Recent news of BGP hijacks shows attackers are increasingly using this attack method. In WatchGuard’s 2019 security predictions, we predicted that a BGP exploit could take down substantial portions of the internet this year. But how could this happen? If you are unfamiliar with BGP it might make it hard to understand how someone could accidentally send traffic to one location that was meant for another. Does the traffic not know where to go? We don’t send mail to China when the address has Brazil on it. But going further in this example, if our mail sent to Brazil makes a stop in Panama and Panama sends it to China then someone hijacked the mail like a BGP hijack. Someone in the middle, sending traffic (mail) to the wrong place either on purpose or by mistake. Let’s get more background on how a BGP hijack works.
To understand how someone can steal IP addresses you must first understand routing. For those that might not already know, IP routing defines the route traffic takes on the internet. Routers (network hardware) along the internet backbone have route tables that control these traffic routes. You can configure route tables manually with static routes or automatically with dynamic routes using protocols like Border Gateway Protocol (BGP), Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). With over 750,000 BGP prefixes, network administrators can find it difficult to manually input routes into their routing table. As you can imagine with the internet, it would be impossible to manually control all of the necessary routes. Dynamic routing comes to the rescue for this task in the form of BGP.
I’ll try not to bore you with the details on how BGP works but we should understand some basic principles of the protocol. BGP is the primary routing protocol for the internet backbone. Using BGP, ISPs and large organizations advertise network prefixes (think, subnets) that they control or own. But not all advertised prefixes are added to the routing table. Any number of prefixes under the control of an organization or ISP is called an Autonomous System (AS for short) which maps to an Autonomous System Number (ASN). Google’s ASN for example is AS15169. Regional Internet Assigned Numbers Authorities (IANA) are in charge of assigning ASNs and network prefixes to organizations.
Routers that participate in the internet backbone use BGP’s path selection algorithms to automatically decide which route traffic they receive should take to reach any given prefix, which may include traversing other autonomous systems. Let’s say I own an ISP. For my ISP to advertise a prefix of my own network, I must first must learn about the route either from any other dynamic routing protocol or even from a static route. My ISP then adds this route to its prefix list. I then advertise the prefix list to all my BGP peers using my ASN. Because most organizations don’t share a direct connection with each other, they pass along their prefix advertisements to each other. Each Autonomous System router ends up with a list of other ASNs and prefixes that it advertises to other Autonomous Systems. This way traffic gets from ISP “A” can get to ISP “B” even if they don’t have a direct connection.
Now let’s say I created a dishonest ISP. I decide that I will advertise Googles prefixes even though I don’t have a good route to it. I also manipulate the advertisement, containing the prefix list, to say that I have the best route to Google. If other ISPs accept my advertisement, then they will route Googles traffic to me. It is that simple. Maybe not the BGP part but the false advisement of Googles prefixes.
Network admins can mitigate this. Using prefix access control lists will prevent a rouge Autonomous System using you to advertise bad prefixes. These prefix access control lists don’t need to cover all 750,000 routes. A simple access control lists would prevent obvious bad routes from happening. Like sending traffic to over the Pacific Ocean for access to a server in New York (I am in Seattle Washington.) The BGP protocol itself can’t resolve Autonomous System spoofing but most implementations have TCP authentication implemented with BGP. You can also use Prefix Origin Validation with Resource Public Key Infrastructure (RPKI) to validate advertisements that you receive. This way we can ensure traffic comes from the correct ASN.
A few years ago, while learning about BGP I had a discussion on how ISPs must implement BGP better. We thought there was no way ISPs could simply go on as they have without BGP authentication and prefix access control lists. While some ISPs have added this, many have not. All documentation on BGP best practices have authentication and prefix access control lists as a must with any implementation of BGP. So why do some ISPs still not fallow this? Hopefully with enough push from us and their customers they will secure there BGP prefix tables and keep the internet or at least large portions of it from going down this year.
Leave a Reply