What is BGP Hijacking?
A BGP hijack, or route hijack, is when an attacker disguises itself as another network; it announces network prefixes belonging to another network as if those prefixes are theirs. If this false information is accepted by neighboring networks and propagated further using BGP, it distorts the “roadmap” of the Internet. As a result, traffic is forwarded to the attacker instead of its legitimate destination.
This is sometimes due to simple carelessness, but it’s often done to intercept traffic (censorship, for example) and to cause denial-of-service attacks (e.g. shut down a website). By masquerading as another network, it’s possible to route traffic to the attacker’s network while the victim suffers an outage.
Returning to our routing-is-like-online-dating analogy, let’s say Juan is talking to Maria and things are going great. Then, seemingly out of nowhere, Juan can’t talk to Maria. Every time he tries to send her a message, it disappears. It turns out, Chad also likes Maria and has stolen and read all of Juan’s messages to Maria. Maria *might* get the messages eventually, but Chad got to read and/or alter them first.
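To make the mechanics behind a hijack concrete, here is a small added model in Python; it is an illustration written for this post, not code from MANRS or any router vendor. The AS numbers, prefixes and the "registry" dictionary are constructed (documentation prefixes and private ASNs), and the origin check is a simplified stand-in for real origin validation (it ignores details such as ROA maximum length). It shows two things: why a router that accepts a bogus announcement sends traffic to the wrong network, and why simply checking the announced origin against an expected holder stops it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str       # announced network, e.g. "203.0.113.0/24"
    origin_as: int    # AS number that claims to originate the prefix
    path: tuple       # AS path as seen by the receiving router


# Constructed registry of who legitimately holds which prefix (a stand-in
# for a ROA-style database). Assumption: AS64500 owns 203.0.113.0/24.
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500}

# Constructed announcements: the legitimate one, and one from AS64666 that
# claims part of the same address block as its own.
LEGIT = Announcement("203.0.113.0/24", 64500, (64500,))
HIJACK = Announcement("203.0.113.128/25", 64666, (64666,))


def origin_is_valid(announcement, registry):
    """Accept an announcement only if its origin AS matches the registered
    holder of a prefix that covers it. Unknown prefixes are treated as
    invalid in this simplified model."""
    net = ipaddress.ip_network(announcement.prefix)
    for prefix, asn in registry.items():
        if net.subnet_of(ipaddress.ip_network(prefix)):
            return announcement.origin_as == asn
    return False


def build_table(announcements, registry=None):
    """Build a routing table from announcements. With a registry, announcements
    that fail origin validation are dropped before they enter the table."""
    if registry is not None:
        announcements = [a for a in announcements if origin_is_valid(a, registry)]
    return {ipaddress.ip_network(a.prefix): a for a in announcements}


def lookup(table, dst_ip):
    """Longest-prefix match: the most specific covering prefix wins, which is
    why a bogus announcement for a smaller block captures the traffic."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [net for net in table if ip in net]
    if not candidates:
        return None
    return table[max(candidates, key=lambda net: net.prefixlen)]


def forwarding_as(announcements, dst_ip, registry=None):
    """Return the origin AS that traffic for dst_ip would be forwarded to,
    or None if no route covers it."""
    route = lookup(build_table(announcements, registry), dst_ip)
    return route.origin_as if route else None


if __name__ == "__main__":
    # Without validation, the bogus /25 wins for half of the victim's block.
    print("no validation  :", forwarding_as([LEGIT, HIJACK], "203.0.113.200"))
    # With origin validation the bogus route is never installed.
    print("with validation:", forwarding_as([LEGIT, HIJACK], "203.0.113.200", EXPECTED_ORIGIN))
```

The first call returns 64666 and the second 64500; the difference is entirely in whether the receiving router checked the origin before installing the route, which is the gap the "accepted by neighboring networks" sentence above describes.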
What is a BGP Leak?
Similar to a hijack is a BGP leak, or route leak. Many organizations connect to more than one network, or upstream provider, to increase reliability or performance, a practice called multihoming. A route leak happens when an organization accidentally announces to one upstream provider that it has a route to a destination through the other upstream provider, regardless of whether this is a desirable path.
This makes the organization’s network an unwitting middleman between the two upstream providers, with traffic being sent through its generally much smaller network. The end result is non-optimal routing, congestion, and potential non-delivery of traffic. While leaks are often inadvertent router misconfigurations that are noticed and fixed quickly, they can be done intentionally to divert traffic through another network to scan it or perform man-in-the-middle attacks (where an attacker secretly relays and alters the communication between a sender and receiver).
Back to Juan and Maria — Juan thinks he and Maria are in an exclusive relationship, but then Maria stops responding. Juan accidentally entered her number wrong and all of his messages were going to Chad instead. Oops.
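The leak described above comes down to an export policy, so here is an added Python model of that policy; it is illustrative code written for this post, not MANRS or vendor code, and the topology (our AS64510, two upstream providers AS64496 and AS64497, one customer AS64511) and the routes are constructed. It contrasts a router that re-announces everything it knows with one that applies the usual rule: routes learned from a provider are exported only to customers, never to another provider.

```python
from dataclasses import dataclass

OUR_AS = 64510  # constructed: the multihomed organization's own AS number

# Constructed: the role of each neighbor from our point of view.
NEIGHBOR_ROLE = {"AS64496": "provider", "AS64497": "provider", "AS64511": "customer"}


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str   # neighbor name, or "self" for our own prefixes
    as_path: tuple      # AS path as we received it


# Constructed routing table: our own prefix, one learned from provider
# AS64496, and one learned from our customer AS64511.
ROUTES = [
    Route("192.0.2.0/24", "self", (OUR_AS,)),
    Route("198.51.100.0/24", "AS64496", (64496, 64501)),
    Route("203.0.113.0/24", "AS64511", (64511,)),
]


def source_role(route):
    return "self" if route.learned_from == "self" else NEIGHBOR_ROLE[route.learned_from]


def export_to(routes, neighbor, filtered=True):
    """Return the routes we would announce to `neighbor`, with our AS prepended.

    filtered=False is the misconfiguration: everything in the table is
    re-announced, so a route learned from one provider leaks to the other.
    filtered=True applies the customer-cone rule: providers (and peers) only
    receive our own prefixes and our customers' prefixes; customers get all.
    """
    out = []
    for r in routes:
        if r.learned_from == neighbor:
            continue  # never announce a route back to where it came from
        if filtered and NEIGHBOR_ROLE[neighbor] != "customer" \
                and source_role(r) not in ("self", "customer"):
            continue  # provider-learned route must not go to a provider
        out.append(Route(r.prefix, r.learned_from, (OUR_AS,) + r.as_path))
    return out


def leaked_prefixes(routes, neighbor):
    """Prefixes that reach `neighbor` only because the export filter is missing."""
    unfiltered = {r.prefix for r in export_to(routes, neighbor, filtered=False)}
    filtered = {r.prefix for r in export_to(routes, neighbor, filtered=True)}
    return unfiltered - filtered


if __name__ == "__main__":
    print("leaked to AS64497:", leaked_prefixes(ROUTES, "AS64497"))
```

With the filter off, AS64497 would see 198.51.100.0/24 behind our AS and could start sending traffic for it through us, which is the "unwitting middleman" situation in the paragraph above; with the filter on, that prefix is never announced to a provider.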
What is IP address spoofing?
Back in Part 1 of this series, we learned that traffic is sent across the Internet in packets that contain a destination IP address (like a mailing address). Packets also contain a source IP address, which identifies the sender and enables replies from the recipient.
But it’s very easy to create and send an IP packet with a false, or spoofed, source IP address to hide the sender’s identity or to impersonate another computing system. It can be difficult for routers to check both destination and source IP addresses, so they often don’t bother and forward packets regardless.
This is the main cause of reflection Distributed Denial-of-Service (DDoS) attacks, where multiple DNS queries with spoofed source addresses might be sent from one network, targeting a host on another network so that it receives so many replies that the network shuts down.
Back to our favorite doomed couple … Maria’s been talking to “Juan” online. He tells her everything she wants to hear and seems like the perfect man. And then he scams her. Turns out it was Chad all along, pretending to be Juan.
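The check that routers "often don't bother" with is source address validation at the network edge, and it is simple enough to show in a few lines. The following is an added Python example written for this post (not MANRS or vendor code); the customer prefix and the packets are constructed, and the model is a single router interface that knows which addresses the customer behind it was assigned.

```python
import ipaddress
from collections import Counter

# Constructed: the address block assigned to the customer behind this interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample packets: (source IP, destination IP, description).
PACKETS = [
    ("192.0.2.10", "198.51.100.53", "DNS query from the customer's own address"),
    ("192.0.2.77", "203.0.113.5", "web request from the customer's own address"),
    ("203.0.113.9", "198.51.100.53", "source forged to look like another network"),
    ("10.0.0.1", "198.51.100.53", "source forged with a private address"),
]


def source_is_valid(src_ip, allowed=CUSTOMER_PREFIXES):
    """A packet arriving on a customer interface may only carry a source
    address from that customer's assigned prefixes."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowed)


def ingress_filter(packets, allowed=CUSTOMER_PREFIXES):
    """Split packets into those forwarded and those dropped at the edge."""
    forwarded, dropped = [], []
    for src, dst, note in packets:
        target = forwarded if source_is_valid(src, allowed) else dropped
        target.append((src, dst, note))
    return forwarded, dropped


def drop_summary(dropped):
    """Count dropped packets by the spoofed source they carried; a sudden
    spike here is a useful signal that something behind the interface is
    trying to spoof."""
    return Counter(src for src, _, _ in dropped)


if __name__ == "__main__":
    fwd, drop = ingress_filter(PACKETS)
    print("forwarded:", len(fwd), "dropped:", len(drop))
    for src, dst, note in drop:
        print(f"  dropped {src} -> {dst}: {note}")
```

Because the forged packets never leave the network they were created in, the host they name as the source never receives the unsolicited replies, which removes the ingredient the reflection attack in the paragraph above depends on.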
Most routing incidents fall into one of those three types. And that’s where Mutually Agreed Norms for Routing Security (MANRS) steps in. By setting a routing security baseline for all organizations operating networks on the Internet, we can work together to reduce the most common pitfalls. Tomorrow, in our final post of this series, we will talk about the MANRS Actions and what organizations can do to make the Internet safer for us all.