
Can BGP anycast addressing be used for DDoS attacks?

The BGP anycast addressing technique could potentially be used for malicious purposes. Expert Judith Myerson explains how this might work and what types of attacks to look out for.

What is BGP anycast? Can it be used like BGP hijacking for malicious purposes, such as distributed denial-of-service attacks?

Anycast addressing uses a one-to-nearest association. Packets are routed from a single sender to the nearest node in a group of receiving nodes. To implement this addressing method, you need Border Gateway Protocol (BGP).

BGP anycast announces the destination IP address range for receiving nodes. All receiving nodes have the same destination address, and packets are sent to the nearest member.

It's common for large organizations to connect to two or more internet service providers (ISPs). The ISPs, in turn, connect to other network providers. In both instances, the network administrators need to ensure that BGP anycast has been configured properly. Proper BGP anycast configuration enables an operator, such as a certified network administrator, to use an intermediate router to hijack any packets to the nearest nodes. The main purpose of this legitimate hijacking is to improve traffic flows.

Improper configuration opens the network to hackers who can exploit BGP hijacks for malicious purposes, like distributed denial-of-service (DDoS) attacks. For example, a hacker can set up a rogue network host to advertise itself as an anycast server for a virtual network to block service. Blocking service is achieved by launching DDoS attacks against the nearest nodes. This could be done by redirecting a large amount of malicious traffic to the destination IP addresses. The hacker then has no control over which node is the nearest node.

To gain some control over the nodes in the receiving group, the hacker could choose to ping an anycast address to get the unicast address of the closest node, at least on IPv6. The hacker can then attack individual nodes, bypassing BGP anycast addressing methods.
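
A defender-side check for the rogue anycast advertisement described above, as an added example that is not part of the original article: it classifies observed announcements against an operator's list of authorized origins, following the valid / invalid / not-found logic of BGP route origin validation (RFC 6811). The prefixes, AS numbers and announcements are constructed from documentation ranges, and the allowlist format is an assumption.

```python
import ipaddress

# Constructed allowlist: who may originate each anycast prefix and the
# longest prefix length they are expected to announce (assumed values).
AUTHORIZED = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]

# Constructed announcements as (prefix, AS path), origin AS last in the path.
OBSERVED = [
    ("192.0.2.0/24", [64496, 64500]),      # expected anycast origin
    ("192.0.2.0/24", [64497, 64511]),      # same prefix, unexpected origin
    ("192.0.2.128/25", [64496, 64500]),    # more specific than authorized
    ("2001:db8:53::/48", [64498, 64500]),  # within the allowed length
    ("198.51.100.0/24", [64499, 64510]),   # not a prefix we track
]


def validate(prefix, as_path, authorized=AUTHORIZED):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for auth_prefix, max_len, asn in authorized:
        auth = ipaddress.ip_network(auth_prefix)
        # An entry covers the route if the route is equal to or inside it.
        if route.version != auth.version or not route.subnet_of(auth):
            continue
        covered = True
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched means someone unexpected is announcing our space.
    return "invalid" if covered else "not-found"


def suspicious(observed=OBSERVED):
    """Announcements that overlap an anycast prefix without authorization."""
    return [(p, path[-1]) for p, path in observed
            if validate(p, path) == "invalid"]


if __name__ == "__main__":
    for prefix, origin in suspicious():
        print(f"ALERT {prefix} originated by AS{origin}")
```

The more-specific /25 is flagged even though its origin AS is the authorized one, because a longer prefix than expected would win route selection over the legitimate anycast announcement.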


This was last published in May 2017
