Border Gateway Protocol (BGP), the protocol that connects different networks together, was not designed with security in mind. It is easy to take down portions of the Internet by announcing illegitimate routes to those parts (referred to as route hijacking). A classic example of this attack is a widely popularized incident a few years ago by a Pakistani service provider. The Pakistan government wanted to block YouTube internally. The service providers there injected a BGP route for YouTube and directed YouTube traffic to nowhere. This route somehow leaked outside of Pakistan, and was carried by many service providers across the Internet. This resulted, in effect, in YouTube’s removal from the Internet.
These incidents, many not as high-profile as the YouTube incident, are routine and go back as far as I can remember. The first incident I am aware of is a dial-up Internet provider in Florida taking down the MIT network in the pre-1994, non-commercial era Internet. Early on, these incidents were results of honest configuration mistakes or fat fingering of wrong BGP configuration knobs.
As we all know, the days of Internet innocence are over, and BGP is now under constant – and more importantly – malicious attack. Spammers have long announced unallocated BGP routes before sending their spam and then withdraw them in order to escape detection. For example, by order of the Turkish government, Turkish service providers hijacked Google’s DNS servers in order to block social media sites.
Lately, we are seeing a new kind of BGP route hijack attack: a man-in-the-middle attack. This attack creates an opportunity for sensitive traffic to be sniffed out before being forwarded to its final destination. Back in early 2000, 15% of the Internet traffic was diverted to China before being sent to its final destination. Just last year, all traffic between Europe and North America was rerouted through a service provider in Iceland; probably carefully crafted so that performance degradation due to additional delay was unnoticeable.
These attacks are easy to do if you have access to BGP routers. For example, Packet Design has such routers and has two BGP upstream service providers that we pay for transit. Both of these service providers pass full Internet routing tables to our routers and accept our BGP announcements (all legitimate prefixes registered as part of our autonomous system AS22526). However, we could easily pass a route we learned from one of our providers to the other provider. If we could make this route more preferred by our second provider, then the traffic from that provider would flow through Packet Design, then to our first provider, then to its ultimate destination. We would become the man-in-the-middle. Making this route more preferred is not too hard either. Many service providers prefer routes from their customers to routes from their peers anyway, or by announcing more specific routes, or with shortest AS paths, etc.
What is worrisome is that malicious attacks are becoming more widespread. The graph below (courtesy of Andrei Robachevsky of the Internet Society) shows malicious BGP incidents in yellow, orange and red. They develop this graph by monitoring anomalous-looking BGP announcements and contacting the victim (and the source when possible) to verify whether the incident was accidental, or malicious. There are a few malicious attacks every month.
In my next post, I’ll discuss efforts to fix this BGP vulnerability and how software defined networking can help spur adoption of these efforts.