BGP Hijacking: current state and future developments

The BGP hijacking is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables.

Autonomous Systems

On the Internet any host, identified by its unique IP address, can talk to any other, anywhere in the world: this is achieved by passing data from one router to another, moving each packet closer to its destination, until it is safely delivered.

To do this, each router must be regularly supplied with up-to-date routing tables.

Individual IP addresses are grouped together into prefixes that are owned by an Autonomous System (AS): an Autonomous System is a group of networks that operate under a single external routing policy (for example, Sprint, Verizon, and AT&T each are an AS).

The routing tables between Autonomous Systems are maintained using the Border Gateway Protocol (BGP).

Border Gateway Protocol

Border Gateway Protocol (BGP) is designed to act as a routing protocol that passing routing information about the structure of the network to other BGP routers, informing them which networks are found behind the BGP router.

A BGP router announces the routes that it learned and can also retransmit routes learned from the IGPs found on their networks:

BGP’s purpose is not only to exchange its information, but also to exchange network reachability and availability information for the Autonomous Systems paths with other BGP systems on the network.

This process allows all systems to construct topology graphs of the entire network infrastructure on both sides of the BGP link.

BGP Hijacking

Since BGP determines how data travels from its source to its destination, its manipulating can reroute data in an attacker’s favor, allowing him to intercept or modify traffic.

So, BGP hijacking is performed by configuring an edge router to announce prefixes that have not been assigned to it.

If the malicious announcement is more specific than the legitimate one, or claims to offer a shorter path, the traffic may be directed to the attacker.

By broadcasting false prefix announcements, the compromised router may poison the Routing Information Base (RIB) of its peers: after poisoning one peer, the malicious routing information could propagate to other peers, to other Autonomous Systems, and onto the entire Internet.

Some case studies

Multiple instances of BGP hijacking have been recorded in the last years.

Dyn Research has documented several examples of BGP hijacking performed in 2013 to reroute data through arbitrary countries prior to the intended destination.

In one of this cases (likely explained as corporate or state espionage) the traffic, intended to go from Mexico to the United States, was diverted to Belarus before reaching its destination.

Using false BGP broadcasts, the Belarusian ISP successfully propagated illegitimate routes onto the Internet:

In February 2013, we observed a sequence of events, lasting from just a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel. 
These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. 
Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers.
 Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination.

SecureWorks has analized a 2014 attack where BGP hijacking was used to intercept Bitcoin miners’ connections to a mining pool server, stealing $83,000 in cryptocurrency from the victim’s mining over a two-month period:

1. Miners continuously connect to a legitimate pool for tasks.

2. The hijacker begins an attack.

3. When miners attempt to connect to the legitimate pool, a new BGP route directs their traffic to a pool maintained by the hijacker.

4. This malicious pool sends each rerouted miner a client.reconnect command, instructing them to connect to a second pool maintained by the hijacker. By convincing the miners to connect to this second malicious pool rather than the original malicious pool, the hijacker filters out traffic that has already been hijacked so it is not hijacked again.

5. The hijacker ceases the attack. Miners that were redirected to the hijackers pool continue to see tasks and perform work, but are not compensated. Miners who were not redirected remain unaffected.

6. The hijacker repeats the process in short bursts, allowing the activity to continue unimpeded for months.

In July 2015, the well known Hacking Team breach resulted in a leak of internal emails that revealed that, in 2013, the Italian government worked with Hacking Team and an Italian ISP to conduct BGP hijacking, the first documented case of a european government that has used this tecnique.

Due a block of an IP, an Hacking Team command and control (C&C) server went offline, and the malware communications with the C&C were interrupted.

By fraudulently announcing the IP prefix hosting the C&C, Hacking Team has reestablished access with the infected machines:

The Raggruppamento Operativo Speciale or ROS is the Special Operations Group of the Italian National Military police. 
The group focuses on investigating organized crime and terrorism.Hacking Team sells its RAT software known as Remote Control System (RCS) to law enforcement and intelligence agencies, ROS included.

ROS infected and installed the RCS client on the machines of persons of interest (referred to in the emails as targets). 
These Remote Access Tools can provide ROS with all kinds of information and typically provide the tool’s operator with full access over a victim’s machine.

The RCS clients normally need to check in with a server, which is a machine the clients can get their commands (orders) from and then upload stored data, recorded communications, logged keystrokes, etc., to. 
The Wikileaks emails uncovered how after ROS abruptly lost access to one of its RCS servers and worked together with Hacking Team to recover the loss.

And the future?

Currently, BGP hijacking is difficult to prevent, largely due to the design of BGP itself: in effects the protocol does not support the ability to verify the accuracy of routing information.

Perhaps the most promising improvement to BGP could be BGPsec, an extension to BGP that introduces several new protections, realized by the Internet Engineering Task Force.

A significant improvement to the protocol’s security could be the Resource Public Key Infrastructure (RPKI), which will provide a way to associate every Autonomous Systems with cryptographic certificates to maintain integrity.

Each AS will maintain a digitally signed Route Origination Authorization (ROA) that lists IP prefixes and which AS are permitted to announce them.