By Deepak Gupta
Border Gateway Protocol (BGP) Hijacking is one of the many famous attacks hackers deploy to interfere with content delivery networks (CDNs). Hackers may also be capable of interfering with cloud hosting providers. Recently, almost all major cloud service providers like Google, Amazon, and GoDaddy have become victims of BGP Hijacking.
How Does a BGP Function?
Before getting into the depth of how BGP hijacking occurs, it is important to delve into BGP. BGP is essentially a routing protocol that can connect several networks. This congregation of networks is known as an Autonomous System (AS). A routing protocol is used to transfer information or data packets across several networks.
Typically, an AS consists of ISP providers, large tech enterprises, or in some cases, networks that belong to governments. Every AS receives a unique number responsible for controlling a specific set of IP ranges or spaces known as prefixes. Every AS displays the list of IP addresses they control and possible pathways to neighboring routers or Peers during data packet routing.
The information regarding the peers and the IPs in control are stored in routing tables and frequently change when new networks and shorter pathways appear.
The Anatomy of a BGP Hijacking
The primary consequence of BGP hijacking is that hackers can reroute information traveling through a network to different locations. They can do so using the following steps:
The first step is to send out an announcement of new BGP routes. This announcement will only be believable if it is announced by a legitimate AS. The bad actor will use a compromised AS to do so. The route announcement usually involves releasing a table of all the available prefixes or IP ranges. If all goes well, they will announce new BGP routes to their global network peers.
The IP addresses chosen for display are more specific in comparison to legitimate IP addresses. In most cases, hackers employ unused prefixes, or IP ranges present on real and legitimate AS networks. This can help to improve the chances of concealing the hackers’ identity drastically.
The information pathway is only intercepted if the hackers can prove that the new route is shorter. The more efficient they show their network to be, the more information will be intercepted.
Crafting the Right Response Plan
BGP hijacking is one of the more prevalent cyberattacks currently. In fact, in April 2018, attackers infiltrated Amazon Route 53. They then went on to reroute 1,300 addresses hoping to steal cryptocurrency. The hackers were able to avoid suspicion by acting as a cryptocurrency website known as MyEtherWallet.com. They subsequently stole around $150,000 in cryptocurrency from end-users. Therefore, companies, both big and small, require a response plan to incapacitate the attacker.
A typical incident response attack after a BGP hijacking takes place can be far from easy. This is because of how hackers can conceal themselves. However, in most cases, companies carry out a three-step incident response plan.
These steps include detection, containment, and eradication. Of these, the containment step is especially challenging, given that route announcements can take place rapidly.
Preventing BGP Hijacking
To prevent this cyberattack, companies will have to either rely on the measures put forward by their ISP or implement their security measures. The latter has to take place if the company owns the AS network.
Companies that depend on the security measures put forward by their ISPs will have to constantly contact the providers to ensure that the vulnerabilities within the network are eradicated.
In the second case, an organization should consider carrying out the following steps:
- Create a peering policy that can help peers to determine the legitimacy of the IP addresses. A company has a choice between an open peering policy and a selective one depending on its needs from its network.
- MANRS (Mutually Agreed Norms for Routing Security) is a collection of best practices organizations can utilize to protect their networks from BGP hijacking. Therefore, it is important to incorporate this in the security measures.
- Restrict the number of prefixes or IP ranges displayed by an AS network to limit the number of announcements being made.
- Implement authentication checkpoints through which an operator has to go through before accepting an announcement.
In addition to this, organizations also turn to route filtering, real-time BGP update checks and more to ensure that hackers cannot hijack the network. However, an automated response tool is the most impressive and accurate security measure that an organization can invest in. This tool will work as both a detector and mitigation tool to help prevent hijacking.
Although there has been a rise in cases of BGP hijacking in the past few years, organizations today are more equipped to handle it with the drastic enhancement of security options.