BGP stands for Border Gateway Protocol which is a routing protocol. BGP is used to transfer data and information between different host gateways, the Internet or autonomous systems. An autonomous system (AS) is an extensive network or group of networks managed by a single organization.
It is a Path Vector Protocol (PVP) that maintains paths to different hosts, network and gateway routers and determines the routing decision based on that. Simply put, it provides directions so that the traffic travels from one IP address to another as efficiently as possible.
How BGP works
When a user types in a website name and the browser finds and loads it, the requests and response go back and forth between the IPs of the user and the website. The DNS (Domain Name System) servers provide the Ip addresses, but BGP (Border Gateway Protocol) offers the most efficient way for the IP address to reach the concerned IP address.
This means DNS is the Internet’s address book and BGP is the road map. BGP always favors the shortest and the most direct path from autonomous systems to an autonomous system to reach IP addresses through the fewest possible hops across the networks.
Importance of BGP
Understanding BGP hijacks is very important since if it is misconfigured, it can cause massive availability and security problems. Google discovered so in 2008 when YouTube service became unreachable to large portions of the Internet.
It happened so to ban YouTube in its home country, Pakistan Telecom used BGP to route YouTube’s address book into a black hole.
This routing information somehow got transmitted to Pakistan Telecom’s Hong Kong ISP and from there got propagated to the rest of the world. As a result, most of YouTube’s traffic ended up in a black hole in Pakistan.
How does BGP hijacking work?
When an autonomous system(AS) announces a route to IP BGP prefix that it does not control itself, this announcement if not filtered can spread and be added to the routing tables in BGP routers across the Internet. From that moment until being noticed and corrected, the traffic to those IPs will be routed to that AS.
For a BGP hijack to be successful, the route announcement must either:
- Offer a more direct route by announcing a smaller range of IPs than the other AS’s had previously announced.
- Offer a shorter route to individual blocks of the IPs. Just no one can announce the broader internet. For the hijack to occur, the notification must be made by the operator of an AS or by a threat actor who has compromised an AS.
Once BGP is hijacked, the web traffic can go the wrong way, be monitored or intercepted, be black-holed (Like that of YouTube in 2003), or be re-directed to fake websites.
In some cases, spammers can use BGP hijacking to spoof legitimate IP’s for spamming purposes. As a result of hijacking, the user will face longer page load times since the requests and responses will not follow the most efficient and shortest route, and it may even travel around the world unnecessarily.
How to defend from BGP hijacking
The problem is that BGP was created long before security was a significant concern. BGP assumes that all the networks are trustworthy and since there are no built-in security mechanisms to validate the legitimacy of the routes; you cannot do much.
Moreover, the networks are scattered across the globe, which makes the chain of trust challenging to trace, and even you try to validate information, there is a lack of reliable data.
Therefore, aside from constant monitoring of how internet traffic is routed, users and networks can I do very little. Some of those steps are:
- IP Prefix Filtering – Networks should only accept IP prefix declarations if necessary and should also only declare their IP prefix to specific networks rather than the entire. By doing so, it will help prevent accidental route hijacking and can also, keep the AS from accepting false IP prefix declarations. But this can be very difficult to enforce in reality.
- BGP Hijacking Detection – When users/networks face increased latency, degraded network performance, and misdirected internet traffic, these are possible signs of BGP hijacking. Larger networks usually monitor their BGP hijacking updates to ensure that their clients do not face these issues. There are a few security researchers that monitor Web traffic and publish their findings. That information can also be used to help networks make their monitoring better.
Making BGP More Secure
BGP routing security was designed to make the internet function smoothly. But, it was not created keeping security in mind. But now that security is an upcoming concern, more secure routing solutions for Internet Privacy are being developed.
One of them is BGPsec which ensures that the router also includes the AS number that it’s sending the update to which then generates a cryptographic signature over the information that is added to the AS path. But, at this moment, BGPsec is still an upcoming solution which is far from being implemented or adopted for now.
Learn more about Cyber Security