Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.




BGP Route Hijacking – An Overview


BGP is the mechanism by which autonomous networks exchange “reachability” information with each other. A network with an assigned or allocated prefix of addresses “advertises” the block of addresses to a neighboring BGP-speaking router; this is known as BGP peering. There is little hiding what BGP peering networks announce to each other. When two networks are reasonably small, and their assigned prefixes are limited and well known, enforcement of announcements (or at least observation of changes) can be managed by a capable peer.

A BGP route hijack typically occurs when one network falsely advertises reachability for a set of addresses. While not specific to BGP, a similar form of network hijacking can occur when a network forwards traffic it receives for a set of prefixes through, or to, a path that either of the original communicating ends doesn’t expect (and likely wouldn’t approve of).

Problems like this arise with scale, combined with widely different operating practices among the world’s BGP-speaking networks. As network interconnection increases, and the path packets travel must traverse multiple interconnected BGP-speaking networks, enforcement of route announcements and definitive knowledge about what each network is doing are beyond your control. This is an age-old problem that is not even specific to technology.

So how do you solve this problem? You don’t. You can only minimize it and be as well prepared as you can be to mitigate it when you discover it is occurring – if you can even know it is occurring. Now, there are some best practices, and there is a great deal of work currently being done to help address these problems, but they are either incomplete or so far out of reach for widespread deployment as to be of little practical help today.

Having said all that, we do have a few free tools that can help:

Templates for BGP configuration

BGP Monitoring

Bogons via BGP

These, among many other tools, are part of our free community services.
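To make the monitoring idea concrete, here is an added example (not Team Cymru's code and not part of the services listed above) of the basic check a monitor can run on observed announcements: compare each announced prefix and its origin AS against the prefixes a network expects to originate. The prefixes and AS numbers are constructed from documentation ranges, and `EXPECTED`, `OBSERVED`, `classify` and `alerts` are hypothetical names.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 5737, RFC 3849) and
# documentation AS numbers (RFC 5398). EXPECTED is an assumption standing in
# for the prefixes a network knows it originates.
EXPECTED = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("2001:db8::/32"): 64496,
}

def classify(prefix, as_path, expected=EXPECTED):
    """Return (verdict, expected_prefix) for one observed announcement."""
    if not as_path:
        raise ValueError("empty AS path")
    seen = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # last AS in the path; prepending does not change it
    for mine, my_as in expected.items():
        if seen.version != mine.version:
            continue  # subnet_of() raises TypeError across address families
        if seen == mine:
            return ("ok" if origin == my_as else "origin-mismatch", str(mine))
        if seen.subnet_of(mine):
            # Longest-prefix match means a more-specific draws traffic even
            # while the expected covering route is still being announced.
            kind = "own" if origin == my_as else "foreign"
            return ("more-specific-" + kind, str(mine))
    return ("unrelated", None)

# Constructed observations: (prefix, AS path as seen by the observer).
OBSERVED = [
    ("192.0.2.0/24", [64500, 64496, 64496]),  # expected route, origin prepended
    ("192.0.2.0/24", [64500, 64511]),         # same prefix, different origin
    ("192.0.2.128/25", [64500, 64511]),       # more-specific from another AS
    ("2001:db8:1::/48", [64500, 64496]),      # unexpected de-aggregation, own AS
    ("203.0.113.0/24", [64500, 64499]),       # address space that is not ours
]

def alerts(observed=OBSERVED):
    """Keep only the announcements an operator should review."""
    out = []
    for prefix, path in observed:
        verdict, mine = classify(prefix, path)
        if verdict not in ("ok", "unrelated"):
            out.append((prefix, path[-1], verdict, mine))
    return out

if __name__ == "__main__":
    for a in alerts():
        print(a)
```

A check like this only sees what the observer's vantage point receives, so announcements that never reach that feed go unnoticed.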

It may be useful to ask yourself: why are route hijacks not a regular, recurring, widespread problem? Part of the reason is that route hijacks are often eventually detected and widely publicized in the network community, often serving as a self-enforcing mechanism for network operators everywhere. Another reason is simply that BGP routing functionality is not available to just anyone on the Internet. Notwithstanding cracked routers, those with the means to conduct BGP route hijacks are limited to a relatively small number of individuals, most of whom are fine, trustworthy and capable people.

Photo credit: “Flight tracking interface from the Net” by Daniel Rehn, used under Creative Commons license 2.0.