The Border Gateway Protocol (BGP)
BGP is the default routing protocol implemented by routers in order to communicate with one another, therefore enabling data routing on the Internet. There are mechanisms in place to gather information about what is the most efficient and fastest route for data to travel in order for it to arrive at its correct destination. A simplified overview of BGP routing illustrates that when a choice is made about which route should be taken to deliver information between multiple networks, it considers a vast array of criteria within its complex selection algorithm. Since the structure of the Internet is widely complex, each Autonomous System (AS) is responsible for determining the route of data and ultimately, Internet Service Providers (ISPs) are responsible for these autonomous systems.
The Border Gateway Protocol (BGP) was originally designed with very little consideration of the security and protection of the information in which it carries. This system is overall, based largely on trust, in which enterprises believe that their ISPs are choosing the safest and most efficient path for their data. The challenge however, is that BGP lacks directly implemented security mechanisms and that there an overarching number of service providers that have yet to offer BGP protection and security.
This leads to a problem commonly known as “BGP Hijacking”, in which disruptions can take place and traffic can be rerouted through illegitimate and malicious routes, ending up at unintended destinations. Cloudflare mentioned an incident in their article in which a group of malicious adversaries deliberately created bad BGP routes in order to redirect traffic that was originally meant for Amazon’s DNS service which resulted in over $100,000 of stolen cryptocurrency.
The problem of BGP security is one that has yet to be fully addressed and resolved publicly still to this day. There have been drafts of standards and mutual agreements however, that have strived to shed light on these current issues. Often when we think about a solution to this ongoing problem, we need one that can support secure and private communication between networks and be able to enforce identity assertion and management. In more recent years, the US National Institute of Standards and Technology (NIST) published information regarding a security standard that will help to secure the Border Gateway Protocol (BGP).
In general, the standard outlines the use and implementation of cryptographic methods in order to ensure that data routing travels within only authorized and legitimate paths between autonomous systems and networks. More specifically, the main components of their proposal include what’s known as a Resource Public Key Infrastructure (RPKI) which provides a way for ISPs to validate what networks can announce a direct path to their set of internet addresses. Additionally, their standard would make use of BGP Route Origin Validation (ROV) which helps to determine what may be malicious route announcements, thus lowering potential BGP hijacking incidents.
The Future of BGP Security
The future of BGP is certainly hopeful as there are several proposals and global initiatives such as MANRS (Mutually Agreed Norms for Routing Security) being encouraged and supported by several institutions such as NIST and the Internet Society. These outline critical issues and potential solutions for mitigating these threats to our data. With that said, there are other problems at hand which are currently preventing from fully protecting against these BGP hijacking incidents. In order to help BGP become more secure overall, simultaneous effort and enforcement from various Internet Service Providers are required. Furthermore, a community approach from ISPs to follow correct policies, collaboration and coordination are essential.
The Enterprise Role
Though, this is certainly an aspect that needs to change, there are some things your organization can do to help your enterprise become more secure in the wake of this problem. The first and foremost is to raise awareness and insist your service provider practice proper security with regards to BGP—there are websites that can tell you whether or not they are doing so. IP prefix filtering is also a mechanism that though, is difficult to completely enforce, can help to only accept certain IP prefixes and declaring your enterprise IP prefixes to a whitelist of certain networks, thus preventing from accepting illegitimate routes for your data. Lastly, attempting to detect this malicious hijacking activity may help to mitigate the impact of these threats by determining if you’re experiencing latency or network performance problems and if traffic is being misdirected.
Packetlabs can help
Though this seems like a problem in which there aren’t a whole plethora of solutions for, there are many other mechanisms your company can leverage to enhance security measures and minimize the number of attack vectors against your organizational assets that people often disregard or fail to implement, opening up even more problems and threats. Nevertheless, there are several recommendations of best practices we as a penetration testing team can help to reinforce the confidence you have in your enterprise’s security. If you have any questions, please feel free to contact us today.