BGP Hijacking is an actual problem that we need to solve


Yesterday I read a brief but interesting article about BGP Hijacking, written by Johannes B. Ullrich and published on the SANS ISC InfoSec Forum.

I have already written something about BGP Hijacking; you can read it at https://www.andreafortuna.org/bgp-hijacking-current-state-and-future-developments-d4077c215d12.

Essentially, BGP Hijacking is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables:

The Internet is a network of networks.

Each “Autonomous system” (AS) connects to the internet using a router that “speaks” the Border Gateway Protocol (BGP) to disseminate and receive routing information.

The problem is that there is no authoritative way to figure out who is supposed to receive which IP address space.

If I got a new IP address range assigned, or if I agree to route it as part of an agreement with another network, then I will use BGP to advertise this to the Internet.

Sadly, nobody has figured out yet how to validate these advertisements. As a result, it is somewhat common for BGP to be abused to advertise IP addresses that an organization doesn’t actually own. This can lead to a denial of service, or miscreants can start using it for a man-in-the-middle attack.

The article also refers to the recent BGP abuse that allowed large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies to be briefly routed through a Russian government-controlled telecom:

[embed]https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/[/embed]

“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Ullrich also suggests some mitigations for this kind of attack:

So in short, what can you do about it?

1 — The internet is an untrusted network. Deal with it. Assume people are rerouting, eavesdropping and manipulating your traffic. Technologies like TLS will help you detect these issues if properly implemented. VPNs can help to secure trusted connections within an organization or between trusted partners. But this is exactly why you have to audit these configurations and make sure they are configured based on current best practices.

2 — Monitor if someone is trying to hijack IP address space you are using.

3 — If you do own IP address space, and if you do manage BGP yourself, then make sure you implement the few security features that are available.
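Points 2 and 3 above (monitor announcements of your own address space; use the security features that do exist) and the earlier remark that there is no authoritative way to validate who may announce which prefix are exactly what RPKI-based Route Origin Validation addresses: the prefix holder publishes a ROA naming the origin AS and a maximum prefix length, and anyone (a router with ROV enabled, or a monitoring script) can classify an observed announcement as valid, invalid or not-found. The following Python script is an added example and is not code from this post or from Ullrich's article. It implements the RFC 6811 decision against a local ROA table and uses it to flag announcements touching the operator's own prefixes; the ROAs, prefixes, AS numbers (AS64500 as "us", AS64666 as the foreign origin) and the "observed" announcements are all constructed sample data.

```python
# Added example, not code from the original post or from Ullrich's SANS ISC
# article. It implements the RFC 6811 Route Origin Validation decision
# (valid / invalid / not-found) against a local table of ROAs and uses it to
# flag announcements touching our own address space. All ROAs, prefixes,
# ASNs and "observed" announcements below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: asn may originate prefix and any
    sub-prefix of it whose length does not exceed max_length."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs for a hypothetical operator, AS64500 (documentation ranges).
ROAS = [
    ROA("198.51.100.0/22", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]

# Prefixes we want alerts for: our own (hypothetical) address space.
WATCHED_PREFIXES = ["198.51.100.0/22", "2001:db8::/32"]

# Constructed announcements, shaped like what a route collector or looking
# glass would show: the announced prefix plus the AS_PATH (origin is last).
ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/22", "as_path": [64510, 64500]},  # our normal announcement
    {"prefix": "198.51.100.0/24", "as_path": [64510, 64500]},  # our /24, within max_length
    {"prefix": "198.51.101.0/25", "as_path": [64510, 64500]},  # our ASN, but longer than max_length
    {"prefix": "198.51.102.0/24", "as_path": [64520, 64666]},  # more-specific from a foreign origin
    {"prefix": "203.0.113.0/24", "as_path": [64520, 64666]},   # not our space, ignored by monitor
    {"prefix": "2001:db8:1::/48", "as_path": [64520, 64666]},  # IPv6 sub-prefix, foreign origin
    {"prefix": "2001:db8::/32", "as_path": [64510, 64500]},    # our normal IPv6 announcement
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 origin validation for one (prefix, origin AS) pair.

    'not-found': no ROA covers the prefix (ROV can say nothing about it).
    'valid':     some covering ROA names this origin and allows this length.
    'invalid':   ROAs cover the prefix but none authorises this origin/length,
                 e.g. a foreign origin or a more-specific beyond max_length.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so check version first.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def monitor(announcements, roas, watched_prefixes):
    """Return alerts for announcements of (sub-)prefixes of our space that
    do not validate as 'valid' against our ROAs."""
    watched = [ipaddress.ip_network(p, strict=False) for p in watched_prefixes]
    alerts = []
    for ann in announcements:
        net = ipaddress.ip_network(ann["prefix"], strict=False)
        if not any(net.version == w.version and net.subnet_of(w) for w in watched):
            continue  # announcement does not touch our address space
        origin = ann["as_path"][-1]  # AS_SET origins are not handled here
        state = validate_origin(ann["prefix"], origin, roas)
        if state != "valid":
            alerts.append({"prefix": ann["prefix"], "origin_asn": origin,
                           "as_path": ann["as_path"], "rov": state})
    return alerts


if __name__ == "__main__":
    for alert in monitor(ANNOUNCEMENTS, ROAS, WATCHED_PREFIXES):
        print(f"ALERT {alert['rov']:9s} {alert['prefix']:18s} "
              f"origin AS{alert['origin_asn']} path {alert['as_path']}")
```

Run as-is it raises three alerts: the two foreign-origin more-specifics (the classic hijack shape, which wins because a longer prefix beats a shorter one regardless of AS path) and our own /25, which is invalid because it exceeds the ROA's max_length. The last case is deliberate: a ROA with a loose max_length would let a hijacker announce any more-specific from the authorised AS number, so keep max_length equal to what you actually announce. In practice the ROA table comes from an RPKI validator and the announcements from a route collector or your router's RIB; the same decision, applied on the router, is the "security feature" of point 3.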


For more information, please refer to the original article on the SANS ISC InfoSec Forum.

