Yet another incident has shone a spotlight on the insecurity of Border Gateway Protocol (BGP) internet routing. On Dec. 12, a report surfaced regarding a suspicious BGP event that was misrouting sites. Analysts reviewing the data noted that it appeared targeted and may have been more than just a BGP leak.
BGP leaks and hijacks have been occurring since long before this year. In fact, data from BGPStream revealed that BGP incidents have remained steady over the last two years. However, with a string of incidents in 2017 making headlines, it’s worth discussing how this communication protocol works, outlining possible attack scenarios and reviewing its potential security shortcomings and improvements.
How Does BGP Internet Routing Work?
BGP, as defined in RFC 1163 and RFC 1267, is the internet protocol that allows independently operated networks, also called autonomous systems (AS), to inform each other about their reachability. Each time a BGP router advertises its reachability, also called IP prefix, to its neighbor, the newly received information is compared against the router’s stored knowledge. If this new advertisement provides a better path to reach a certain network, the information is updated locally and all immediate neighbors are informed. This way, in simple terms, networks worldwide can reach each other, forming the complex topology of the global internet.
Figure 1: Core AS-level 2017 internet by five Regional Internet Registries (RIRs) regions (Source: CAIDA)
New autonomous systems can emerge or disappear every day. Because its design is based on trust among systems, the BGP advertisement messages are generally accepted by any other router with means to verify neither its origin nor its integrity — and the announcements are often unencrypted.
What Could Possibly Go Wrong?
Below are three ways in which attackers can potentially abuse BGP.
- BGP route manipulation: A malicious device alters the content of the BGP table, preventing traffic from reaching the intended destination.
- BGP route hijacking: A rogue device maliciously announces a victim’s prefixes to reroute traffic to or through itself, which otherwise would not happen. Rerouting traffic can cause instability in some networks with a sudden load increase. This allows attackers to access potentially unencrypted traffic to which they would otherwise not have access or use hijacked BGP to launch spam campaigns, bypassing IP blacklist mitigation.
- BGP denial-of-service (DoS): A malicious device sends unexpected or undesirable BGP traffic to a victim, exhausting all resources and rendering the target system incapable of processing valid BGP traffic.
While some BGP incidents are intentional, others, such as BGP route leaks, may be caused by inadvertent misconfigurations within the operations of these large networks. Regardless of intent, they can render the internet vulnerable and unstable.
Figure 2: Largest outage events with geographic distribution, July 19 to Dec. 14, 2017 (Source: BGPStream)
How Real Is the BGP Threat Landscape?
By looking at isolated events and data from institutions that analyze BGP data, IBM Security can make broad assessments about the BGP threat landscape. Are these attacks changing in terms of frequency, length or impact to the stability of the internet?
BGP hijacking and leak incidents have been a recurring threat for over a decade now. One high-profile incident dates back to 2008, when a BGP hijack caused a global YouTube outage. However, in 2017 alone, several notable events cast a spotlight on BGP vulnerabilities:
- In November, a router misconfiguration at internet backbone provider Level 3 resulted in a widespread, global BGP route leak.
- In October, services such as Twitter and Google in Brazil were unreachable due to a BGP leak incident.
- In August, Japan experienced a countrywide internet outage due to leaked BGP advertisements.
- In April, a possible BGP hijack led to concerns about rerouted financial network traffic.
According to data derived from BGPStream, there has been no notable fluctuation in either possible BGP hijacks (“possible” because not all hijacks are malicious) or leaks in the past five and a half months. The exception is the notable increase in BGP leaks in August, largely a result of the massive BGP route leak by Google noted above (see Figure 3).
Figure 3: Monthly BGP Hijack and BGP Leak data, June 2017 to Dec. 15, 2017 (Source: BGPStream)
How does this compare to the longer term? A third-party report used BGPStream data to highlight the frequency of BGP leaks and possible BGP hijacks between November 2015 and May 2017. By comparing this data with data from the past six months, we can identify the following trends.
Possible BGP Hijacks
For the first half of 2016, possible BGP hijacks fluctuated between approximately 150 and 200 incidents per month. During the second half of 2016, however, the frequency increased slightly to around 230 incidents per month. For 2017, approximately 200 incidents occurred between January and November. This data, therefore, does not reflect an increase in BGP hijacks over the last two years.
In 2016, the monthly average of BGP leaks was around 184. Aside from the stark increase of leaks in August 2017 (as shown in Figure 3), the volume has remained relatively static throughout 2017. Removing the August anomaly, the monthly average is 226 leaks. While this denotes an increase year over year, it is not a significant boost.
BGP Threat Mitigation: What Can Be Done?
BGP incidents put the internet’s stability at risk. For many internet providers, routing security only becomes a priority in the aftermath of an incident. However, long-term protection against BGP abuse requires organizations to implement security measures.
Fortunately, there is a silver lining. Given the dimension of the problem to be tackled, standardization bodies such as the Internet Engineering Task Force (IETF) and agencies such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) are teaming up to provide a better set of security standards for BGP. Through this effort, the agencies have made available the Secure Inter-Domain Routing (SIDR) framework with a focus on the following three components: Resource Public Key Infrastructure (RPKI), BGP Origin Validation and BGP Path Validation (BGPSec).
This initiative is supplemented by enormous efforts to make BGP data available. Entities such as router equipment vendors, internet content and access providers, and transit networks are encouraged to share data to help solve this problem.
Organizations seeking to protect their networks from BGP internet routing attacks can leverage BGPSec, an extension of BGP that provides additional security. When used in conjunction with origin validation, it may prevent a variety of route hijacking attacks. The downside is that BGPSec can potentially result in more complexity in routing updates and may require more hardware to compute signatures — possibly a large infrastructural change with many unknowns for some operators. Security firm Team Cymru also developed a list of BGP templates to help organizations secure BGP on their routers.