What is BGP Hijacking and How Do You Prevent It?

by Michael Gibbs (@thecloudarchitect), July 9th, 2022

Too Long; Didn't Read

BGP is a path-vector routing protocol that is used to connect external organizations to each other. BGP hijacking occurs when someone impersonates a BGP speaker and starts communicating as if he were the normal BGP speaker. Bad routes can be injected without affecting service because they are filtered out. One method for preventing hijacking is using basic MD5 message authentication to authenticate that the peers are who they claim to be. This does not provide a ton of protection and it is not the hardest thing to crack, but it is a start.

BGP, which stands for Border Gateway Protocol, is a path-vector routing protocol that is used to connect external organizations to each other. BGP is an exterior gateway protocol that runs over the Transmission Control Protocol (TCP) on port 179.

You may know BGP as the routing protocol of the internet: the internet runs on BGP. It provides the right blend of attributes, features, and functionality for accomplishing the routing that makes the internet possible. Chief among those features is its scalability; it is the most scalable routing protocol in the world. In addition, it is highly tunable with regard to traffic engineering, that is, determining how traffic will move through the network. It also provides the degree of filtering that is necessary for keeping traffic on the correct routes.

How does BGP work?

All internet service providers connect to each other through BGP. Organizations that connect to multiple internet service providers or to a cloud provider also connect via BGP. It facilitates the connection by allowing one BGP speaker to establish a session with a second BGP speaker and exchange routes with it.

To better understand how this works, imagine you have one BGP speaker (let's call him Mike) and another BGP speaker (let's call him Fred). In preparation for connecting with each other, Fred and Mike agree to each other's terms: they agree on their autonomous system numbers (ASNs), which identify their networks, and they agree to form a peering relationship. At this point, Fred and Mike start exchanging routes, the information that tells one organization how to reach another.

As long as Mike and Fred continue to talk to each other as they should, staying friends and exchanging information based on each other's terms, life works perfectly. Should Mike learn some new routes, all he needs to do is tell Fred. Fred then puts them into his routing table and tells the other service providers about them, and everyone stays happy.

What is a BGP hijacking?

But what happens if Mike thinks he is talking to Fred, but in reality he is talking to someone named Darrell who is impersonating Fred? That is what we call BGP hijacking. Similar to a man-in-the-middle attack, BGP hijacking occurs when someone impersonating a BGP speaker takes over the session and starts communicating as if he were the legitimate BGP speaker. Mike thinks he's talking to Fred, but in reality he is talking to someone else. In a BGP hijacking event, that someone else, the hijacker, causes problems by telling the routers to send traffic along the wrong routes. BGP hijacking is effectively a man-in-the-middle attack on the BGP routing protocol.

When BGP was created, there was not a lot of focus on thwarting attackers, so BGP has some security built into the protocol, but not a lot. BGPsec is a newer security extension to BGP that can prevent BGP hijacking, but it hasn't been widely adopted. Until it is, there are other steps that must be taken to prevent BGP hijacking.

How do you prevent BGP hijacking?

One method for preventing hijacking is using basic MD5 authentication on the BGP session to check that the peers are who they claim to be. This does not provide a ton of protection and it is not the hardest thing to crack, but it is a start.

Remember, the reason we are using BGP in the first place is so Mike can tell Fred the routes that he is using. Because Mike and Fred know ahead of time what routes to expect, they can pass that information to service providers, enabling them to filter out any route other than the ones they are expecting. When this is done, a BGP hijacking event accomplishes nothing. Bad routes can be injected without affecting service because they are filtered out.
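The filtering step described above, as an added example that is not from the article: a Python model of the inbound filter a provider applies to one peering session, accepting only the prefixes the peer agreed to announce and rejecting everything else. The peer ASN, prefixes and maximum prefix lengths in PEER_POLICY are constructed for the example (the same shape as a prefix-list built from IRR route objects or an RPKI ROA with maxLength), and Update, filter_update and accepted_routes are hypothetical names, not any router's API.

```python
import ipaddress
from dataclasses import dataclass

# Constructed per-peer policy (hypothetical values, not a real network):
# for each peer ASN, the prefixes we agreed to accept from it and the longest
# prefix length we will accept underneath each one.
PEER_POLICY = {
    64500: {
        ipaddress.ip_network("203.0.113.0/24"): 24,   # exactly the /24, nothing longer
        ipaddress.ip_network("198.51.100.0/24"): 25,  # the /24 or either of its /25 halves
    },
}


@dataclass
class Update:
    """One inbound BGP UPDATE as seen by the receiving speaker."""
    peer_as: int
    prefix: str
    as_path: tuple  # left-most element is the peer, right-most is the origin AS


def filter_update(update: Update, policy=PEER_POLICY) -> tuple:
    """Return (accepted, reason) for one inbound route."""
    allowed = policy.get(update.peer_as)
    if allowed is None:
        return (False, f"no inbound policy for AS{update.peer_as}")
    # An eBGP neighbour must prepend its own AS; anything else is malformed or spoofed.
    if not update.as_path or update.as_path[0] != update.peer_as:
        return (False, "AS_PATH does not start with the peer AS")
    net = ipaddress.ip_network(update.prefix, strict=False)
    for agreed, max_len in allowed.items():
        if net.version != agreed.version or not net.subnet_of(agreed):
            continue
        if net.prefixlen <= max_len:
            return (True, f"covered by {agreed} (max /{max_len})")
        return (False, f"/{net.prefixlen} is more specific than /{max_len} allowed under {agreed}")
    return (False, "prefix not in the agreed list for this peer")


def accepted_routes(updates, policy=PEER_POLICY):
    """The prefixes that survive the filter, i.e. what would reach the routing table."""
    return [u.prefix for u in updates if filter_update(u, policy)[0]]


# Constructed sample session: expected routes, then the kinds of routes a
# hijacker or a misconfigured peer might inject.
SAMPLE_UPDATES = [
    Update(64500, "203.0.113.0/24", (64500,)),
    Update(64500, "203.0.113.0/25", (64500,)),        # more specific than agreed
    Update(64500, "198.51.100.128/25", (64500,)),     # within the agreed max length
    Update(64500, "192.0.2.0/24", (64500, 64496)),    # never agreed with this peer
    Update(64500, "203.0.113.0/24", (64510, 64500)),  # AS_PATH does not begin with the peer
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        ok, why = filter_update(u)
        print("ACCEPT" if ok else "REJECT", u.prefix, "-", why)
    print("routing table would contain:", accepted_routes(SAMPLE_UPDATES))
```

On a real router the same policy is expressed as a prefix-list or route-map applied inbound on the neighbor; the reject reasons returned here are the events worth logging, since a burst of rejected more-specifics or never-agreed prefixes from a peer is itself a sign that something is wrong on the far side of the session.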

BGP hijacking can also be detected through monitoring systems. When a system suddenly begins to experience latency, degraded network throughput or packet loss (any sign that system performance is declining), we need to look at why. We can go to our routers, BGP tables, and logs to look for signs of BGP hijacking.
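The BGP-table check described above, as an added example that is not from the article: a Python check that compares announcements observed from outside (what a route collector or looking glass reports) against the prefixes an organization actually originates, and flags the two classic hijack shapes, a foreign origin AS for one of our prefixes and a more-specific prefix we never announced. OUR_AS, OUR_PREFIXES and the OBSERVED list are constructed sample data, and check_announcement and scan are hypothetical names.

```python
import ipaddress

# Constructed: the ASN and the prefixes this organization legitimately originates.
OUR_AS = 64496
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample of what an external vantage point (a route collector or
# a looking glass) reports: (prefix, AS_PATH), right-most element = origin AS.
OBSERVED = [
    ("203.0.113.0/24", (64500, 64496)),    # normal: our upstream, us as origin
    ("203.0.113.0/24", (64510, 64511)),    # origin hijack: someone else claims our /24
    ("203.0.113.128/25", (64510, 64511)),  # more-specific hijack: beats our /24 on longest match
    ("198.51.100.0/24", (64500, 64499)),   # not our address space, nothing to flag
    ("2001:db8::/32", (64500, 64496)),     # normal
]


def check_announcement(prefix, as_path, our_as=OUR_AS, our_prefixes=OUR_PREFIXES):
    """Return an alert string if this announcement conflicts with what we originate, else None."""
    if not as_path:
        return f"{prefix}: announcement with empty AS_PATH"
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    # Exact match first, so a more-specific we announce ourselves is not
    # mistaken for a hijack by the covering-prefix rule below.
    if any(net == ours for ours in our_prefixes):
        if origin == our_as:
            return None
        return f"{prefix}: origin hijack, originated by AS{origin} instead of AS{our_as}"
    covering = [ours for ours in our_prefixes
                if net.version == ours.version and net.subnet_of(ours)]
    if covering:
        return (f"{prefix}: more-specific of {covering[0]} that we do not announce, "
                f"originated by AS{origin}")
    return None


def scan(observed=OBSERVED, **kwargs):
    """Run the check over a snapshot of observed announcements and collect the alerts."""
    alerts = []
    for prefix, as_path in observed:
        alert = check_announcement(prefix, as_path, **kwargs)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan():
        print("ALERT", line)
```

Two points on the design: the check has to run against external vantage points, because your own routers only see what their peers send them and a hijack of your prefix typically shows up first in other networks' tables; and a more-specific is flagged even when the origin AS is ours, because we never announced it, which also catches the forged-origin variant where a hijacker prepends the victim's ASN.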

Overall, BGP hijacking can be thought of as a man-in-the-middle attack that affects two BGP speakers. Until BGPsec can be fully leveraged to make BGP more secure, monitoring system performance and filtering bad routes are the best ways to detect and prevent BGP hijacking.