
Introduction
Decades ago, the best way to figure out how to drive from point A to point B was to grab a road atlas or, with the advent of computers and the internet, map your route online and print it. Now, with smartphones and real-time updates, you can select from various route options: total travel time, tolls or no tolls, fuel efficiency, even HOV availability. And if an accident slows down traffic, you are automatically notified and given the option to reroute.
Unfortunately, the world’s busiest and, arguably, most important connectivity network – the Internet – has no such mapping capabilities. Instead, users rely on Border Gateway Protocol (BGP) to send traffic from point A to point B with shockingly few mechanisms in place to ensure a smooth trip.
In this blog, we’ll shed light on the flaws of BGP and the potential risks and disruption BGP attacks can cause to networks and organizations. We’ll also explore how BGP attacks work, including BGP DDoS attacks, while also offering guidance on how to detect and protect against this cyber threat.
Understanding Border Gateway Protocol (BGP)
Before we get into the mechanics of a Border Gateway Protocol (BGP) attack, it is important to understand what BGP is. BGP is the inter-domain routing protocol that decides which networks your packets traverse on the way to the recipient. It is not itself a transport protocol: BGP speakers exchange routing information over TCP sessions (port 179), so the protocol sits at the application layer, while the decisions it produces govern how Layer 3 traffic is forwarded. Each BGP router learns the available paths to a destination prefix, selects the best one according to its local policy, and installs that route so that packets toward any IP address inside the prefix follow it.
BGP routers store routing tables holding the best routes between the autonomous systems (AS) that make up the Internet. An AS is a network, or group of networks, under a single administrative control and routing policy, identified by an AS number (ASN) and run by one organization, usually an ISP or a large enterprise such as a university, technology company or government agency. Each AS must keep its view of the Internet current, so it exchanges reachability information (which prefixes it can reach, and through which ASes) with neighboring autonomous systems and updates its routing tables accordingly.
Importance of BGP in Global Network Connectivity
Were it not for BGP there would be no way to route traffic efficiently between IP addresses, as the Internet has no governing body that determines the most efficient routes for data to travel. Without BGP, it would likely take a great deal longer for messages to travel with some messages never reaching their intended destination.
However, as important as BGP is for efficient communication, it was never designed with security in mind. This leaves it open to attacks.
Basics of Border Gateway Protocol Attacks
Autonomous systems trust that the BGP routes they learn from neighboring autonomous systems are correct. When an AS gains, loses or changes a route, it tells its neighbors with a BGP UPDATE message (an announcement or a withdrawal), and those neighbors pass the change on to their own neighbors. Because acceptance is based on trust rather than verification, a single bogus announcement can propagate across many autonomous systems before anyone notices.
Types of Vulnerabilities Exploited in BGP Attacks
Two weaknesses of BGP account for most routing disruptions, whether they occur accidentally or with malicious intent:
- Route hijacking. A threat actor uses an AS they control, or have compromised, to announce prefixes they are not authorized to originate. The announcement may claim the victim's exact prefix, a more specific sub-prefix (which longest-prefix matching always prefers), or a shorter-looking AS path that routers judge to be a better choice. Neighbors accept it because nothing in BGP checks who is entitled to originate a prefix, and traffic for the affected addresses is drawn into the attacker's network, where it can be dropped, inspected or answered by an impostor site. The route stays "hijacked" until someone notices and filters or corrects the announcement.
- Route leaks. An AS propagates routes beyond the scope its routing policy intends (RFC 7908 classifies the variants). The classic case is a multi-homed customer that re-announces routes learned from one provider to its other provider; the second provider normally prefers routes from customers, so traffic for those prefixes is pulled through the leaking AS, which is often too small or badly placed to carry it. Leaks are typically configuration mistakes rather than attacks, but they can still cause widespread disruption.
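The following Python model, added here as an illustration and not code from the original post, shows why both weaknesses work. It reduces the BGP decision process to LOCAL_PREF and AS_PATH length, performs a longest-prefix-match lookup, and uses documentation-only AS numbers (64496 onward) and prefixes (203.0.113.0/24, 198.51.100.0/24) as constructed sample data: a more specific /25 from the wrong origin captures half of a victim's /24, and a leaked route arriving from a customer beats the direct route because customer routes carry a higher LOCAL_PREF.

```python
import ipaddress
from dataclasses import dataclass

# Documentation-only AS numbers (RFC 5398), constructed roles for this example.
VICTIM_AS, HIJACKER_AS, PEER_AS, CUSTOMER_AS = 64496, 64497, 64499, 64510


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # leftmost = neighbor we learned it from, rightmost = origin AS
    local_pref: int = 100   # higher wins; providers normally rank customer > peer > transit

    @property
    def origin_as(self):
        return self.as_path[-1]


def best_route(candidates):
    """BGP decision process reduced to the two steps that matter here:
    highest LOCAL_PREF first, then shortest AS_PATH."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def build_rib(announcements):
    """Group announcements by exact prefix and keep one best route per prefix."""
    by_prefix = {}
    for route in announcements:
        by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_route(routes) for prefix, routes in by_prefix.items()}


def lookup(rib, ip):
    """Forwarding lookup: the longest matching prefix wins, whoever announced it."""
    addr = ipaddress.IPv4Address(ip)
    covering = [prefix for prefix in rib if addr in prefix]
    return rib[max(covering, key=lambda p: p.prefixlen)] if covering else None


def more_specific_hijack():
    """The victim announces a /24; the hijacker announces half of it as a /25.
    Nothing in BGP asks whether AS 64497 may originate that space."""
    legit = Route(ipaddress.IPv4Network("203.0.113.0/24"), (PEER_AS, VICTIM_AS))
    bogus = Route(ipaddress.IPv4Network("203.0.113.128/25"), (PEER_AS, HIJACKER_AS))
    rib = build_rib([legit, bogus])
    return {ip: lookup(rib, ip).origin_as for ip in ("203.0.113.10", "203.0.113.200")}


def route_leak():
    """Seen from a provider: the same prefix arrives directly from a peer and,
    leaked, from a customer that re-exported its other provider's routes.
    Customer routes carry a higher LOCAL_PREF, so the longer, leaked path wins."""
    direct = Route(ipaddress.IPv4Network("198.51.100.0/24"),
                   (PEER_AS, VICTIM_AS), local_pref=100)
    leaked = Route(ipaddress.IPv4Network("198.51.100.0/24"),
                   (CUSTOMER_AS, PEER_AS, VICTIM_AS), local_pref=200)
    rib = build_rib([direct, leaked])
    return lookup(rib, "198.51.100.7").as_path


if __name__ == "__main__":
    print("hijack:", more_specific_hijack())   # 203.0.113.200 now resolves to origin 64497
    print("leak:", route_leak())               # traffic goes via the customer AS 64510
```

The hijack case needs no trickery with path length at all: the /25 wins purely because it is more specific, which is why hijackers announce sub-prefixes and why defenders should announce their space as specifically as their policy allows. The leak case shows that a perfectly honest origin does not protect you: the customer's misconfiguration changes only the path, and the provider's own preference for customer routes does the rest.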
Common Types and Methods of BGP Attacks
Regardless of the vulnerability the attacker exploits to manipulate Internet routing, border gateway protocol attacks can take on various forms to accomplish a mission. One of the primary goals is to launch DDoS attacks. However, attackers also compromise BGP routers to conduct sniffing, route traffic to endpoints in malicious networks, create route instabilities, and for cyber espionage purposes. The impact can range from severe technical and business consequences for organizations to more minor network performance disruptions.
Distributed Denial of Service
In a BGP-based denial of service, an attacker blackholes portions of the Internet either by tearing down valid routes (for example with forged TCP packets aimed at an unprotected BGP session) or by injecting false ones, as in the well-publicized disruption to YouTube in 2008. Attempting to censor YouTube inside Pakistan, the state-owned Pakistan Telecom announced a more specific prefix for YouTube's address space. The announcement was accepted by its upstream provider and from there spread across the Internet, and because a more specific route always wins, traffic intended for YouTube worldwide flowed to the telco. Technically a route hijack, the incident had the effect of a DDoS: the flood overwhelmed the telco's links and disrupted service to its own customers, while YouTube remained unreachable for hours.
Sniffing
An attacker can insert themselves into the path of the victim's communication for purposes of sniffing. They use BGP to detour traffic through a network they control, where they intercept and examine the packets before forwarding them on. To keep the detour unnoticed, the attacker still needs a clean path back to the real destination, typically by shaping the announcement so that the ASes on that return path never accept the bogus route; the victim then sees only slightly higher latency, and anything not protected by end-to-end encryption is exposed.
Routing to Endpoints in Malicious Networks
To execute this type of attack, a threat actor starts by redirecting traffic away from a legitimate endpoint to an endpoint they control. From there they can conduct malicious activities including phishing, ransomware delivery and credential harvesting. They frequently change routes and keep each hijack short-lived, which makes it hard for anti-phishing tools, other defensive technologies and law enforcement to detect and stop the operation.
Creation of Route Instabilities
While unintentional routing instabilities are a problem across the Internet, an adversary can also create them deliberately. By repeatedly announcing and withdrawing a prefix (route flapping), an attacker forces routers across the Internet to recompute their best paths over and over, and can trigger route flap damping on other networks so that the victim's legitimate prefixes are suppressed for a time, producing outages well beyond the attacker's own network.
Revelation of Network Topologies
BGP routers hold routing information that is useful to an adversary: which prefixes an organization originates, which providers and peers it uses, and how its traffic enters and leaves. While a router's own configuration and session details should be restricted, much of the global routing table is publicly observable through looking glasses and route collectors, so a technically astute adversary can map a target's topology and upstream dependencies and use that picture to plan a hijack or a DDoS attack.
Detecting BGP Attacks
There are several best practices and technologies organizations can use to detect BGP attacks in order to mitigate risk and the impact of disruption:
- BGP monitoring, using public route collectors or a commercial service, to receive alerts when your prefixes appear with an unexpected origin AS or upstream, or when someone else announces a more specific of your space.
- BGP management techniques, including:
  - Create Route Origin Authorizations (ROAs) for your IP space in the Resource Public Key Infrastructure (RPKI), keeping maxLength as tight as possible, so that other networks can identify and filter BGP announcements with an incorrect origin.
  - Maintain accurate route objects in the Internet Routing Registry (IRR) for your IP space so that the IRR-based filters your peers and providers build let your legitimate announcements through and nothing else.
- Anti-spoofing protections, including:
  - Deploy RPKI Route Origin Validation (ROV) on border routers and reject BGP announcements that are RPKI-invalid, which prevents your egress traffic from being pulled toward an origin hijack.
  - Implement IRR-based or RPKI-based prefix filtering on every session to identify and reject announcements a neighbor is not authorized to send.
- Traffic analysis and anomaly detection to identify unusual volume, sources, destinations and packet types; a sudden shift in the paths or geographies your traffic takes is often the first symptom of a hijack.
- Network performance monitoring, which can detect latency increases, failed connections or timeouts that may be symptoms of BGP hijacking or DDoS activity.
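Here is an added worked example, not code from the original post, of the RPKI Route Origin Validation logic (RFC 6811) that the ROV and filtering bullets above describe. The ROAs and announcements are constructed sample data using documentation prefixes and AS numbers; a real router would load its ROAs from an RPKI validator over RTR rather than from a list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce prefix and any
    sub-prefix no longer than max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


# Constructed ROAs for documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = (
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),   # tight: only the /24 itself
    ROA(ipaddress.ip_network("198.51.100.0/24"), 26, 64496),  # loose: also allows /25 and /26
)


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 Route Origin Validation.
    NotFound: no ROA covers the announced prefix.
    Valid:    a covering ROA names this origin AS and the prefix is within its maxLength.
    Invalid:  covering ROAs exist but none matches (wrong origin or too specific)."""
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.origin_as == origin_as and prefix.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


def validate(prefix_str, origin_as, roas=ROAS):
    """String-friendly wrapper around rov_state."""
    return rov_state(ipaddress.ip_network(prefix_str), origin_as, roas)


def apply_rov(announcements, roas=ROAS):
    """Typical border-router policy: drop Invalid, accept Valid and NotFound.
    Most of the Internet still has no ROA, so NotFound cannot be dropped."""
    accepted, rejected = [], []
    for prefix_str, origin_as in announcements:
        state = validate(prefix_str, origin_as, roas)
        (rejected if state == "Invalid" else accepted).append((prefix_str, origin_as, state))
    return accepted, rejected


# Constructed announcements as a border router might receive them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),    # legitimate origin, exact prefix
    ("203.0.113.128/25", 64497),  # hijack: wrong origin and more specific
    ("203.0.113.128/25", 64496),  # forged-origin more specific: right AS, exceeds maxLength
    ("198.51.100.64/26", 64496),  # legitimate traffic-engineering more specific within maxLength
    ("192.0.2.0/24", 64500),      # no ROA at all
]

if __name__ == "__main__":
    accepted, rejected = apply_rov(ANNOUNCEMENTS)
    for entry in accepted:
        print("accept", entry)
    for entry in rejected:
        print("drop  ", entry)
```

Two caveats follow from the code. First, ROV checks only the origin AS: an attacker who forges an AS_PATH ending in the legitimate origin (a forged-origin hijack) passes as Valid, and only a path-validating scheme such as BGPsec would catch that. Second, the third announcement shows why maxLength matters: a ROA for 203.0.113.0/24 with maxLength 24 makes that forged-origin /25 Invalid, whereas a loose maxLength would have let it through, which is why current guidance (RFC 9319) is to avoid maxLength and issue ROAs only for the prefixes you actually announce.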
Preventing BGP Attacks
To prevent and defend against BGP attacks, organizations have several techniques at their disposal:
- Remote triggered blackhole (RTBH) routing lets you signal your upstream providers, through a BGP announcement tagged with an agreed community (for example the BLACKHOLE community defined in RFC 7999), to discard traffic to a specific destination address, or, when combined with unicast reverse-path forwarding, from a specific source address, before it reaches your links. The targeted address becomes unreachable, but the rest of your network stays up instead of having its Internet ports or connections saturated by the DDoS attack.
- IP prefix filtering on every BGP session, accepting from a customer only the prefixes it is registered to originate, rejecting bogons and overly specific prefixes, and never accepting your own prefixes from anyone, prevents most accidental route hijacks and leaks at the edge and keeps the AS from accepting bogus prefix declarations. It is only as good as the registry data behind it, however, and is difficult to apply to large peers and transit providers that send the full routing table.
- Secure BGP routing solutions for the Internet as a whole, such as BGPsec, which cryptographically signs the AS path, are being deployed. BGPsec has had limited success because it does not protect against route leaks (the path it signs is genuine, just not one policy intended), it requires router software support and significant processing for signature validation, and its benefit only materializes when every AS along a path implements it.
- DDoS protection to mitigate DDoS attacks, including BGP attacks. The most advanced solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
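As an added example, not from the original post, the following Python function is the kind of per-session inbound prefix filter the second bullet above describes, applied to a customer session: it rejects bogons, the default route, overly specific prefixes and anything overlapping the provider's own address space, and then accepts only prefixes the customer has registered in the IRR with an origin in its AS-set. The provider (AS 64496), the customer (AS 64510 and 64511), the IRR data and the received announcements are all constructed for the example using documentation ranges.

```python
import ipaddress

# Constructed policy data: we are AS 64496 and this filter guards a customer session.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Martians/bogons that must never be accepted from anyone (RFC 1918, RFC 6598 and friends).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# What the IRR says this customer may originate: route objects (prefix -> origin AS)
# and the members of its AS-set. Constructed for the example.
CUSTOMER = {
    "as_set": {64510, 64511},
    "routes": {
        ipaddress.ip_network("198.51.100.0/24"): 64510,
        ipaddress.ip_network("192.0.2.0/24"): 64511,
    },
}

MIN_LEN, MAX_LEN = 8, 24  # rejects the default route and anything more specific than /24


def inbound_customer_filter(prefix_str, origin_as, customer=CUSTOMER):
    """Return ('accept', reason) or ('reject', reason) for one announcement.
    Order matters: cheap universal checks first, the registry lookup last."""
    prefix = ipaddress.ip_network(prefix_str)
    if prefix.version != 4:
        return "reject", "IPv6 needs its own filter"
    if any(prefix.subnet_of(b) for b in BOGONS):
        return "reject", "bogon/martian"
    if not MIN_LEN <= prefix.prefixlen <= MAX_LEN:
        return "reject", f"prefix length /{prefix.prefixlen} outside /{MIN_LEN}-/{MAX_LEN}"
    if any(prefix.subnet_of(p) or p.subnet_of(prefix) for p in OUR_PREFIXES):
        return "reject", "overlaps our own address space"
    if origin_as not in customer["as_set"]:
        return "reject", f"origin AS{origin_as} not in customer AS-set (possible leak)"
    for registered, registered_origin in customer["routes"].items():
        if prefix.subnet_of(registered) and registered_origin == origin_as:
            return "accept", f"covered by IRR route {registered} origin AS{registered_origin}"
    return "reject", "no matching IRR route object"


# Constructed announcements received on the customer session.
RECEIVED = [
    ("198.51.100.0/24", 64510),   # registered, correct origin
    ("192.0.2.0/24", 64511),      # registered to the second AS in the AS-set
    ("198.51.100.0/25", 64510),   # too specific: would win over the /24 everywhere
    ("203.0.113.0/24", 64510),    # our own prefix announced back to us
    ("10.0.0.0/8", 64510),        # RFC 1918 space
    ("192.0.2.0/24", 64520),      # someone else's origin AS: a leak or hijack
    ("0.0.0.0/0", 64510),         # default route from a customer
]


def filter_session(received=RECEIVED):
    """Apply the filter to every announcement and return the verdicts."""
    return {(p, a): inbound_customer_filter(p, a) for p, a in received}


if __name__ == "__main__":
    for (p, a), (verdict, why) in filter_session().items():
        print(f"{verdict:6} {p:18} AS{a}: {why}")
```

The length bound deserves a word: rejecting anything longer than /24 is what stops a customer's stray /25 from out-competing the legitimate /24 across the Internet, the exact mechanism of the hijacks described earlier, at the cost of refusing legitimate traffic engineering more specific than /24 unless you whitelist it explicitly. Filters like this are normally generated from IRR data by a tool such as bgpq4 and pushed to routers as prefix lists rather than hand-maintained.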
Summary of BGP Attack Risks
Were it not for BGP there would be no way to route traffic efficiently between networks. However, as important as BGP is for global network connectivity, it has weaknesses that make it an attractive target for threat actors. Additionally, efforts to develop secure BGP routing solutions such as BGPsec have several limitations that have slowed adoption and continue to leave BGP open to attacks.
Threat actors leverage BGP vulnerabilities, including BGP hijacking and BGP leaks, for a variety of purposes. One of the primary goals is to launch BGP DDoS attacks. However, attackers also compromise BGP routers to conduct sniffing, route traffic to endpoints in malicious networks, create route instabilities, and for cyber espionage purposes. Organizations that are victims of a BGP attack can suffer serious technical and business consequences including service, website, and email disruption and, ultimately, financial loss and reputational damage.
There are best practices and technologies you can use to detect and prevent the risk of BGP attacks, including BGP monitoring and management techniques, anti-spoofing protections, traffic analysis and anomaly detection, network performance monitoring, remote triggered blackhole routing, and using an advanced DDoS protection solution.
DDoS protection coupled with intelligence to stay ahead of emerging threats, provides uninterrupted service availability even in the midst of a BGP DDoS attack and can also protect you from the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.