Why BGP Hijacking is Still a Threat
When the Internet goes down, rendering everything inaccessible from mission-critical business services to mental stability-critical meme generators, is it because of an accident or malicious hackers? In the case of BGP hijacking, it could be either—and sometimes both.
Consider the BGP hijacking incident on April Fool’s Day last year, which caused massive Internet service disruptions just as the world was beginning to grapple with the consequences of the COVID-19 pandemic. Internet traffic that was supposed to flow through more than 200 of the largest cloud-based Web providers and content delivery networks was redirected through Russia’s state-owned telecommunications provider, Rostelecom. More than 8,800 Internet traffic routes were affected for nearly two hours, slowing—and in many cases halting—traffic to, from, and through Amazon, Google, Facebook, Akamai, Digital Ocean, Cloudflare, Heztner, and others.
“They kept doing it for two hours,” says Aftab Siddiqui, senior manager of Internet technology at the Internet Society. “We don’t know what they achieved, but we do know that for those two hours you couldn’t access those services.”
While that incident was noticeable for its scale and impact, it’s far from the only time that BGP hijacking affected Internet service in 2020. It’s so common that Siddiqui’s Internet Society colleagues estimate that 2,477 BGP hijacking incidents occurred last year, nearly seven per day. Most, he says, are short-lived, but some go on for hours. When done intentionally, it can be used for large-scale surveillance, denial-of-service attacks, and espionage.
“And even if 10 percent were intentional, that’s a lot,” he warns. The challenge in stopping BGP hijacking is that it exploits a design flaw in how the Internet is constructed, and to stop it will take the vast majority of the world’s Internet service providers to change how they operate.
What is BGP hijacking?
BGP hijacking is when the Border Gateway Protocol—which builds the routing tables that form the critical data backbone of the Internet—fails because the path the data should have taken was changed with intentionally inaccurate information. The end result can be websites and apps not loading properly, or at all.
BGP was originally invented in the 1980s and fully implemented by 1994 to transfer data automatically between Internet service providers. At its simplest, BGP hijacking is when the routers guiding that data are misconfigured. The hijacking refers not only to an entity taking over control of the data routing, but also to interference forcing the data to be routed incorrectly.
The unique entities in the routing tables that define correct BGP routing are known as autonomous systems (AS), which announce the routes that other ASes should rely on to reach Internet service providers in different geographic regions. Generally, BGP defaults to the shortest routes possible, but humans and computers can interfere with ASes—intentionally, for business reasons, accidentally, or with malicious intent.
If the data route has been interfered with maliciously, it’s trivial for a hacker to spy on the data if it hasn’t been encrypted. If the routing is ultimately allowed to complete its journey, the recipient of the data might not even notice.
What’s most disturbing about BGP hijacking is that while it can be done accidentally, it can also be used as a digital weapon by nation-states or groups affiliated with them. Although BGP hijacking was a notorious problem in the 2000s, high-profile, malicious BGP hijackings still happen to this day. These include an incident spanning 2017 and 2018 that netted hackers $29 million; the re-routing of MyEtherWallet traffic to snag $160,000 in 2018; Google, Facebook, Twitch, and Apple traffic spending an hour being re-routed through an obscure Russian network; and most recently, a group of federal government agencies recommended that the FCC revoke China Telecom’s ability to provide international service to and from the U.S. because of misrouting U.S. Internet traffic.
The good news is that Siddiqui’s colleagues at the Internet Society and others have created a way to permanently fix BGP routing and make it more secure. Known as MANRS , the Mutually Agreed Norms for Routing Security have invented new guardrails to keep Internet traffic flowing to its intended destinations. One of the most important solutions that MANRS is promoting is Routing Public KeyInfrastructure, a public database of cryptographically authenticated BGP routes. Siddiqui, who is the project lead at MANRS, counts approximately one-quarter to one-third of the Internet service providers worldwide as RPKI adoptees.
How to minimize BGP hijacking today
The bad news is that each Internet service provider must implement RPKI on its own, a task that comes with a labor and maintenance cost. Although the BGP hijacking incidents in 2020 encouraged Cloudflare to launch a “Is BGP safe yet?” service that lets Internet users know if their ISP has upgraded its BGP security, and Google plans to redouble its efforts as a MANRS partner to fix BGP faster, experts say that we are years away from universal RPKI adoption.
While widespread RPKI implementation is the gold standard that Internet architecture and security experts are gunning for, they say that there are important improvements that can be made today for relatively low effort. Part of the problem in encouraging its adoption, says Melchior Aelmans, an Internet routing expert and consulting engineer at Juniper Networks, is that RPKI contradicts current Internet routing business models.
“Currently, the primary goal for service providers is to have as many routes as possible, which gives you better connectivity. The more routes you have, the easier it is for your customers to reach destinations on the Internet. The problem with RPKI origin validation is that you filter routes out of the routing table, which goes against having as many routes as possible,” he says.
“As soon as you enable RPKI origin validation, you lose about 5000-ish routes from the global routing table. That’s very scary if your business is based on selling the best connectivity there is. What definitely helps in conversations in deploying RPKI with Tier 1 providers and cloud providers, is that they receive only five to ten complaints in the first year of not being able to reach a destination—and those can usually be resolved within a day or two.”
While there are some initial financial costs to upgrading to RPKI, including the possibility of upgrading to routing hardware that supports it and potential new hires to help implement and manage the upgrade, the major investment is cultural, says Flavio Luciani, chief technology officer at Italian Internet exchange point NameX. While approximately 60 percent of the Tier 1 service providers around the world have implemented RPKI, only about one-third of all ISPs and cloud providers have.
“Trying to facilitate RPKI at the small ISPs is very hard. I offer it to them for free, I offer support for free, I offer free workshops. So far, I’ve convinced 20, maybe 25 wireless providers to join the initiative.
There are ways to secure BGP routes from hijacking that take less cajoling but are less effective. One of these initiatives is an effort, also spearheaded by MANRS, to make route filtering more consistent through the publicly-used Internet Routing Registries already in use. Getting ISPs and cloud providers to focus on prioritizing well-known, validated routes will help reduce the impact of the kinds of large-scale shutdowns we saw last spring, says Aelmans.
“Internet Routing Registry filtering is the precursor to Routing Public Key Infrastructure. It’s less verifiable, but still pretty reliable. If you can’t deploy RPKI, at least use Internet Routing Registry filtering,” he says.
Aelmans recommends that in lieu of RPKI, and in addition to Internet Routing Registry filtering, service providers make at least three additional changes to help better secure themselves against BGP hijacking.
-“Sign your prefixes with ROAs.” Route Origin Authorizations manage all the public IP space. They can be downloaded by validator software and used to create a list of prefixes.
-“Upstream your aggregates.” Use egress filtering, he says, to control the prefixes that are sent to the AS network peers and the Internet. That way, the only prefixes exported are the ones explicitly permitted by the policy.
-“Don’t forget to filter your ingresses.” Ingress filtering should be synchronized with egress policy, including on the services’ own RC19 space.
Without addressing these vulnerabilities, either through RPKI or stopgap measures, BGP hijacking will be able to continue unabated. Nation-state hackers have learned how to exploit this fragile technology that the Internet depends on for espionage, interference, and destruction. Unless Internet service providers take important measures to secure their BGP routing, BGP hijacking will remain a potent tool for government-aligned hackers, says Aelmans.
“BGP was only meant to connect a couple of networks, so there was no reason for any security mechanism. When you look at the way the Internet has scaled, there’s now no way to know everything that everyone is announcing on the Internet. But we rely on BGP, so we have to use these bandages,” he says.