How to detect and avoid BGP insecurity and hijacks

Border Gateway Protocol (BGP) is the core routing protocol of the internet. It enables routers to determine the optimal path for data to reach its destination. However, BGP is marred by inherent vulnerabilities, leading to dangerous hijacking incidents.

These incidents can severely disrupt network infrastructure and the internet as a whole. This article will discuss the significance of BGP security, the different types of BGP hijacks, and how to detect and protect against them.

What is BGP?

BGP is an exterior gateway protocol that is fundamental in transmitting information across the internet. It enables the exchange of routing data between different Autonomous Systems (ASes) on the internet.

An AS represents a collection of networks under a single administrative domain, such as a large organization or an internet service provider (ISP). BGP allows routers present in different ASes to exchange information related to available network prefixes. Any two routers that have formed a connection for exchanging BGP data are known as peers.

These network prefixes indicate the range of IP addresses assigned to a specific network. BGP routers in an AS advertise their network prefixes to neighboring ASes. The advertised routes contain information about the originating AS, the path to reach its network, and other attributes to help determine the best path for routing.

Through this information exchange, BGP routers construct a comprehensive map of network reachability, which serves as the foundation of the internet's interconnected infrastructure.

How is BGP hijacked?

BGP is insecure by design. It has several architectural limitations that make it susceptible to targeted attacks. For example, BGP lacks robust techniques to verify the authenticity of routing information. It doesn’t support native encryption, so attackers who can intercept BGP messages can also manipulate their content. Moreover, BGP is a complex protocol that is not always easy to configure correctly.

Let's explore some common types of BGP hijacks:

Route leaks

Route leaks occur when an AS announces incorrect routing information to other ASes. This can occur due to a misconfiguration, security breach, or a deliberate attack. Route leaks can result in unintended traffic redirection, leading to potential disruptions.

Misconfigurations

BGP routers can be misconfigured in a way that allows an attacker to hijack traffic. These misconfigurations typically arise from human error during the setup or maintenance of BGP routers. For example, if a BGP router is misconfigured to advertise routes for IP addresses it does not own, it can cause traffic to be diverted to unauthorized destinations.

Prefix hijacking

Prefix hijacking is a type of BGP hijack where an attacker announces a network prefix that they do not own. By making this fraudulent announcement, the attacker can divert legitimate traffic (destined for the announced prefix) to their own network. This redirection allows the attacker to potentially access sensitive information.

Man-in-the-middle attacks

BGP man-in-the-middle (MITM) attacks occur when an adversary intercepts BGP messages between routers and manipulates the routing information. By impersonating a legitimate AS, the adversary can redirect traffic, eavesdrop on communication, or inject malicious content into the network. Such attacks pose serious risks, including unauthorized access to sensitive information and compromised network integrity.

Session hijacking

Session hijacking occurs when an attacker takes over an ongoing BGP session between two routers. Attackers exploit the protocol’s vulnerabilities to hijack the session and manipulate routing decisions. For example, they may inject false routing information to disrupt network operations.

What are the impacts of BGP hijacking?

BGP hijacking carries significant consequences that can deeply impact network infrastructure and overall security. Let’s look at a few:

Traffic redirection

BGP hijacking can be used to redirect traffic to a malicious website or server. This can lead to significant disruptions, causing delays, loss of connectivity, and potential data leakage. For example, an attacker could hijack traffic for a bank's website and redirect it to a fake website that looks like the real one. Users may unknowingly enter their login credentials on the fake site, which are then exposed to the attackers.

Service disruption

BGP hijacks can disrupt essential services and connectivity. Rerouted traffic can lead to network instability, which can cause critical services to either become inaccessible or experience degraded performance. This can result in significant financial losses, reputational damage, and operational challenges for organizations and service providers.

Data interception and manipulation

BGP hijacking opens avenues for attackers to intercept and manipulate data as it is transmitted over the internet. This can be used to steal sensitive data, including passwords, credit card numbers, and other personal information. It can also be used to manipulate the intercepted data, leading to unauthorized modifications or data tampering.

Denial of Service (DoS)

BGP hijacks can facilitate denial-of-service (DoS) attacks against websites or online services. Attackers may reroute traffic to intentionally overload network resources, rendering services inaccessible to legitimate users. This can result in service downtime, loss of productivity, and financial repercussions for the affected business.

National security risks

BGP hijacking poses a significant threat to critical national infrastructure, such as power grids, financial systems, and government networks. The implications for national security and the economy can be severe. Consider the scenario where an attacker successfully hijacks traffic intended for a power grid. By disrupting the flow of legitimate traffic, they can force the grid offline, leading to widespread power outages and significant disruptions.

How to detect BGP insecurity and hijacks

Detecting BGP insecurity and hijacks is crucial for maintaining the integrity and security of network infrastructure. Here are a few measures to help you detect and respond to BGP-related threats effectively:

Route monitoring and anomaly detection

Early detection of potential BGP hijack attempts is crucial to prevent significant damage. To achieve this, organizations can leverage BGP monitoring and anomaly detection tools. BGP monitoring tools can be used to detect BGP leaks, analyze BGP routing tables, and track path changes. They can also be used to identify suspicious activity, such as frequent changes to routing tables or malicious prefix announcements.

Intrusion detection tools can be used to detect BGP-related attacks, such as man-in-the-middle attacks and session hijacking. These tools identify suspicious network activity that could indicate an ongoing hijack attempt or unauthorized access.

BGP security best practices

There are a number of best practices that can be followed to improve BGP security. These include:

  • Using strong passwords: Strong passwords should be used for all network devices that are part of the BGP ecosystem. This includes servers, routers, and any configuration portals.
  • Disabling unnecessary features: Disable unnecessary features on network devices to reduce the overall attack surface. This includes features such as remote management and unused routing protocols.
  • Using a firewall: Protect BGP routers from unauthorized access by using a well-configured firewall. The firewall should only allow inbound traffic from trusted sources.
  • Applying patches: Apply security patches to BGP routers as soon as they are available. This will help to protect against known vulnerabilities.
  • Regularly performing vulnerability assessment: Regularly scan for any vulnerabilities in router firmware, configurations, or the networking layer.

Monitor the data plane

Monitoring the BGP data plane is a crucial aspect of detecting and mitigating BGP hijacks. By analyzing BGP updates, messages, and other protocol information in real time, organizations can proactively identify any malicious activity or anomalies.

With the help of BGP monitoring tools, organizations can track important metrics, like the number of exchanged BGP updates, the source and destination of BGP updates, the path that BGP updates take, and the advertised prefixes.

Active monitoring of these metrics can help detect potential BGP hijacks. For example, sudden and significant changes in the number of BGP updates can be a sign of malicious activity.
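The three checks described in the monitoring sections above (an unexpected origin AS, a more-specific announced by a foreign AS, and a sudden burst of updates for one prefix) can be run over an update feed. The following is an added example, not code from the article or from any monitoring product; the expected-origin table and the update records are constructed sample data standing in for a router or collector feed, and the window and threshold values are assumptions an operator would tune.

```python
"""Flag common BGP anomalies in a feed of route updates.

Added example, not code from the article: the expected-origin table and the
update feed below are constructed sample data standing in for a router or
collector feed.
"""
from collections import defaultdict
from ipaddress import ip_network

# Prefixes the operator is responsible for, with the AS that should originate them.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed update feed: (unix_time, prefix, as_path). Origin AS is as_path[-1].
UPDATES = [
    (100, "203.0.113.0/24", [64510, 64500]),
    (101, "198.51.100.0/24", [64510, 64501]),
    (102, "203.0.113.0/24", [64520, 64510, 64500]),
    (160, "203.0.113.0/24", [64530, 64666]),            # unexpected origin
    (161, "198.51.100.128/25", [64530, 64666]),         # more-specific from a stranger
] + [(170 + i, "198.51.100.0/24", [64510, 64501]) for i in range(20)]  # flap burst


def origin_of(as_path):
    return as_path[-1]


def check_origin(prefix, as_path):
    """Alert when a monitored prefix is originated by an AS other than its owner."""
    expected = EXPECTED_ORIGIN.get(prefix)
    seen = origin_of(as_path)
    if expected is not None and seen != expected:
        return f"origin mismatch for {prefix}: saw AS{seen}, expected AS{expected}"
    return None


def check_more_specific(prefix, as_path):
    """Alert when a more-specific of a monitored prefix comes from a foreign AS.

    A more-specific wins longest-prefix match, so this is the classic way a
    hijack pulls traffic; the owner's own deaggregation is not flagged."""
    net = ip_network(prefix)
    seen = origin_of(as_path)
    for known, owner in EXPECTED_ORIGIN.items():
        known_net = ip_network(known)
        if net.version != known_net.version or net == known_net:
            continue
        if net.subnet_of(known_net) and seen != owner:
            return f"more-specific {prefix} of {known} from AS{seen} (owner AS{owner})"
    return None


def check_update_rate(updates, window=60, threshold=10):
    """Alert on prefixes whose update count in any sliding window exceeds threshold."""
    times_by_prefix = defaultdict(list)
    for ts, prefix, _ in updates:
        times_by_prefix[prefix].append(ts)
    alerts = []
    for prefix, times in times_by_prefix.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:     # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append(f"update burst for {prefix}: {peak} updates within {window}s")
    return alerts


def analyze(updates):
    """Run every check and return the list of alert strings, in feed order."""
    alerts = []
    for _, prefix, as_path in updates:
        for check in (check_origin, check_more_specific):
            msg = check(prefix, as_path)
            if msg:
                alerts.append(msg)
    alerts.extend(check_update_rate(updates))
    return alerts


if __name__ == "__main__":
    for alert in analyze(UPDATES):
        print(alert)
```

Running the file prints three alerts: the origin mismatch for 203.0.113.0/24, the foreign more-specific 198.51.100.128/25, and the burst of 20 updates for 198.51.100.0/24. The more-specific check deliberately ignores deaggregation by the legitimate owner, which is common and benign; the rate check uses a sliding window so that a slow trickle of updates never triggers it.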

BGP path monitoring

Monitoring the consistency of BGP paths is another way to detect potential hijacks and anomalies in routing. This involves checking if the paths received from different Autonomous Systems match, or if there are any discrepancies.

A common way to monitor BGP paths is by collecting and examining BGP routing tables from different points in the network, like route collectors or peers. Variations in the paths advertised for specific IP prefixes can indicate potential hijacks or anomalies.

For example, if a BGP router suddenly starts advertising a different path for a specific IP prefix than what was expected, it indicates a potential BGP hijack. Similarly, if a BGP router advertises a path that it’s not authorized to advertise, it could be a sign of a BGP leak.
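Path monitoring as described above needs two things: a comparison of what different vantage points see for the same prefix, and a rule for deciding whether a given path is one the ASes along it were authorized to advertise. The following added example (not code from the article) implements both; it compares origins across constructed collector views and tests each path against the valley-free rule, which says a route learned from a provider or peer may only be exported to customers. The AS relationship tables are constructed sample data; in practice they come from an AS-relationship dataset.

```python
"""Cross-check AS paths from several vantage points and test each path for a
route leak with the valley-free rule.

Added example, not code from the article. The collector views and the AS
relationship tables are constructed sample data; in practice they come from
route collectors and an AS-relationship dataset.
"""
from collections import defaultdict

# Constructed relationships: customer AS -> set of its provider ASes.
PROVIDER_OF = {
    64500: {64510, 64511},
    64510: {64520},
    64511: {64521},
    64600: {64520, 64521},     # multi-homed customer of both large transit ASes
}
# Constructed settlement-free peerings.
PEERS = {frozenset({64520, 64521})}

# Constructed collector views: collector -> {prefix: as_path}. as_path[0] is the
# collector's neighbour, as_path[-1] the origin.
VIEWS = {
    "collector-A": {"203.0.113.0/24": [64520, 64510, 64500]},
    "collector-B": {"203.0.113.0/24": [64521, 64511, 64500]},
    "collector-C": {"203.0.113.0/24": [64521, 64600, 64520, 64510, 64500]},
    "collector-D": {"203.0.113.0/24": [64530, 64666]},
}


def relationship(a, b):
    """How AS a sees neighbour b: 'p2c' (b is a's customer), 'c2p' (b is a's
    provider), 'p2p' (peer) or None when the relationship is unknown."""
    if a in PROVIDER_OF.get(b, set()):
        return "p2c"
    if b in PROVIDER_OF.get(a, set()):
        return "c2p"
    if frozenset({a, b}) in PEERS:
        return "p2p"
    return None


def find_leak(as_path):
    """Return the AS that violates the valley-free rule, or None.

    Each transit AS x learned the route from as_path[i+1] and exported it to
    as_path[i-1]. A route learned from a provider or peer may only be exported
    to customers; exporting it to another provider or peer is a leak. Unknown
    relationships are never flagged, so the check errs on the quiet side."""
    for i in range(1, len(as_path) - 1):
        x, learned_from, exported_to = as_path[i], as_path[i + 1], as_path[i - 1]
        rel_in = relationship(x, learned_from)
        rel_out = relationship(x, exported_to)
        if rel_in in ("c2p", "p2p") and rel_out in ("c2p", "p2p"):
            return x
    return None


def compare_views(views):
    """Return {prefix: {collector: origin}} for prefixes with more than one
    origin AS across collectors (a MOAS conflict)."""
    origins = defaultdict(dict)
    for collector, table in views.items():
        for prefix, path in table.items():
            origins[prefix][collector] = path[-1]
    return {p: seen for p, seen in origins.items() if len(set(seen.values())) > 1}


def audit(views):
    """Combine both checks into a list of findings."""
    findings = []
    for prefix, seen in compare_views(views).items():
        findings.append(f"MOAS: {prefix} originated by {sorted(set(seen.values()))}")
    for collector, table in views.items():
        for prefix, path in table.items():
            leaker = find_leak(path)
            if leaker is not None:
                findings.append(f"route leak: {prefix} path {path} leaked by AS{leaker}, seen at {collector}")
    return findings


if __name__ == "__main__":
    for finding in audit(VIEWS):
        print(finding)
```

In the constructed data, collector-D sees the prefix originated by AS64666 while the other three see AS64500, which is reported as a MOAS conflict, and collector-C's path shows the customer AS64600 re-exporting a route learned from one provider to its other provider, which is reported as a leak at AS64600.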

Collaborative detection

Collaborative detection initiatives play a vital role in BGP security. Organizations can participate in platforms like the Internet Routing Registry (IRR), the Routing Information Service (RIS), and the Mutually Agreed Norms for Routing Security (MANRS) initiative.

The IRR is a database of BGP routing information. The RIS is a service that provides real-time information about BGP routing updates. The MANRS initiative outlines a set of best practices for improving BGP security.

By participating in these platforms, and actively sharing data and insights, organizations can benefit from a collective intelligence approach against BGP hijacks. Through collaboration, organizations can leverage the experiences and expertise of others to improve the overall awareness and responsiveness to BGP hijacking incidents.

Best practices to protect against BGP hijacks

Enhancing the overall security of your network infrastructure and reducing your attack surface can significantly mitigate the threat of BGP hijacks. Let’s explore some key measures that you can take.

Implement Resource Public Key Infrastructure (RPKI)

Resource Public Key Infrastructure, or RPKI, is a cryptographic framework that’s used to verify the authenticity of BGP routing announcements. RPKI uses digital signatures to create Route Origin Authorizations (ROAs).

ROAs are digitally signed objects that bind IP address prefixes to specific Autonomous Systems. Routers rely on authorized ROAs to verify that BGP route announcements are coming from an authorized source. This ensures that only legitimate routes are accepted, preventing the propagation of unauthorized or invalid routes.

Here are the steps to implement RPKI:

  • Check if your routers support RPKI. If they do, you’ll have to enable the RPKI validator and configure it properly. If they don’t, you’ll have to get routers that support RPKI.
  • Register your IP address blocks with the appropriate Regional Internet Registry (RIR). This is required to generate ROAs for your IP address blocks.
  • Obtain the RPKI trust anchors from the RIR. These trust anchors will be used to verify the authenticity of ROAs.
  • Create the ROAs for your IP address blocks, and submit them to the RIR.
  • Configure your BGP routers to start using ROAs. The specific steps may differ depending on your router vendor and model.

Implement BGP Security (BGPsec)

BGPsec, as the name indicates, is a security extension for BGP. It provides secure origin validation and path validation for BGP updates. BGPsec adds cryptographic signatures to BGP messages, ensuring that only legitimate routing information is accepted by routers and other network entities.

Follow these steps to implement BGPsec for your network:

  • Check if your routers support BGPsec. Not all routers offer built-in BGPsec support, so if yours don’t, you will have to get new routers.
  • Generate and distribute BGPsec certificates to all routers. These certificates will be used to sign BGPsec messages.
  • Configure your routers to sign outgoing messages and verify the signatures of incoming messages.
  • Regularly monitor BGP logs to detect any anomalous behavior and prevent BGP hijacks.

Secure authentication and session establishment

Strong authentication and secure session management are crucial to prevent unauthorized access to BGP routers and other network entities. Administrators should enforce strict policies to safeguard the login process, such as avoiding password reuse and enabling multi-factor authentication (MFA) for added protection.

Additionally, cryptographic algorithms, like MD5 or SHA-256, can be used to verify the identity of BGP peers. For instance, you can use MD5 authentication to validate the connection between two peers before allowing them to form a TCP session.

If you are using authentication keys, it’s recommended to regularly update them to mitigate the risk of compromised credentials. To further enhance security, you can use IPsec or Transport Layer Security (TLS) to secure BGP sessions, ensuring confidentiality and integrity of communication.
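The MD5 peer authentication mentioned above is the TCP MD5 signature option from RFC 2385: every segment of the BGP session carries a digest over the IP pseudo-header, the fixed TCP header, the payload and the shared key, and the receiver drops any segment whose digest does not match. The following added example (not code from the article or any router vendor) reproduces that computation so the coverage of the digest is visible; the peer addresses, ports and key are constructed sample values.

```python
"""Verify the TCP MD5 signature option (RFC 2385) that protects a BGP session.

Added example, not from the article: shows what the digest covers and why a
tampered segment or a wrong key is rejected. IPs, ports and the key are
constructed sample values.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_MD5 = 19          # option kind assigned by RFC 2385
TCPOPT_MD5_LEN = 18      # kind(1) + length(1) + 16-byte digest

# A BGP KEEPALIVE: 16-byte marker of 0xFF, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key):
    """RFC 2385 digest, in order: IPv4 pseudo-header, the 20-byte TCP header
    with checksum zeroed (options excluded), the segment data, the key."""
    if len(fixed_header) != 20:
        raise ValueError("fixed TCP header must be exactly 20 bytes")
    segment_len = len(fixed_header) + len(options) + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_zero_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    md5 = hashlib.md5()
    for part in (pseudo, header_zero_csum, payload, key):
        md5.update(part)
    return md5.digest()


def build_fixed_header(src_port, dst_port, seq, ack, flags, window, option_len):
    """Fixed TCP header; the data offset counts options, so their length is needed."""
    data_offset = (20 + option_len) // 4
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)


def sign_options(src_ip, dst_ip, fixed_header, payload, key):
    """Build the 20-byte option block: MD5 option followed by two NOPs of padding."""
    padding = b"\x01\x01"
    placeholder = bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + b"\x00" * 16 + padding
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_header, placeholder, payload, key)
    return bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest + padding


def extract_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None                     # truncated option
        length = options[i + 1]
        if length < 2:
            return None                     # malformed length
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return options[i + 2:i + TCPOPT_MD5_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, fixed_header, options, payload, key):
    """True only when a digest is present and matches the recomputed value."""
    received = extract_md5_option(options)
    if received is None or len(received) != 16:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Sign a KEEPALIVE and check the good, wrong-key and tampered cases."""
    src, dst = "192.0.2.1", "192.0.2.2"          # constructed peer addresses
    key = b"constructed-demo-key"
    header = build_fixed_header(179, 49152, 1000, 2000, 0x18, 65535, option_len=20)
    options = sign_options(src, dst, header, BGP_KEEPALIVE, key)
    good = verify_segment(src, dst, header, options, BGP_KEEPALIVE, key)
    wrong_key = verify_segment(src, dst, header, options, BGP_KEEPALIVE, b"other-key")
    tampered = bytearray(BGP_KEEPALIVE)
    tampered[18] = 1                              # flip message type KEEPALIVE -> OPEN
    modified = verify_segment(src, dst, header, options, bytes(tampered), key)
    return good, wrong_key, modified


if __name__ == "__main__":
    print(demo())
```

Two details matter for operators: the digest covers the addresses, ports, sequence numbers and payload, so a segment injected from elsewhere or altered in flight fails verification, but the key itself is a shared secret with no rotation mechanism in the protocol, which is why the article's advice to rotate keys regularly (or move to TCP-AO where supported) applies.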

Prefix filtering and route validation

Prefix filtering and route validation mechanisms can be used to identify and block suspicious or unauthorized route advertisements. Network operators can define strict filtering policies based on various criteria, such as the prefix length, originating AS, or ROA validation status.

These prefix filters act as a safeguard, allowing BGP routers to only accept and advertise legitimate routes. By filtering out potentially malicious or unauthorized routes, the risk of unintended or malicious route propagation is significantly reduced.

For example, suppose you want to block route announcements originating from the AS “12345” in your BGP environment. To achieve this, you can add a filter to your routers that denies routes from “12345”. This will ensure that any routes originating from this AS will not be allowed to propagate across your network.

Moreover, regularly validating received routes against authorized ROAs adds an extra layer of protection. By ensuring the validity of received routes, network operators can ensure that any unauthorized routes are dropped before they cause any harm.
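The ROA-based origin validation from the RPKI section and the filtering policy described in this section fit together: the validator classifies each announcement as valid, invalid or not-found under RFC 6811, and the import filter combines that state with prefix-length, bogon and origin-AS rules. The following added example (not code from the article or from any router vendor) implements both; the ROAs, the policy values and the test announcements are constructed, and AS 12345 is the denied origin from the article's own example.

```python
"""RPKI route origin validation (RFC 6811) feeding a prefix-filter policy.

Added example, not code from the article or any vendor. The ROAs, routes and
policy values are constructed; a production validator fetches ROAs from the
RIR trust anchors and pushes validated prefixes to routers.
"""
from ipaddress import ip_network

# Constructed ROAs: (prefix, maxLength, origin AS). AS 0 means the prefix
# must not be originated by anyone.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("192.0.2.0/24", 24, 0),
]

# Constructed filter policy; AS 12345 is the article's example of a denied origin.
POLICY = {
    "prefix_len": {4: (8, 24), 6: (16, 48)},   # accepted length range per IP version
    "denied_origins": {12345},
    "reject_rov_invalid": True,
}

# Address space that must never appear in the global table (IPv4 subset).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 outcome for one announcement.

    'valid'     a covering ROA names this origin and allows this length
    'invalid'   covering ROAs exist but none matches (wrong AS, too long, AS0)
    'not-found' no ROA covers the prefix at all"""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as != 0 and origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_route(prefix, as_path, policy=POLICY, roas=ROAS):
    """Return (accepted, reason); the first failing rule decides."""
    net = ip_network(prefix)
    origin = as_path[-1]
    if any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
        return False, "bogon prefix"
    low, high = policy["prefix_len"][net.version]
    if not low <= net.prefixlen <= high:
        return False, f"prefix length /{net.prefixlen} outside /{low}-/{high}"
    if origin in policy["denied_origins"]:
        return False, f"origin AS{origin} is denied"
    state = rov_state(prefix, origin, roas)
    if state == "invalid" and policy["reject_rov_invalid"]:
        return False, "RPKI invalid"
    return True, f"accepted (RPKI {state})"


if __name__ == "__main__":
    # Constructed announcements to run through the filter.
    for prefix, path in [
        ("203.0.113.0/24", [64510, 64500]),
        ("203.0.113.0/25", [64510, 64500]),
        ("198.51.100.0/24", [64510, 64666]),
        ("203.0.113.0/24", [64510, 12345]),
        ("10.0.0.0/8", [64510, 64500]),
        ("2001:db8::/32", [64510, 64500]),
    ]:
        print(prefix, path, filter_route(prefix, path))
```

Note the maxLength handling: a /25 under a ROA whose maxLength is 24 is invalid even when the origin AS is right, which is exactly the case that stops a more-specific hijack, and a not-found prefix is still accepted because most operators only reject invalid routes until ROA coverage is complete.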

Implement BGP route refresh

BGP route refresh is a feature that allows BGP routers to update their routing tables without having to close and reestablish BGP sessions. Route refresh enables operators to enhance network stability, reduce the impact of misconfigurations, and ensure the integrity of the BGP routing infrastructure.

With BGP route refresh, operators can quickly refresh the routing information between BGP peers, ensuring smooth operations without downtime. They can also quickly correct misconfigured routes, significantly reducing the risk of routing leaks and maintaining a secure BGP environment.

Conclusion

BGP is a critical protocol for the internet, but it is also vulnerable to several attacks. BGP hijacks pose serious threats to network infrastructure, potentially causing traffic redirection, service disruptions, data interception, denial-of-service attacks, and even national security risks.

To detect and mitigate BGP hijacks, organizations should use proactive measures, like route monitoring, anomaly detection, BGP path analysis, and collaborative detection initiatives. They should also follow the best practices outlined above, such as using strong passwords, disabling unnecessary features, and configuring a robust firewall.

Implementing RPKI and BGPsec, setting up prefix filtering, and using strong authentication can enhance the overall security of a BGP infrastructure. BGP may be inherently insecure, but with the right security controls and policies, you can significantly decrease your network’s attack surface.

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 "Learn" portal. Get paid for your writing.