering advertisements (intentionally or otherwise) or locating an ISP whose internal or ISP-to-ISP BGP session is susceptible to a man-in-the-middle attack. Once located, an attacker can potentially advertise any prefix they want, causing some or all traffic to be diverted from the real source towards the attacker. This can be done either to overload the ISP the attacker has infiltrated, or to perform a DoS or impersonation attack on the entity whose prefix is being advertised. It is not uncommon for an attacker to cause serious outages, up to and including a complete loss of connectivity. In early 2008, at least eight US universities had their traffic diverted to Indonesia for about 90 minutes one morning in an attack kept mostly quiet by those involved. Also, in February 2008, a large portion of YouTube's address space was redirected to Pakistan when the Pakistan Telecommunication Authority (PTA) decided to block access[7] to the site from inside the country, but accidentally blackholed the route in the global BGP table.

While filtering and MD5/TTL protection are already available for most BGP implementations (thus preventing the source of most attacks), the problem stems from the fact that ISPs rarely ever filter advertisements from other ISPs, as there is no common or efficient way to determine the list of permissible prefixes each AS can originate. The penalty for allowing errant information to be advertised can range from simple filtering by other/larger ISPs to a complete shutdown of the BGP session by the neighboring ISP (causing the two ISPs to cease peering), and repeated problems often end in permanent termination of all peering agreements. It is also noteworthy that even when a major provider blocks or shuts down a smaller, problematic provider, the global BGP table will often reconverge and reroute the traffic through other available paths until all peers take action, or until the errant ISP fixes the problem at the source.

One useful offshoot of this concept is called BGP anycasting and is frequently used by root DNS servers to allow multiple servers to use the same IP address, providing redundancy and a layer of protection against DoS attacks without publishing hundreds of server IP addresses. The difference in this situation is that each point advertising a prefix actually has access to the real data (DNS in this case) and responds correctly to end user requests.

Public incidents

External links

A real-time BGP connectivity and security monitoring system.

List of ISPs that implement Resource Public Key Infrastructure (RPKI).

Notes and References

  1. Zhang, Zheng; Zhang, Ying; Hu, Y. Charlie; Mao, Z. Morley. "Practical Defenses Against BGP Prefix Hijacking." University of Michigan. Retrieved 2018-04-24.
  2. Gavrichenkov, Artyom. "Breaking HTTPS with BGP Hijacking." Black Hat. Retrieved 2018-04-24.
  3. Birge-Lee, Henry; Sun, Yixin; Edmundson, Annie; Rexford, Jennifer; Mittal, Prateek. "Using BGP to Acquire Bogus TLS Certificates." Princeton University. Retrieved 2018-04-24.
  4. Julian, Zach. "An Overview of BGP Hijacking." Bishop Fox, 2015-08-17. Retrieved 2018-04-25.
  5. Zetter, Kim. "Revealed: The Internet's Biggest Security Hole." WIRED, 2008-08-26. Retrieved 2018-04-25.
  6. "Problem Definition and Classification of BGP Route Leaks." RFC 7908, June 2016. Retrieved 27 May 2021.
  7. "Technology | Pakistan lifts the ban on YouTube." 2008-02-26. Retrieved 2016-11-07.
  8. "7007: From the Horse's Mouth." Retrieved 2008-02-26. Archived 2009-02-27 at https://web.archive.org/web/20090227181607/http://www.merit.edu/mail.archives/nanog/1997-04/msg00380.html (original link dead).
  9. "Renesys Blog: Internet-Wide Catastrophe—Last Year." Retrieved 2008-02-26. Archived 2008-02-28 at https://web.archive.org/web/20080228131639/http://www.renesys.com/blog/2005/12/internetwide_nearcatastrophela.shtml (original link dead).
  10. Wan, Tao; van Oorschot, Paul C. "Analysis of BGP Prefix Origins During Google's May 2005 Outage." Ccsl.carleton.ca. Retrieved 2016-11-07.
  11. "Con-Ed Steals the 'Net." Renesys.com, 2006-01-23. Retrieved 2016-11-07. Archived 2013-03-08 at https://web.archive.org/web/20130308072127/http://www.renesys.com/blog/2006/01/coned-steals-the-net.shtml (original link dead).
  12. "YouTube Hijacking: A RIPE NCC RIS case study." RIPE NCC News & Announcements. Retrieved 2008-03-31. Archived 2008-04-05 at https://web.archive.org/web/20080405030750/http://www.ripe.net/news/study-youtube-hijacking.html (original link dead).
  13. "Brazil Leak: If a tree falls in the rainforest." Renesys.com. Retrieved 2016-11-07. Archived 2013-04-23 at https://web.archive.org/web/20130423121509/http://www.renesys.com/blog/2008/11/brazil-leak-if-a-tree-falls-in.shtml (original link dead).
  14. Toonk, Andree. "Chinese ISP hijacks the Internet." BGPmon.net, 2010-04-08. Retrieved 2019-04-15. Archived 2019-04-15 at https://web.archive.org/web/20190415002259/https://bgpmon.net/chinese-isp-hijacked-10-of-the-internet/.
  15. "How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack." bgpmon.net. Retrieved 2017-10-17.
  16. "Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins." Wired.com, 2014-08-07. Retrieved 2016-11-07.
  17. Brandom, Russell. "Iran's porn censorship broke browsers as far away as Hong Kong." The Verge, 2017-01-07. Retrieved 2017-01-09.
  18. "BGP Hijacking overview - Recent BGP Hijacking Incidents." noction.com, 24 April 2018. Retrieved 2018-08-11.
  19. "BGPstream and The Curious Case of AS12389." BGPmon, bgpmon.net. Retrieved 2017-10-17.
  20. "Popular Destinations rerouted to Russia." BGPMON, 14 December 2017.
  21. "Born to Hijack." Qrator.Radar, 13 December 2017.
  22. "Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency." 24 April 2018. Retrieved 24 April 2018.
  23. "Telegram traffic from around the world took a detour through Iran." 30 July 2018. Retrieved 31 July 2018.
  24. "Internet Vulnerability Takes Down Google." 13 November 2018.
  25. "Public DNS in Taiwan the latest victim to BGP hijack." 15 May 2019. Retrieved 31 May 2019.
  26. "Large European routing leak sends traffic through China Telecom." 12 June 2019.
  27. "For two hours, a large chunk of European mobile traffic was rerouted through China." 12 June 2019.
  28. "BGP Route Leak Incident Review: A Closer Look at a Route Leak." 14 September 2021.
  29. Siddiqui, Aftab. "Major Route Leak by AS28548 – Another BGP Optimizer?" 13 Feb 2021. Retrieved 14 September 2021.
  30. Siddiqui, Aftab. "A major BGP route leak by AS55410." 26 April 2021. Retrieved 28 May 2021.
  31. "KlaySwap crypto users lose funds after BGP hijack." 14 February 2022. Retrieved 17 Feb 2022.
  32. "BGP Hijacking of Twitter Prefix by RTComm.ru." SANS.
  33. Goodin. "Some Twitter traffic briefly funneled through Russian ISP, thanks to BGP mishap." Ars Technica, 29 March 2022.