Interconnectivity is vital for your organization. Customers, suppliers and employees are all brought together from across the globe, united by the Border Gateway Protocol (BGP). But what is BGP? And why is it so vital to online connectivity? Alongside its often-overlooked importance, here’s how uber-stealthy cyber criminals abuse BGP to carry out simple yet damaging attacks.
What is BGP?
When a customer places an ecommerce order on their laptop, they might be located in Australia. The company headquarters may be situated in America, with its warehouses scattered throughout Europe. The Border Gateway Protocol acts like the internet’s postal service, defining how the customer’s request travels through different networks in order to reach the company efficiently. BGP works with three vital pieces of data: the name of a resource, the address of its destination, and a route to get there.
The internet is a vast collection of interconnected networks. These smaller networks are called autonomous systems (ASes): each AS is essentially a large pool of routers run by a single organization, such as an internet service provider or a company that controls a range of IP addresses. Each AS has its own unique number, its ASN. Instead of letting data wind slowly through the bewildering number of online networks, BGP determines the fastest path to the destination ASN. Originally invented in the 1980s, BGP was the first mechanism that allowed data to be transferred automatically and efficiently between different ISPs. Fully implemented by 1994, it has underpinned the internet’s global connectivity for decades.
To select the fastest route, BGP first considers all the available paths that data could take. These options are advertised by the ASes themselves, each of which announces the routes that other ASes should use to reach destinations in different geographic regions. From these, BGP selects the shortest available path, which usually means hopping between a number of ASes. This AS-hopping ability streamlines the flow of data, but it also means that a central function of the internet has a major security flaw.
What is BGP Hijacking?
BGP always prefers the shortest, most specific path towards the destination IP address. This fundamental rule allows attackers to maliciously reroute traffic flowing through different ASes. This can be done in a few different ways. One of them relies on the attackers fraudulently announcing themselves as the owners of blocks of IP addresses: they do not genuinely own these addresses, but by altering the route announcement they can redirect data along paths that neither the sender nor the receiver expected. Once disguised as an AS operator, the attackers can redirect traffic freely by advertising a shorter route to those blocks of IP addresses. Because this method requires directly compromising an internet service provider or another legitimate AS owner, it is quite rare.
The more common and accessible form of BGP hijack involves a simpler kind of fraud. Any participating network can simply ‘lie’, publishing a fake BGP route that claims its network includes ‘Facebook’s servers’, and every other network on the internet assumes the announcement is legitimate. In this way a fraudulent AS advertises a suspiciously specific route. BGP always favors the route covering the smaller range of IP addresses, because the more specific announcement is treated as the better match, and it naively prefers the shortest path. If that smaller range is announced by an attacker, the data is rerouted into networks they control, where it is at serious risk of theft.
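To make the two rules from the last few paragraphs concrete (shortest AS path wins among announcements for the same prefix; the more specific prefix wins when forwarding), here is a small simulation. It is an added example, not code from the original article: it models a receiving router's route table with the Python standard library, shows a constructed more-specific announcement from a hijacker capturing traffic, and then shows the same table with a simplified origin-validation check, modelled on RPKI Route Origin Authorizations (RFC 6811 "valid / invalid / unknown" outcomes), discarding the bogus announcement. All prefixes, ASNs and the ROA table are constructed for the example; the real BGP decision process has many more tie-breakers than AS-path length.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One BGP announcement as seen by a receiving router.
    as_path lists ASNs from the nearest neighbour outward; the last ASN is the origin."""
    prefix: str
    as_path: tuple

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed table of authorised origins, modelled on RPKI Route Origin Authorizations:
# prefix -> (authorised origin ASN, maximum prefix length the origin may announce).
ROAS = {"203.0.113.0/24": (64500, 24)}


def validate_origin(route: Route, roas=ROAS) -> str:
    """Simplified RFC 6811 origin validation: returns 'valid', 'invalid' or 'unknown'."""
    covering = [(asn, maxlen) for p, (asn, maxlen) in roas.items()
                if route.network.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"            # no ROA covers this prefix at all
    for asn, maxlen in covering:
        if asn == route.origin_as and route.network.prefixlen <= maxlen:
            return "valid"
    return "invalid"                # covered by a ROA, but wrong origin or too specific


def best_paths(routes, drop_invalid=False):
    """Simplified BGP decision process: per prefix, keep the announcement with the
    shortest AS path. With drop_invalid=True, announcements that fail origin
    validation are discarded before selection."""
    best = {}
    for r in routes:
        if drop_invalid and validate_origin(r) == "invalid":
            continue
        current = best.get(r.prefix)
        if current is None or len(r.as_path) < len(current.as_path):
            best[r.prefix] = r
    return best


def forward(dest_ip: str, routes, drop_invalid=False) -> Optional[Route]:
    """Forwarding lookup: among the installed best paths, the longest matching prefix wins."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in best_paths(routes, drop_invalid).values() if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


# Constructed announcements. AS64500 legitimately originates 203.0.113.0/24 and is
# reachable over two paths; AS64666 is the hijacker announcing a more specific /25.
LEGIT_SHORT = Route("203.0.113.0/24", (64496, 64497, 64500))
LEGIT_LONG = Route("203.0.113.0/24", (64496, 64498, 64499, 64500))
HIJACK = Route("203.0.113.0/25", (64496, 64666))

if __name__ == "__main__":
    table = [LEGIT_SHORT, LEGIT_LONG, HIJACK]
    print("naive forwarding      :", forward("203.0.113.10", table))
    print("with origin validation:", forward("203.0.113.10", table, drop_invalid=True))
```

Without the check, traffic for 203.0.113.10 follows the hijacker's /25 even though the legitimate /24 is still in the table; addresses outside the /25 (for example 203.0.113.200) are unaffected, which is why partial hijacks can go unnoticed. With `drop_invalid=True` the /25 is rejected as "invalid" because the ROA allows AS64500 only, and only up to a /24, so the legitimate shortest path is used again.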
A BGP hijack is a little like someone switching all the exit and entry signs on a highway: the rerouted traffic may still reach its destination, just in a slightly roundabout (no pun intended) manner.
The Effects of BGP Hijacking
Once a data route has been misdirected to an attacker-controlled AS, it is trivial for the attacker to spy on any unencrypted packets. If the data is also allowed to continue on to its destination, the recipient may not even notice. BGP attacks have plagued companies since the early noughties, and they continue to strike.
Given the espionage implications of BGP hijacks, it comes as no surprise that they are regularly politically motivated. April 5th, 2020 – April Fool’s Day – saw the online traffic of 200 Content Delivery Network (CDN) providers rerouted through networks belonging to the telecoms provider owned by the Russian government. Cloud providers and CDNs handle the vast majority of today’s online traffic. Not only were consumer tech giants such as Google, Amazon and Facebook caught up in the hijack, but so were major infrastructure pillars such as Akamai, Cloudflare and GoDaddy. The Russian telecoms provider did not merely have the West’s internet traffic flowing through its networks; the end users whose data was being logged also suffered massive disruption. Over 8,800 traffic routes were affected, almost entirely halting traffic for millions. The attack lasted for two hours, and, because a BGP hijack leaves the recipient’s own network untouched, security analysts have no idea what Russia is doing with this data. One possibility is storage: the attackers can attempt to analyze and decrypt the data at a later date, once cryptographic power has increased.
Chinese ASes have also recently been accused of large-scale BGP attacks. The American branch of China Telecoms operated within the US for 20 years, until the FCC suddenly revoked the branch’s license in October 2021. Though no examples of the branch’s involvement in BGP hijacking were made public, the US regulator stressed that the decision was not made lightly. It cited the fact that the Chinese government openly controls the ISP, and framed the shutdown as a national security measure: the risk of US communications being accessed, stored and misrouted, the government claimed, was simply too high.
As companies continue to push outward and strengthen their own defenses, it is important to keep in mind the flaws in the architecture of the internet itself. Encryption may slow a hijacker’s efforts, but the risk remains: it may only delay a data leak.