Psychz - Mahesh
Votes: 0 | Posted On: Sep 25, 2019 11:37:37
BGP hijacking, sometimes referred to as route hijacking, prefix hijacking, or IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting the Internet routing tables maintained using the Border Gateway Protocol (BGP). Before we look at how this is done, let us first understand what BGP (Border Gateway Protocol) is.
So what is BGP?
Border Gateway Protocol can be used by customers who need the ability to announce IP space in different locations and to withdraw an IP address or prefix at a moment's notice. BGP-speaking routers exchange routing information through a series of BGP updates. An originating BGP router announces an IP address prefix to its attached neighbors, which in turn propagate the information to other routers until some target router learns about the prefix and a route to reach the destinations in that prefix.
What is BGP prefix Hijacking?
There is no authentication mechanism in the BGP protocol to verify routes, which leads to a vulnerability where any BGP router can announce any prefix as if it owns that prefix, or even modify the route associated with a prefix. Most network operators configure BGP routers to develop a peering relationship with other Autonomous Systems for the purpose of exchanging routing information. However, they do not have control over who is allowed inside BGP. Also, the BGP protocol itself does not have the necessary mechanisms in place to authenticate prefix ownership (or the path to a specific prefix). A malicious entity may hijack the prefixes of other Autonomous Systems either by compromising a BGP-speaking router or by participating in global routing themselves. In some cases, BGP hijacks happen due to misconfigurations.
Now let us understand how BGP prefix hijacking is done
In a prefix hijacking attack, a BGP-speaking router announces a direct route to a prefix p that it does not own and is not authorized to announce. The neighboring BGP speakers either accept this route, replacing the current route they have for prefix p, or reject it during the route selection process. To better understand these attacks, consider the example shown in Figure-1. Here, router asn1 is announcing the prefix 27.1/19. The announcement propagates through the network and reaches router asn3, which installs a route for 27.1/19 and sets the next hop to asn2. Now suppose a malicious router asn4 wants to hijack 27.1/19; it simply announces a route for 27.1/19 to its neighbor asn3. Assuming asn3 has not set local policies for 27.1/19, asn3 will select the route for 27.1/19 based on the AS-PATH attribute. In this case, the route for 27.1/19 from asn1 has AS-PATH:, while the route for 27.1/19 from the adversary has AS-PATH:. Since the route from the adversary is shorter, router asn3 will select it and forward any traffic destined for the addresses covered by 27.1/19 to router asn4.
Ways to Monitor BGP Hijacking
When IP prefixes are hijacked, the connection might be redirected and the traffic discarded. In such a case, detecting the hijack is easy since the service becomes unavailable. But sometimes during the attack the data might be intercepted or modified, and detection is not so straightforward because the connection keeps working. BGP hijacking can still be detected, however, since the BGP AS_PATH attribute changes. Moreover, network traffic takes a different (non-optimal) path, which leads to degraded performance and increased round-trip time (RTT). Providers' Looking Glass (LG) servers or Route Views are great tools for discovering a change in routing paths.
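The route selection from the Figure-1 walkthrough and the AS_PATH-based detection described above, as an added Python model that is not part of the original post: asn3's table keeps the route with the shortest AS_PATH, so the hijacker's one-hop path displaces the legitimate two-hop path, and a check of the best route's origin AS against the registered owner (the comparison you would make against a Looking Glass or Route Views view) raises the alert. The AS_PATH values and the expanded prefix 27.1.0.0/19 are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple   # AS_PATH as received; the last element is the origin AS
    next_hop: str


@dataclass
class BgpTable:
    """Minimal model of one router's BGP table: the best route per prefix."""
    best: dict = field(default_factory=dict)

    def receive(self, route):
        """Best-path selection reduced to the AS_PATH-length step the post
        describes: a received route replaces the installed one only if its
        AS_PATH is shorter. Everything else (local preference etc.) is ignored."""
        current = self.best.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.best[route.prefix] = route
        return self.best[route.prefix]


def origin_as(route):
    return route.as_path[-1]


def detect_hijacks(table, registered_origin):
    """Flag prefixes whose best route originates from an AS other than the
    registered owner. Returns (prefix, expected origin, seen origin, AS_PATH)."""
    alerts = []
    for prefix, route in table.best.items():
        owner = registered_origin.get(prefix)
        if owner is not None and origin_as(route) != owner:
            alerts.append((prefix, owner, origin_as(route), route.as_path))
    return alerts


def simulate_figure_1():
    """asn3 first learns 27.1.0.0/19 via asn2 from asn1, then hears asn4's hijack."""
    asn3 = BgpTable()
    asn3.receive(Route("27.1.0.0/19", ("asn2", "asn1"), "asn2"))   # constructed legitimate path
    chosen = asn3.receive(Route("27.1.0.0/19", ("asn4",), "asn4"))  # constructed hijack
    return chosen, detect_hijacks(asn3, {"27.1.0.0/19": "asn1"})
```

Reversing the order of the two announcements gives the same result: the shorter path wins regardless of which arrived first, which is why a hijack does not need to race the legitimate announcement.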
Traceroute
The traceroute tool prints the route packets take to a destination host. Internally, traceroute sends a series of messages (commonly ICMP) with the IP TTL value set to the number of hops it wants to discover. Since the TTL expires at the target hop, the node at that hop responds with an error message. This way, traceroute can figure out the path to a destination.
Netstat
The netstat command-line utility can be used to print the IP forwarding table of a host. It can also print various useful information about a host's network activity, including the active connections for each protocol, packet statistics, and so forth. For more information about netstat and its options, check the man page (on any Linux machine): man netstat
Quagga
Quagga is a cross-platform routing software package which supports many routing protocols including RIP, RIPng, OSPFv2, OSPFv3, and BGP. Quagga can be installed on a general-purpose machine to turn it into a software-based router. Moreover, it provides a simple interface to set up static routing on a host. For this lab exercise, we are particularly interested in the BGP routing part of Quagga. Throughout the exercise, we assume Quagga is running on Ubuntu Linux.
Quagga stores its configuration files in the /etc/quagga/ directory, with a separate configuration file for each of the routing protocols it supports. For instance, the BGP routing configuration is stored in /etc/quagga/bgpd.conf. The configuration file /etc/quagga/daemons specifies which of the routing protocol daemons are enabled on the host (set a daemon to "yes" to enable that protocol). Quagga also supports a telnet interface for entering configuration commands in real time. For example, the BGP instance can be configured in real time by telnetting to localhost and specifying bgpd as the port (bgpd is an alias for port 2605).
A few basic BGP prefix hijacking prevention methods
Limit Maximum Prefixes
To avoid being flooded with BGP advertisements from a customer, we can control how many prefixes are accepted from a neighbor. Once the neighbor sends more prefixes than the configured limit, the session switches from Established to Idle (PfxCt).
Filter Default Route
Unless customers actually need a default route, they should block it. Sequence 10 denies the default prefix; all other routes are matched and permitted by sequence 20.
Limit AS_PATH in Announced Prefixes
We can limit the AS_PATH in announced prefixes using a BGP AS path filter. The regular expression ^$ in the access-list statement matches an empty AS_PATH, so only locally originated prefixes are sent to the ISP.
Announce Only Owned Prefixes
Now we create a prefix-list on the customer router that permits the announcement of only the assigned prefix 199.1.1.0/24. The list is applied outbound toward the ISP router, so no other prefixes are sent.
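The four controls above, as an added Python model (not the post's configuration or any router's code) that places each check on the side of the session where it belongs: the ISP's inbound policy enforces the maximum-prefix limit and drops a default route, while the customer's outbound policy lets out only locally originated routes (an empty AS_PATH, the ^$ match) for the assigned prefix 199.1.1.0/24. The prefix limit and the sample prefixes and AS numbers are constructed.

```python
from ipaddress import ip_network

OWNED_PREFIXES = {ip_network("199.1.1.0/24")}   # the assigned prefix from the post


class CustomerSession:
    """Inbound policy on the ISP side: maximum-prefix limit plus default-route filter."""

    def __init__(self, max_prefixes):
        self.max_prefixes = max_prefixes        # constructed limit, like 'maximum-prefix N'
        self.accepted = {}                      # prefix -> AS_PATH received from the customer
        self.state = "Established"

    def receive(self, prefix, as_path):
        if self.state != "Established":
            return "dropped: session is Idle (PfxCt)"
        net = ip_network(prefix)
        if net.prefixlen == 0:                  # seq 10: deny 0.0.0.0/0
            return "denied: default route"
        self.accepted[net] = tuple(as_path)     # seq 20: permit everything else
        if len(self.accepted) > self.max_prefixes:
            self.state = "Idle (PfxCt)"         # session torn down once the limit is breached
            self.accepted.clear()
            return "torn down: maximum-prefix exceeded"
        return "accepted"


def export_to_isp(local_rib):
    """Outbound policy on the customer side: AS path filter ^$ plus the owned prefix-list.
    local_rib maps prefix -> AS_PATH; an empty AS_PATH means the route is our own."""
    announced = []
    for prefix, as_path in local_rib.items():
        if as_path:                             # ^$ matches only an empty AS_PATH, so
            continue                            # routes learned from elsewhere are not leaked
        if ip_network(prefix) not in OWNED_PREFIXES:
            continue                            # prefix-list permits only 199.1.1.0/24
        announced.append(prefix)
    return announced
```

Note that the prefix-list check is an exact match: a more specific 199.1.1.0/25 would be held back too, which is the behaviour you want so that the customer cannot accidentally originate a more-specific that attracts its own traffic elsewhere.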