Yet another incident has shone a spotlight on the insecurity of Border Gateway Protocol (BGP) internet routing. On Dec. 12, a report surfaced regarding a suspicious BGP event that was misrouting sites. Analysts reviewing the data noted that it appeared targeted and may have been more than just a BGP leak.

BGP leaks and hijacks have been occurring since long before this year. In fact, data from BGPStream revealed that BGP incidents have remained steady over the last two years. However, with a string of incidents in 2017 making headlines, it’s worth discussing how this communication protocol works, outlining possible attack scenarios and reviewing its potential security shortcomings and improvements.

How Does BGP Internet Routing Work?

BGP, as defined in RFC 1163 and RFC 1267, is the internet protocol that allows independently operated networks, also called autonomous systems (AS), to inform each other about their reachability. Each time a BGP router advertises its reachability, also called IP prefix, to its neighbor, the newly received information is compared against the router’s stored knowledge. If this new advertisement provides a better path to reach a certain network, the information is updated locally and all immediate neighbors are informed. This way, in simple terms, networks worldwide can reach each other, forming the complex topology of the global internet.

Figure 1: Core AS-level 2017 internet by five Regional Internet Registries (RIRs) regions (Source: CAIDA)

New autonomous systems can emerge or disappear every day. Because its design is based on trust among systems, the BGP advertisement messages are generally accepted by any other router with means to verify neither its origin nor its integrity — and the announcements are often unencrypted.

What Could Possibly Go Wrong?

Below are three ways in which attackers can potentially abuse BGP.

  • BGP route manipulation: A malicious device alters the content of the BGP table, preventing traffic from reaching the intended destination.
  • BGP route hijacking: A rogue device maliciously announces a victim’s prefixes to reroute traffic to or through itself, which otherwise would not happen. Rerouting traffic can cause instability in some networks with a sudden load increase. This allows attackers to access potentially unencrypted traffic to which they would otherwise not have access or use hijacked BGP to launch spam campaigns, bypassing IP blacklist mitigation.
  • BGP denial-of-service (DoS): A malicious device sends unexpected or undesirable BGP traffic to a victim, exhausting all resources and rendering the target system incapable of processing valid BGP traffic.

While some BGP incidents are intentional, others, such as BGP route leaks, may be caused by inadvertent misconfigurations within the operations of these large networks. Regardless of intent, they can render the internet vulnerable and unstable.

Figure 2: Largest outage events with geographic distribution, July 19 to Dec. 14, 2017 (Source: BGPStream)

How Real Is the BGP Threat Landscape?

By looking at isolated events and data from institutions that analyze BGP data, IBM Security can make broad assessments about the BGP threat landscape. Are these attacks changing in terms of frequency, length or impact to the stability of the internet?

BGP hijacking and leak incidents have been a recurring threat for over a decade now. One high-profile incident dates back to 2008, when a BGP hijack caused a global YouTube outage. However, in 2017 alone, several notable events cast a spotlight on BGP vulnerabilities:

  • In November, a router misconfiguration at internet backbone provider Level 3 resulted in a widespread, global BGP route leak.
  • In October, services such as Twitter and Google in Brazil were unreachable due to a BGP leak incident.
  • In August, Japan experienced a countrywide internet outage due to leaked BGP advertisements.
  • In April, a possible BGP hijack led to concerns about rerouted financial network traffic.

According to data derived from BGPStream, there has been no notable fluctuation in either possible BGP hijacks (“possible” because not all hijacks are malicious) or leaks in the past five and a half months. The exception is the notable increase in BGP leaks in August, largely a result of the massive BGP route leak by Google noted above (see Figure 3).

Figure 3: Monthly BGP Hijack and BGP Leak data, June 2017 to Dec. 15, 2017 (Source: BGPStream)

Long-Term Trends

How does this compare to the longer term? A third-party report used BGPStream data to highlight the frequency of BGP leaks and possible BGP hijacks between November 2015 and May 2017. By comparing this data with data from the past six months, we can identify the following trends.

Possible BGP Hijacks

For the first half of 2016, possible BGP hijacks fluctuated between approximately 150 and 200 incidents per month. During the second half of 2016, however, the frequency increased slightly to around 230 incidents per month. For 2017, approximately 200 incidents occurred between January and November. This data, therefore, does not reflect an increase in BGP hijacks over the last two years.

BGP Leaks

In 2016, the monthly average of BGP leaks was around 184. Aside from the stark increase of leaks in August 2017 (as shown in Figure 3), the volume has remained relatively static throughout 2017. Removing the August anomaly, the monthly average is 226 leaks. While this denotes an increase year over year, it is not a significant boost.

BGP Threat Mitigation: What Can Be Done?

BGP incidents put the internet’s stability at risk. For many internet providers, routing security only becomes a priority in the aftermath of an incident. However, long-term protection against BGP abuse requires organizations to implement security measures.

Fortunately, there is a silver lining. Given the dimension of the problem to be tackled, standardization bodies such as the Internet Engineering Task Force (IETF) and agencies such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) are teaming up to provide a better set of security standards for BGP. Through this effort, the agencies have made available the Secure Inter-Domain Routing (SIDR) framework with a focus on the following three components: Resource Public Key Infrastructure (RPKI), BGP Origin Validation and BGP Path Validation (BGPSec).

This initiative is supplemented by enormous efforts to make BGP data available. Entities such as router equipment vendors, internet content and access providers, and transit networks are encouraged to share data to help solve this problem.

Organizations seeking to protect their networks from BGP internet routing attacks can leverage BGPSec, an extension of BGP that provides additional security. When used in conjunction with origin validation, it may prevent a variety of route hijacking attacks. The downside is that BGPSec can potentially result in more complexity in routing updates and may require more hardware to compute signatures — possibly a large infrastructural change with many unknowns for some operators. Security firm Team Cymru also developed a list of BGP templates to help organizations secure BGP on their routers.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Network

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…

Beyond Shadow IT: Expert Advice on How to Secure the Next Great Threat Surface

You've heard all about shadow IT, but there’s another shadow lurking on your systems: Internet of Things (IoT) devices. These smart devices are the IoT in shadow IoT, and they could be maliciously or unintentionally exposing information. Threat actors can use that to access your systems and sensitive data, and wreak havoc upon your company. A refresher on shadow IT: shadow IT comes from all of the applications and devices your employees use without your knowledge or permission to get…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT asset owners and operators, all of whom understand the need to keep critical infrastructures running safely, need to be aware…

How to Compromise a Modern-Day Network

An insidious issue has been slowly growing under the noses of IT admins and security professionals for the past twenty years. As companies evolved to meet the technological demands of the early 2000s, they became increasingly dependent on vulnerable technology deployed within their internal network stack. While security evolved to patch known vulnerabilities, many companies have been unable to implement released patches due to a dependence on legacy technology. In just 2022 alone, X-Force Red found that 90% of all…