What is BGP hijacking?
Border Gateway Protocol hijacking, or BGP hijacking for short, is an unlawful modification of routing entries in routers that run the Border Gateway Protocol. Such injection attacks have the potential to render the Internet or its parts non-functional.
This is a mouthful and a terrifying definition. Let’s unpack it.
The Internet is a network of (smaller) networks. These smaller networks, which can still span millions of nodes, are called Autonomous Systems (AS) and are in essence sets of routers managed by a single administrative entity. Typical examples of autonomous systems include Internet Service Providers (ISPs), large companies and universities.
However, a large network does not automatically become an autonomous system; it must obtain that status explicitly by obtaining an Autonomous System Number (ASN) from the Internet Assigned Numbers Authority (IANA). There are many autonomous systems today: their number exceeded 100,000 in March 2021.
The Border Gateway Protocol, then, is the protocol used to route traffic between autonomous systems. While routing within each autonomous system depends only on the policy of that particular system, routing between autonomous systems is always done with the Border Gateway Protocol. The protocol is run by routers that sit on the borders of autonomous systems and serve as their entry and exit points; gateways, so to speak.
When a user in one autonomous system visits a website hosted in a different autonomous system, the traffic is first routed within the first system to its border router using the routing protocol of the first autonomous system, then from the border router of the first system to the border router of the second system using BGP, and finally within the second system to the destination website using the routing protocol of the second system.
In this case we assumed that the autonomous systems are direct neighbors, but they need not be: there may be several autonomous systems between the communicating computers. Having a dedicated routing protocol at the global level is what makes the Internet work: routing becomes efficient and fast while routing table sizes remain manageable.
For routing to work, BGP routers need to know which IP addresses belong to which autonomous systems. This information is exchanged over permanent connections between neighboring autonomous systems, so-called peering sessions, in which each system publishes its reachability and routing information; an important part of that information is the set of IP address ranges that originate in, or belong to, an autonomous system. Each range is represented as an IP prefix: for instance, 1.1.0.0/16 represents the addresses from 1.1.0.0 to 1.1.255.255. This information is then propagated further to other autonomous systems of the Internet in a path-vector routing manner.
A BGP hijacking occurs when someone takes over a border router and announces invalid routing information that disrupts the functioning of the network. In general, an autonomous system is said to publish an invalid routing announcement when it declares:
In all cases, networking is disrupted because packets end up in the wrong part of the network. There, the packets can be monitored, modified, discarded, or sent into an endless routing loop.
Since the announcement must come from the operator of an autonomous system, such as an ISP, a large company or a university, not just anyone can launch a BGP hijacking attack. However, since there are nowadays over 100,000 autonomous systems, it is reasonable to expect that some will get compromised. Moreover, it has even happened that a legitimate autonomous system announced faulty routing information by accident.
There have been quite a few BGP hijackings in recent years. Here are some of the best-known ones.
/dev/null), but the announcement was mistakenly sent to neighboring autonomous systems, which propagated it further. Consequently, all Internet traffic addressed to YouTube was rerouted to said ISP.
BGP hijackings occur because BGP peers trust each other to announce correct and honest routes. So if and when an invalid route is announced, the receiving peers accept and process it like any other, and Internet traffic gets redirected. At this point we should acknowledge that BGP was created to make the Internet work; it was not created with security in mind. The times were different then.
Since then, however, security solutions have been developed. One of them is the Resource Public Key Infrastructure (RPKI), which allows peers to validate routing assignments with the help of cryptography. With it, routing peers can only announce routes that their organization is authorized to announce.
Unfortunately, RPKI has not yet been deployed by all autonomous systems, so the Internet is still, to some degree, vulnerable to BGP hijacking attacks.
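As an added example (not code from the original article), the following Python models the two mechanisms described above: what an IP prefix such as 1.1.0.0/16 covers, and how a router that uses RPKI performs route origin validation of incoming announcements against a table of Route Origin Authorizations (ROAs), which is how a hijacked prefix gets rejected. The ROA table, the announcements and the AS numbers are constructed sample data, not real registry contents.

```python
import ipaddress

# A Route Origin Authorization (ROA): the holder of `prefix` authorizes `asn` to
# originate it, and any more-specific announcement no longer than `max_len` bits.
ROA = tuple[str, int, int]  # (prefix, max_len, asn)

def prefix_range(prefix: str) -> tuple[str, str]:
    """First and last address a prefix covers, e.g. 1.1.0.0/16 -> 1.1.0.0 .. 1.1.255.255."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def validate_origin(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Route Origin Validation as in RFC 6811: 'valid', 'invalid' or 'not-found'.
    A ROA covers an announcement when the announced prefix lies inside the ROA prefix.
    valid     : a covering ROA names the same origin AS and the length is <= max_len
    invalid   : covering ROAs exist but none matches (wrong origin AS or too specific)
    not-found : no ROA covers the prefix, so RPKI says nothing about it
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accept_announcements(announcements: list[tuple[str, int]], roas: list[ROA]) -> list[tuple[str, int]]:
    """Typical ROV policy on a border router: drop 'invalid' routes, keep the rest."""
    return [a for a in announcements if validate_origin(a[0], a[1], roas) != "invalid"]

# Constructed sample data (documentation ASNs, not a real registry): AS 64496 holds
# 1.1.0.0/16 and may split it into announcements as specific as /20.
SAMPLE_ROAS: list[ROA] = [("1.1.0.0/16", 20, 64496)]

SAMPLE_ANNOUNCEMENTS = [
    ("1.1.0.0/16", 64496),      # legitimate origin
    ("1.1.0.0/16", 64511),      # origin hijack: another AS claims the whole block
    ("1.1.128.0/24", 64511),    # more-specific hijack: would win by longest-prefix match
    ("203.0.113.0/24", 64511),  # no ROA at all: RPKI cannot judge it
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS))
```

Note that a not-found result is not a pass: it only means the prefix holder has published no ROA, which is exactly the gap left by the autonomous systems that have not deployed RPKI.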
A BGP hijacking attack is an attack in which a router running the Border Gateway Protocol announces information that causes Internet traffic to be redirected. Such attacks may be accidental or deliberate. In either case, Internet traffic may be disrupted.