Protect Your Enterprise From BGP Route Hijacking

BGP does a great job of identifying optimal paths across the internet, but its lack of security controls allows the protocol to be exploited.

Whenever someone asks me, “What is the Border Gateway Protocol (BGP)?” I always use the following analogy to explain it: BGP is like the postal service. When you address a letter and drop it in your mailbox, it is carried to its destination by people, trucks and airplanes and is sorted in postal facilities along the way. BGP works the same way, except that it operates across the internet, is much faster and, instead of airplanes and postal facilities, uses routers, circuits and central offices to reach its destination.

BGP is the primary protocol used on the internet to exchange routing information between networks. It is the language routers on the internet speak to decide on the best paths to reach a destination. For example, it decides whether data originating in Tennessee will take a path through routers located in Alabama or in Georgia to reach its destination in Florida.

Over the years BGP has been stable and is considered the de facto protocol for internet communication.

Trust Issue

BGP was created well before security became a major concern for enterprises. As such, it includes no security mechanisms of its own; instead it trusts that network peers will appropriately secure their systems and send correct route information. Thus, anybody can advertise or announce a route to a network without any verification.

The concern is twofold: honest mistakes can happen, and problems can occur if malicious actors try to manipulate the routing tables that BGP builds.

In many cases, false advertisements last less than 10 minutes, but it can be challenging for security professionals to determine whether an incident was a mistake or malicious.

What Is BGP Hijacking?

BGP hijacking, sometimes called prefix hijacking or IP hijacking, occurs when an attacker redirects traffic away from its intended destination and sends it somewhere else.

This can be compared to a company mailing private information to the wrong address because an imposter supplied the company with a false delivery address. Once the letter is mailed to the wrong address, the imposter has it for good.

During BGP hijacking, routers under the attacker’s control advertise themselves as providing the correct path to the targeted network, so traffic for that network is redirected into the network the attacker controls. Many of these incidents are caused by malicious actors; however, many others are the result of misconfigurations.

In the past, cryptocurrencies have been targeted by BGP hijackers who took over computers and hijacked their advertised routes so that the attacker’s computers received legitimate miners’ crypto payments. In 2018, there were reports of private keys used for cryptocurrencies being stolen through a BGP hijacking attack.

In 2019, traffic going through a public DNS server run by the Taiwan Network Information Center (TWNIC) came under attack and was rerouted for several minutes. This was significant because TWNIC is part of the internet backbone and the hijacking posed considerable risk. There were no reports of successful malicious activity, but it is important to note because serious damage could have occurred, and similar incidents could happen at other locations across the world.

BGP hijacking attempts occur consistently across the globe. This site provides a lot of information about the number and magnitude of the various BGP hijackings.

How Best To Prevent Hijacking?

While there are changes that security engineers can make to help mitigate BGP hijacking, such as validating the advertisements they receive, monitoring BGP advertisements or implementing the Resource Public Key Infrastructure (RPKI), these measures alone are not enough to fully protect against this attack on a global basis. The best solution requires a community approach from the various internet service providers (ISPs).

In 2014, the Internet Society launched the Mutually Agreed Norms for Routing Security (MANRS) initiative with the purpose of eliminating common routing threats, including BGP hijacking, by promoting the security of the global routing system within the service provider community.

MANRS promotes four main actions those involved in internet routing can take to reduce the threat of route hijacking or other types of BGP attacks:

  • Global validation – The service provider will have documented routing policies that are publicly available and will communicate to its peers which specific announcements are valid.
  • Filtering – There must be a documented routing policy that ensures only the correct routes are announced, verified by confirming that customers own the autonomous system numbers and the corresponding address space they announce.
  • Anti-Spoofing – Anti-spoofing filtering must be used so that only packets with correct source IPs can enter the provider’s network.
  • Coordination – Service providers’ contact information must be publicly accessible and up to date.
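As an added example (not code from the article or from MANRS), the origin check that the “validating advertisements” mitigation and the Filtering action describe, written as a small Python model of RFC 6811 Route Origin Validation against RPKI ROAs: a received announcement is Valid, Invalid or NotFound depending on whether an authorization covers its prefix and origin AS. The ROA records, prefixes and AS numbers are constructed sample data, and the `ROA` class and `screen_announcements` policy are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical Route Origin Authorization record (constructed for this example).
@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific prefix the origin may announce
    origin_asn: int   # AS number authorized to originate it

def covers(roa, route):
    """A ROA covers a route when the announced prefix lies inside the ROA prefix."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)

def rov_state(announced_prefix, origin_asn, roas):
    """Classify one announcement as RFC 6811 Route Origin Validation does:
    Valid    - a covering ROA names this origin AS and permits this prefix length
    Invalid  - covering ROAs exist but none matches (wrong origin or too specific)
    NotFound - no ROA covers the prefix, so RPKI has nothing to say about it
    """
    route = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"

def screen_announcements(updates, roas, drop_invalid=True):
    """Common operator policy: reject Invalid, accept Valid and NotFound.
    Returns (accepted, rejected) lists of (prefix, origin_asn, state) tuples."""
    accepted, rejected = [], []
    for prefix, asn in updates:
        entry = (prefix, asn, rov_state(prefix, asn, roas))
        (rejected if drop_invalid and entry[2] == "Invalid" else accepted).append(entry)
    return accepted, rejected

# Constructed sample data: documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398).
ROAS = [ROA("203.0.113.0/24", 24, 64496), ROA("192.0.2.0/24", 25, 64497)]
UPDATES = [
    ("203.0.113.0/24", 64496),   # legitimate origin              -> Valid
    ("203.0.113.0/25", 64496),   # right AS but exceeds maxLength -> Invalid
    ("203.0.113.0/24", 64500),   # foreign AS claims the prefix   -> Invalid (hijack pattern)
    ("192.0.2.128/25", 64497),   # more-specific allowed by ROA   -> Valid
    ("198.51.100.0/24", 64500),  # no ROA covers it               -> NotFound
]
```

A NotFound result is the common case for prefixes whose holders have not yet published ROAs, which is why RPKI alone cannot stop every hijack and why the community-wide MANRS actions matter.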

BGP hijacking across the globe would be significantly reduced if all ISPs followed the policies of MANRS. For it to have a real impact, it needs the collaboration and coordinated actions of all ISPs. Without their participation, MANRS cannot be successful.

If providers have enough clients requesting them to join MANRS, then more will do so—or at least take measures to ensure they are following the requirements identified within it. Until then, weaknesses in BGP security will continue to be exploited to the detriment of everyone who uses the internet.

According to the Internet Society, as of January 2020, 275 network operators and 45 internet exchange points (IXPs) had signed on to be MANRS-compliant. This is encouraging, but more should consider participating or at least adhere to the standards.

As more infrastructure moves out of the data center and into the cloud, security becomes even more critical. The more ISPs work together with organizations such as MANRS and the more enterprises insist their providers do so or at least follow similar requirements, then the fewer incidents there will be and the less impact BGP hijacking will have.

Mark Dargin

Mark Dargin is an experienced security and network architect/leader. He has over 20 years of experience designing, managing, and securing complex WAN and LAN infrastructures for large and medium-sized organizations. Mark’s experience includes leading and managing large-scale compliance and risk management initiatives and programs. He is a member of the Michigan Cybersecurity Civilian Corps, a rapid response team of experienced IT security volunteers who assist the state and industries during major cybersecurity incidents. Mark holds a bachelor’s degree in Business Management and Communications from the University of Michigan-Dearborn, a master’s degree in Business Information Technology from Walsh College in Troy, Michigan, and an Advanced Computer Security Certificate from Stanford University. Mark holds various active certifications, including the CISSP (Certified Information Systems Security Professional), PMP (Project Management Professional), GIAC GMON (Continuous Monitoring & Security Operations), GIAC GNFA (Network Forensics Analyst) and many other vendor-related certifications.