The quest to make routing more secure Protecting against BGP hijack attacks

Image: Cloudflare

When you visit a webpage, send out an e-mail or watch a funny cat video, how does that particular piece of data find its way from one end of the Internet to the other? You may be aware that the Internet is a collection of many smaller networks, connected to each other using routers. When a router recieves a packet of information, it will check the destination address and then forward it to the next router along the way. That router repeats the process, and so on, until the final destination is reached. So, how do routers know in what direction they should be forwarding these packets? The answer is that they use routing protocols to share information with one another. Suppose that router A knows of a way to reach a certain destination. It will communicate this route to other routers. On receiving this information, router B may answer: sure, you may know of a way to reach that destination, but I know this shorter route!

The Border Gateway Protocol

To connect various different networks together, we really all need to speak the same language. The routing protocol that thus forms the backbone of the Intenet is BGP, the Border Gateway Protocol. Like many of the fundamental protocols that make the Internet work, it was not designed with much focus on security. Routers will simply accept the updates they receive from other routers, without validating the authenticity. And this is, in fact, a big problem!

BGP hijack attacks

Even if I have no particular way to reach certain destinations, I could just tell other routers that I do and, while I’m at it, promise them very short routes as well. Routers will then start forwarding their traffic to me. Performing such a BGP hijacking attack would allow me to intercept traffic, listen in on conversations or even modify the messages that are now passing through my network. In fact, in the last few years we have seen many instances where large parts of Internet traffic were rerouted in suspicious ways. Sometimes this can be caused by a simple configuration error at an ISP, but sometimes the intent would appear to be malicious, such as when China Telecom rerouted large parts of European mobile traffic through China (and not for the first time either).

Protecting BGP

Fortunately, there is a solution: Resource Public Key Infrastructure (RPKI) uses cryptography to add digital signatures to route announcements, allowing their origin to be verified. However, as is often the case when new additions to Internet protocols are needed to solve existing issues, the biggest challenge isn’t just to come up with a technical solution, but in getting everyone to actually implement it. Not nearly enough people and networks are using RPKI. This may be about to change though: the MANRS initiative, after previously focusing on Internet Service Providers, has started a new taskforce to help Content Delivery Networks, Cloud Providers and Internet Exchanges improve their BGP security. Big players like Akamai, Amazon, Cloudflare, Facebook, Google and Microsoft are putting their weight behind this.

So finally, while these big names are at work making our Internet more secure, is there anything you can do yourself? In fact there is: you can take this simple test at IsBGPSafeYet.com to find out if your own Internet Service Provider offers a secure BGP implementation. Let us know if they do in the comments below!

Leave a Comment

Your email address will not be published.