Two weeks ago, we learned about yet another routing security incident, namely the hijack of BGP routes to the Amazon DNS infrastructure, used as a stepping stone to steal about $150,000 of Ethereum cryptocurrency from MyEtherWallet.com. We’ve been talking a lot lately about BGP hijacking, digging into the details of what happened in this post. But maybe we need to back up a minute and answer: What in the world is BGP hijacking, anyway, and why does it matter? Here, we’ll explain the basics and how network operators and Internet Exchange Points can join MANRS to help solve the problem.
What is BGP?
BGP, or Border Gateway Protocol, is used to direct traffic across the Internet. Networks use BGP to exchange “reachability information” – networks they know how to get to. Any network that is connected to the Internet eventually relies on BGP to reach other networks.
What is BGP Hijacking?
In short, BGP hijacking is when an attacker disguises itself as another network; it announces network prefixes belonging to another network as if those prefixes are theirs. If this false information is accepted by neighboring networks and propagated further using BGP, it distorts the “roadmap” of the Internet. As a result, traffic is forwarded to the attacker instead of its legitimate destination, causing Denial of Service (DoS) attacks or traffic interception. For example, in the MyEtherWallet attack, traffic went to the attacker instead of to Amazon.
Why Does BGP Hijacking Matter?
BGP hijacking may be the result of a configuration mistake or a malicious act; in either case it is an attack on the common routing system that we all use. In the MyEtherWallet case, the hijacking event caused lost revenue for Ethereum cryptocurrency users. In other cases, BGP hijackings have blocked access to whole countries or derailed Web resources for thousands of people.
Why Does This Happen?
There are more than 60,000 core networks across the Internet. Routers use BGP to exchange reachability information, and each router builds a “routing table” and picks the best route to send a packet of information, typically based on the shortest path. Hopping router to router, the originating network eventually learns it can reach its destination by sending traffic through a set of intermediary networks.
The problem is, BGP was created long before security was a major concern. BGP assumes that all networks are trustworthy. Technically, there are no built-in security mechanisms to validate that routes are legitimate. In addition, networks are scattered across the globe making the chain of trust difficult to trace, and even if you’re trying to validate information, there’s a lack of reliable resource data.
What Do We Do About It?
Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. No operator can secure their own network entirely by themselves. Routing security depends on the actions of other networks, and every network should help secure the global routing system as a whole.
That’s where the Mutually Agreed Norms for Routing Security (MANRS) comes in. MANRS is a community initiative of network operators and Internet Exchange Points (IXPs) that creates a baseline of security expectations for routing security. MANRS calls for simple, but concrete actions that will reduce the most common routing threats, including BGP hijacking.
The first MANRS action is filtering, which prevents the propagation of incorrect routing information. If most network operators and IXPs implement the MANRS actions – including filtering – BGP hijacking events would not propagate across the Internet, and we could avoid outages, traffic inspection, and DoS attacks.
Other MANRS actions include anti-spoofing, global validation, coordination, MANRS promotion, and monitoring and debugging tools.
How Do I Get Started?
- Read about the MANRS actions for network operators and/or the MANRS actions for IXPs.
- Take the six MANRS tutorials to learn about how to implement the actions. This module on filtering is particularly relevant to BGP hijacking.
- Implement the appropriate actions for your network.
- Join the MANRS community of security-minded organizations working to raise the bar on routing security.