BGP hijacking


BGP hijacking (sometimes referred to as prefix hijacking, route hijacking or IP hijacking) is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).[1][2][3][4][5]


Background

The Internet is a global network that enables any connected host, identified by its unique IP address, to talk to any other, anywhere in the world. This is achieved by passing data from one router to another, repeatedly moving each packet closer to its destination, until it is delivered. To do this, each router must be regularly supplied with up-to-date routing tables. At the global level, individual IP addresses are grouped together into prefixes. These prefixes will be originated, or owned, by an autonomous system (AS), and the routing tables between ASes are maintained using the Border Gateway Protocol (BGP).

A group of networks that operates under a single external routing policy is known as an autonomous system. For example, Sprint, Verizon, and AT&T each operate an AS. Each AS is identified by its own unique autonomous system number. BGP is the standard routing protocol used to exchange IP routing information between autonomous systems.

Each AS uses BGP to advertise prefixes that it can deliver traffic to. For example, if the network prefix 192.0.2.0/24 is inside AS 64496, then that AS will advertise to its provider(s) and/or peer(s) that it can deliver any traffic destined for 192.0.2.0/24.

Although security extensions are available for BGP, and third-party route DB resources exist for validating routes, by default the BGP protocol is designed to trust all route announcements sent by peers. Many ISPs do not rigorously enforce checks on BGP sessions.

Mechanism

IP hijacking can occur deliberately or by accident in one of several ways:

Common to all of these is a disruption of normal network routing: packets are forwarded towards the wrong part of the network, where they either loop until they are discarded or are delivered to the offending AS and left at its mercy.

Typically ISPs filter BGP traffic, allowing BGP advertisements from their downstream networks to contain only valid IP space. However, a history of hijacking incidents shows this is not always the case.

The Resource Public Key Infrastructure (RPKI) is designed to authenticate route origins via cryptographic certificate chains that demonstrate ownership of address blocks, but it is not yet widely deployed. Once deployed, hijacks caused by errant origin announcements (whether accidental or intentional) should be detectable and filterable.
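The origin check that RPKI enables is simple enough to show in full. The following Python is an added example (not code from the article or from any RPKI validator) implementing the RFC 6811 route origin validation states: an announcement is Valid when a Route Origin Authorization (ROA) covers the prefix, names the announcing AS, and the announced prefix is no longer than the ROA's maxLength; Invalid when a ROA covers it but those conditions fail; NotFound when no ROA covers it. The ROAs, announcements, prefixes (RFC 5737 documentation blocks) and ASNs other than 64496 from the text are constructed sample data.

```python
"""Added example: RPKI route origin validation (RFC 6811 semantics) applied to
BGP announcements. ROAs and announcements are constructed sample data using
documentation prefixes and private-use ASNs; this is not code from any RPKI
validator."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder has certified
    max_length: int   # longest prefix length the origin may announce under it
    origin_as: int    # ASN authorised to originate routes for that block


def covering_roas(roas: List[ROA], prefix: str) -> List[ROA]:
    """ROAs whose certified block contains the announced prefix."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if block.version == net.version and net.subnet_of(block):
            out.append(roa)
    return out


def validate_origin(roas: List[ROA], prefix: str, origin_as: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for a (prefix, origin AS) pair."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "NotFound"          # no ROA covers this space: nothing to check against
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered by a ROA, but wrong origin or too specific


def apply_rov_policy(roas: List[ROA], announcements: List[Tuple[str, int]]):
    """Common deployment policy: drop Invalid, keep Valid and NotFound.
    Returns (accepted, rejected) lists of (prefix, origin_as, state)."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(roas, prefix, origin_as)
        (rejected if state == "Invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected


# Constructed sample data: AS 64496 holds 192.0.2.0/24 and may announce it as a /24 only.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496)]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # same prefix, foreign origin
    ("192.0.2.0/25", 64496),      # right AS, but more specific than maxLength allows
    ("198.51.100.0/24", 64500),   # no ROA covers this block
]

if __name__ == "__main__":
    accepted, rejected = apply_rov_policy(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS)
    for entry in accepted:
        print("accept", entry)
    for entry in rejected:
        print("reject", entry)
```

The "drop Invalid, keep NotFound" policy is what makes partial deployment workable: space without ROAs keeps routing as before, while a foreign origin or an over-specific announcement of certified space is rejected. Note that origin validation checks only the origin AS at the end of the AS path, which is why the text describes RPKI as authenticating route origins rather than the whole path.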

IP hijacking is sometimes used by malicious users to obtain IP addresses for use in spamming or a distributed denial-of-service (DDoS) attack.

When a router disseminates erroneous BGP routing information, whether intentionally or accidentally, it is defined by the Internet Engineering Task Force (IETF) in RFC 7908 as a "route leak." These leaks are characterized as "the dissemination of routing announcements beyond their intended scope. In other words, an announcement from one Autonomous System (AS) regarding a learned BGP route to another AS contravenes the intended policies of the recipient, the sender, and/or one of the ASes along the preceding AS path." Such leaks are made possible due to a long-standing "systemic vulnerability of the Border Gateway Protocol routing system." [6]

BGP hijacking and transit-AS problems

Like the TCP reset attack, session hijacking involves intrusion into an ongoing BGP session, i.e., the attacker successfully masquerades as one of the peers in a BGP session, and requires the same information needed to accomplish the reset attack. The difference is that a session hijacking attack may be designed to achieve more than simply bringing down a session between BGP peers. For example, the objective may be to change routes used by the peer, in order to facilitate eavesdropping, black holing, or traffic analysis.

By default, EBGP peers will attempt to add all routes received from another peer into the device's routing table and then proceed to advertise nearly all of these routes to other EBGP peers. This can pose a problem as multi-homed organizations may inadvertently advertise prefixes learned from one Autonomous System (AS) to another, leading the end customer to become the new best path to the relevant prefixes.

For instance, a customer with a Cisco router peering with both AT&T and Verizon, and employing no filtering, may inadvertently establish a transit link between the two major carriers. This could result in the providers preferring to route some or all traffic through the customer (potentially over a T1 line) instead of using their high-speed dedicated links. The issue can also affect other entities peering with these two providers and lead those ASes to favor the misconfigured link.

In practice, this problem rarely occurs with large Internet Service Providers (ISPs) as they typically impose restrictions on what an end customer can advertise. However, any ISP that does not filter customer advertisements may inadvertently allow incorrect information to be propagated into the global routing table, potentially affecting even the large Tier-1 providers.
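The multi-homed customer scenario above, and the route-leak definition from RFC 7908, can be modelled in a few lines. The following Python is an added example, not code from the article or from any router vendor: it reproduces a provider's usual local-preference policy (customer routes over peer routes over provider routes), shows why a provider would select the customer's leaked path even though the AS path is longer, and shows the valley-free export rule a customer applies to prevent the leak. The topology, the private-use ASNs 64500 to 64502 and the RFC 5737 prefix 203.0.113.0/24 are constructed for the illustration; the leak-type labels follow RFC 7908's types 1 to 4.

```python
"""Added example: how an unfiltered multi-homed customer becomes a transit path
(a route leak, RFC 7908), and how a valley-free export filter prevents it.
Topology, ASNs and prefix are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

CUSTOMER, PEER, PROVIDER, ORIGIN = "customer", "peer", "provider", "origin"

# Typical provider policy: prefer routes learned from customers (they pay),
# then peers (settlement-free), then providers (cost). Values are illustrative.
LOCAL_PREF = {ORIGIN: 300, CUSTOMER: 200, PEER: 100, PROVIDER: 50}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple        # leftmost ASN is the most recently traversed AS
    learned_from: str     # relationship of the neighbour this route came from


def export_allowed(route: Route, to_relationship: str) -> bool:
    """Valley-free export rule: own prefixes and customer-learned routes may be
    advertised to anyone; routes learned from a peer or a provider are
    re-advertised to customers only."""
    if route.learned_from in (ORIGIN, CUSTOMER):
        return True
    return to_relationship == CUSTOMER


def classify_leak(learned_from: str, advertised_to: str) -> Optional[str]:
    """Map a policy-violating (learned_from, advertised_to) pair to RFC 7908
    leak types 1-4; None means the export is within policy."""
    table = {
        (PROVIDER, PROVIDER): "Type 1: hairpin turn (provider route sent to another provider)",
        (PEER, PEER): "Type 2: lateral ISP-ISP-ISP leak",
        (PROVIDER, PEER): "Type 3: transit-provider prefixes leaked to a peer",
        (PEER, PROVIDER): "Type 4: peer prefixes leaked to a transit provider",
    }
    return table.get((learned_from, advertised_to))


def best_path(routes: List[Route]) -> Route:
    """The two BGP decision steps modelled here: highest LOCAL_PREF wins,
    then the shortest AS_PATH."""
    return max(routes, key=lambda r: (LOCAL_PREF[r.learned_from], -len(r.as_path)))


def simulate(customer_filters_exports: bool) -> Route:
    """Provider P1 (AS 64501) peers with provider P2 (AS 64502); customer C
    (AS 64500) buys transit from both. P2 originates 203.0.113.0/24.
    Returns the route P1 selects for that prefix."""
    prefix = "203.0.113.0/24"
    p1_candidates = [Route(prefix, (64502,), PEER)]      # direct P2 -> P1 peering
    learned_by_c = Route(prefix, (64502,), PROVIDER)      # P2 -> C (C is P2's customer)
    # C is P1's customer, so C -> P1 is an export "to a provider".
    if not customer_filters_exports or export_allowed(learned_by_c, PROVIDER):
        p1_candidates.append(Route(prefix, (64500, 64502), CUSTOMER))
    return best_path(p1_candidates)


if __name__ == "__main__":
    leaked = simulate(customer_filters_exports=False)
    print("no filter:", leaked.as_path, "-", classify_leak(PROVIDER, PROVIDER))
    clean = simulate(customer_filters_exports=True)
    print("filtered :", clean.as_path)
```

Without the filter, P1 picks the path through C (AS path 64500 64502) purely because customer routes carry the higher local preference, which is exactly how the customer's access link becomes the providers' preferred route. With the filter, C never exports the provider-learned route, and P1 keeps its direct peering path. The same `export_allowed` rule, applied on the provider side as an import filter on what a customer may announce, is the restriction that large ISPs impose in practice.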

The concept of BGP hijacking involves identifying an Internet Service Provider (ISP) that does not filter advertisements, whether intentionally or unintentionally, or identifying an ISP with vulnerable internal or ISP-to-ISP BGP sessions susceptible to a man-in-the-middle attack. Once identified, an attacker can potentially advertise any prefix they choose, leading to the diversion of some or all traffic from its legitimate source to the attacker. This action can be carried out to overwhelm the infiltrated ISP or to execute a Denial of Service (DoS) or impersonation attack on the entity whose prefix is being advertised. It is not uncommon for attackers to cause significant disruptions, including complete loss of connectivity.

In an incident from early 2008, at least eight US universities had their traffic rerouted to Indonesia for approximately 90 minutes one morning in an attack that was largely kept under wraps by those involved.[citation needed] Also, in February 2008, a large portion of YouTube's address space was redirected to Pakistan when the PTA decided to block access[7] to the site from inside the country, but accidentally black-holed the route in the global BGP table. While filtering and MD5/TTL protection are already available in most BGP implementations (and so prevent the source of most attacks), the problem stems from the fact that ISPs rarely filter advertisements from other ISPs, as there is no common or efficient way to determine the list of permissible prefixes each AS can originate. The penalty for allowing errant information to be advertised can range from simple filtering by other or larger ISPs to a complete shutdown of the BGP session by the neighboring ISP (causing the two ISPs to cease peering), and repeated problems often end in permanent termination of all peering agreements. It is also noteworthy that even when a major provider blocks or shuts down a smaller, problematic provider, the global BGP table will often reconverge and reroute the traffic through other available paths until all peers take action, or until the errant ISP fixes the problem at the source.

One useful offshoot of this concept is called BGP anycasting and is frequently used by root DNS servers to allow multiple servers to use the same IP address, providing redundancy and a layer of protection against DoS attacks without publishing hundreds of server IP addresses. The difference in this situation is that each point advertising a prefix actually has access to the real data (DNS in this case) and responds correctly to end user requests.

Public incidents




References

  1. Zhang, Zheng; Zhang, Ying; Hu, Y. Charlie; Mao, Z. Morley. "Practical Defenses Against BGP Prefix Hijacking" (PDF). University of Michigan. Retrieved 2018-04-24.
  2. Gavrichenkov, Artyom. "Breaking HTTPS with BGP Hijacking" (PDF). Black Hat. Retrieved 2018-04-24.
  3. Birge-Lee, Henry; Sun, Yixin; Edmundson, Annie; Rexford, Jennifer; Mittal, Prateek. "Using BGP to Acquire Bogus TLS Certificates". Princeton University. Retrieved 2018-04-24.
  4. Julian, Zach (2015-08-17). "An Overview of BGP Hijacking - Bishop Fox". Bishop Fox. Retrieved 2018-04-25.
  5. Zetter, Kim (2008-08-26). "Revealed: The Internet's Biggest Security Hole". WIRED. Retrieved 2018-04-25.
  6. Sriram, Kotikalapudi; Montgomery, Doug; McPherson, Danny R.; Osterweil, Eric; Dickson, Brian (June 2016). "Problem Definition and Classification of BGP Route Leaks". Retrieved 27 May 2021.
  7. "Technology | Pakistan lifts the ban on YouTube". BBC News. 2008-02-26. Retrieved 2016-11-07.
  8. "7007: From the Horse's Mouth". Archived from the original on 2009-02-27. Retrieved 2008-02-26.
  9. "Renesys Blog: Internet-Wide Catastrophe—Last Year". Archived from the original on 2008-02-28. Retrieved 2008-02-26.
  10. Tao Wan; Paul C. van Oorschot. "Analysis of BGP Prefix Origins During Google's May 2005 Outage" (PDF). Ccsl.carleton.ca. Retrieved 2016-11-07.
  11. "Con-Ed Steals the 'Net - Dyn Research | The New Home Of Renesys". Renesys.com. 2006-01-23. Archived from the original on 2013-03-08. Retrieved 2016-11-07.
  12. "YouTube Hijacking: A RIPE NCC RIS case study - News & Announcements from the RIPE NCC". Archived from the original on 2008-04-05. Retrieved 2008-03-31.
  13. "Brazil Leak: If a tree falls in the rainforest - Dyn Research | The New Home Of Renesys". Renesys.com. Archived from the original on 2013-04-23. Retrieved 2016-11-07.
  14. Toonk, Andree (2010-04-08). "Chinese ISP hijacks the Internet". BGPmon.net. Archived from the original on 2019-04-15. Retrieved 2019-04-15.
  15. "How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack". bgpmon.net. Retrieved 2017-10-17.
  16. "Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins". Wired.com. 2014-08-07. Retrieved 2016-11-07.
  17. Brandom, Russell (2017-01-07). "Iran's porn censorship broke browsers as far away as Hong Kong". The Verge. Retrieved 2017-01-09.
  18. "BGP Hijacking overview - Recent BGP Hijacking Incidens". noction.com. 24 April 2018. Retrieved 2018-08-11.
  19. "BGPstream and The Curious Case of AS12389 | BGPmon". bgpmon.net. Retrieved 2017-10-17.
  20. "Popular Destinations rerouted to Russia". BGPMON. Retrieved 14 December 2017.
  21. "Born to Hijack". Qrator.Radar. Retrieved 13 December 2017.
  22. "Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency". 24 April 2018. Retrieved 24 April 2018.
  23. "Telegram traffic from around the world took a detour through Iran". 30 July 2018. Retrieved 31 July 2018.
  24. "Internet Vulnerability Takes Down Google". Internet and Cloud Intelligence Blog | ThousandEyes. 13 November 2018. Retrieved 13 November 2018.
  25. "Public DNS in Taiwan the latest victim to BGP hijack". 15 May 2019. Retrieved 31 May 2019.
  26. "Large European routing leak sends traffic through China Telecom". 7 June 2019. Retrieved 12 June 2019.
  27. "For two hours, a large chunk of European mobile traffic was rerouted through China". ZDNet. Retrieved 12 June 2019.
  28. "BGP Route Leak Incident Review: A Closer Look at a Route Leak". Retrieved 14 September 2021.
  29. Siddiqui, Aftab (13 Feb 2021). "Major Route Leak by AS28548 – Another BGP Optimizer?". Retrieved 14 September 2021.
  30. Siddiqui, Aftab (26 April 2021). "A major BGP route leak by AS55410". Retrieved 28 May 2021.
  31. "KlaySwap crypto users lose funds after BGP hijack". 14 February 2022. Retrieved 17 Feb 2022.
  32. "BGP Hijacking of Twitter Prefix by RTComm.ru". SANS.
  33. Goodin (29 March 2022). "Some Twitter traffic briefly funneled through Russian ISP, thanks to BGP mishap". Ars Technica.