Earlier this month, Thousand Eyes reported an incident in which global internet traffic was hijacked by way of a Nigerian ISP and redirected through Russian and Chinese networks. The activity began around 1300 PST on November 12th, 2018 and redirected all traffic related to Google’s G Suite, Google Search, and Google Analytics for approximately one hour.
This type of incident is known as ‘Border Gateway Protocol (BGP) Hijacking’ and is a targeted attack against the interconnection(s) between different Internet routing entities, which are typically referred to by their Autonomous System Numbers (ASNs). In normal operation, BGP peering agreements and exchanges determine which IP address ranges each ASN advertises and accepts, and this is what makes the effective and efficient routing of traffic between the ASNs of different Internet Service Providers (ISPs) possible. When BGP hijacking occurs, however, the normal flow of client traffic crossing ASN boundaries is disrupted, often dropped, and can be deliberately redirected along alternative paths.
Let’s examine, for a moment, the recent event that impacted Google traffic; the figure below depicts how a BGP peering agreement (in this case essentially a redundancy measure) between an American and a Nigerian ISP was manipulated to curiously redirect Google traffic through Chinese and Russian networks.
Why is this concerning?
Large-scale incidents of BGP hijacking are especially concerning because ‘redirected’ traffic can be easily intercepted, stored, or subjected to any number of other undesired effects. The self-declared cause of the majority of these accidents is operator error, which typically involves two factors: 1) an inexperienced operator who lacks knowledge of BGP/Internet routing and 2) a failure in change control management that allows these misconfigurations to go through without appropriate supervision.
This is further compounded by the lack of any actual governance with regard to the sharing of IP addresses and preferred routes between Internet routing nodes (i.e., ASNs). Today BGP is largely a trust-based system, where restrictions and specific configuration settings are dictated by the ISPs behind each ASN. In fact, a quick look at BGPMON demonstrates just how delicate the trust model of BGP currently is with roughly 14,000 incidents in 2017 alone. These incidents are the sum of outages, route leaks, and hijacks.
‘Accidents’ have Consequences
BGP-related incidents and their subsequent traffic disruptions often carry significant real-world consequences, including Denial of Service (DoS) events and network traffic being carried through unintended jurisdictions, which brings compliance issues. A prime example of what can happen when large amounts of traffic are accidentally redirected can be seen in the 2015 DDoS effects of China’s Great Firewall, where flawed censorship technology unintentionally bounced large volumes of traffic to random websites and effectively DoS’d swathes of websites.
JASK SpecOps routinely tracks this type of BGP-related activity in the wild, and the graphic below represents DoS activity observed from AS22769 in early November (beginning Nov 4 at 11am EST and terminating Nov 5 at 9am EST). This type of activity is increasingly common and routinely leads to service-level interruptions in organizations of all sizes.
While rarer, deliberate BGP hijacking disrupts routing for more malicious purposes and redirects traffic to destinations of the attacker’s choosing. For example, a recent traffic hijack/disruption against the AWS DNS service caused all traffic destined for a cryptocurrency service to be redirected to a malicious site, effectively targeting every client that happened to use that service during the hijack. Motivations for such attacks often include at-scale collection efforts for the purposes of surveillance, espionage, information theft, etc.
Even if traffic is encrypted, potential correlations with other data sets (e.g., breach data, social engineering, etc.) and the ever-evolving field of cryptography (e.g., quantum computing) offer compelling incentives for storing collected traffic for use at a later date.
It should also be noted that BGP hijacking attacks require direct access to and manipulation of core ASN configurations (i.e., BGP filters). This level of access typically represents the work of nation-state actors, who possess the capabilities and motivation to sponsor such attacks. Countries with a history of surveillance and strict Internet controls, specifically when it comes to blocking content and filtering the traffic of internet users, are usually suspected to be behind these types of incidents.
Preventing BGP-related Incidents?
It is clear that both BGP hijacking and unintentional errors introduced into routing configurations can lead to traffic redirections that carry significant impacts for targeted and random victims alike. The more than 17,000 BGP-related events of 2017 led to both intentional and unintentional DoS events and also carried a significant risk of compromise for account holders of services such as MyEtherWallet and Google (and their traffic to those services), and potentially many others. The ongoing occurrence of these events raises the question of whether the legacy system of “trust” between internet routing nodes could benefit from the introduction and enforcement of stricter control policies (e.g., configuration management).
One possible solution could be the application of a ‘trust but verify’ approach: if significant route changes are going to be applied and these changes affect other jurisdictions, companies and services, the affected entities need to be notified in order to approve or reject the route changes. Such an approach is already being adopted by many of the more legitimate ISPs, but its application is completely voluntary and runs counter to the business interests of many ASNs. The Internet Society has also proposed a series of recommendations to prevent BGP hijacking, and there are a number of other sources, including specific ISPs, that have pushed recommendations to help solve this problem.
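The ‘trust but verify’ idea above, and the BGPMON-style monitoring mentioned earlier, both come down to checking each announcement against what an operator expects for its own address space. The following is an added example (not code from JASK or from the original post) that does that check over a constructed feed: it flags an unexpected origin ASN (a hijack), a more-specific announcement that would win longest-prefix matching, and a path that transits networks outside the operator’s known upstreams (the route-leak pattern seen in the Google incident). The prefixes, ASNs and policy tables are assumed documentation values, not real observations.

```python
"""Route-change verifier: flags BGP announcements that contradict the
origins and transit providers an operator expects for its own prefixes."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy, assumed for this example (documentation ranges/ASNs).
# Prefix the operator owns -> ASNs allowed to originate it (ROA-like).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {"203.0.113.0/24": {64500}}
# ASNs the operator's traffic is expected to transit (own AS + upstreams).
TRUSTED_TRANSIT: Set[int] = {64500, 64496, 64497}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = announcing peer, rightmost = origin


def classify(ann: Announcement) -> Tuple[str, str]:
    """Return (verdict, detail) for one announcement."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]  # prepending repeats the origin, so [-1] is safe
    for pfx, origins in EXPECTED_ORIGINS.items():
        owned = ipaddress.ip_network(pfx)
        if net.version != owned.version or not net.subnet_of(owned):
            continue  # this policy entry does not cover the announcement
        if origin not in origins:
            # Another AS claims to originate our space: the classic hijack.
            return "origin-hijack", f"AS{origin} originates {net}, expected {sorted(origins)}"
        if net.prefixlen > owned.prefixlen:
            # Right origin, but a more-specific wins longest-prefix match: review it.
            return "more-specific", f"{net} is more specific than owned {owned}"
        leaked = [a for a in ann.as_path if a not in TRUSTED_TRANSIT]
        if leaked:
            # Right origin and prefix, but the path runs through unexpected networks.
            return "unexpected-transit", f"path {ann.as_path} transits AS{leaked[0]}"
        return "ok", f"{net} via expected origin and transit"
    return "not-monitored", f"{net} not covered by policy"


def audit(announcements: List[Announcement]) -> List[Tuple[str, str]]:
    """Verdict per announcement, in feed order."""
    return [(a.prefix, classify(a)[0]) for a in announcements]


# Constructed sample feed (not real observations).
SAMPLE = [
    Announcement("203.0.113.0/24", (64496, 64500)),         # normal path
    Announcement("203.0.113.0/25", (64496, 64666)),         # foreign origin
    Announcement("203.0.113.0/24", (64496, 64666, 64500)),  # leaked via AS64666
    Announcement("198.51.100.0/24", (64496, 64499)),        # not our space
]

if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE):
        print(prefix, verdict)
```

In practice the feed would come from a route collector or BMP export rather than a constructed list, and the policy tables from the operator’s IRR/RPKI records.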
With trust in the Internet becoming increasingly fundamental to so many of our everyday activities and to both professional and personal interactions, it is time to address the weaknesses in our current BGP implementation for good.