
How can BGP hijacking be detected and prevented?

What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these risks.

I read that through Border Gateway Protocol hijacking, an attacker can issue himself a legitimate TLS certificate from a legitimate certificate authority. How can BGP hijacking be prevented, and is there any way for enterprises to detect this threat?

Every device connected to the internet is assigned a unique Internet Protocol address, which identifies it and locates it on the network. When two devices communicate over the internet, their data packets are passed from one router to another until they reach the destination IP address. Routers use routing tables to decide where to send each packet next, and the Border Gateway Protocol (BGP) is the de facto protocol for exchanging routing information between autonomous systems (ASes). Individual IP addresses are grouped into prefixes, and a collection of IP prefixes operated by the same entity is referred to as an AS. Sprint, Verizon and AT&T, for example, each run their own AS, identified by a unique autonomous system number (ASN) assigned by the Internet Assigned Numbers Authority.

Other protocols such as TCP and UDP are used to transfer data, but it's BGP that keeps routing tables up to date and determines the path along which data travels from its source to its destination. BGP hijacking, also referred to as IP hijacking, prefix hijacking or route hijacking, is when incorrect routing information sends internet traffic to the wrong destination. BGP hijacking is possible because routing announcements are accepted almost without any validation, and it can happen deliberately or by accident -- an accidental IP hijack is sometimes referred to as an IP leak. There are a few thousand prefixes leaked on the internet at any one time as a result of human error, such as a border router misconfiguration leading to unexpected routing paths. A recent incident detected by BGPmon affected thousands of networks in India.

Malicious internet-level BGP hijacking isn't usually considered a significant risk as it's difficult to execute, but cybercriminals and governments have pulled off BGP hijacking attacks. An attacker, possibly a malicious AS operator, would need to configure an edge router to announce prefixes that have not been assigned to it. By broadcasting false prefix announcements, the compromised router may poison other routers and thus propagate the malicious routing information to other ASes across the Internet. This enables the attacker to effectively steal the prefixes and intercept traffic to inspect, alter or simply blackhole it. BGP hijacking can also be used as a denial-of-service weapon or for spamming.

These attacks are difficult to prevent because BGP itself has no means of verifying the accuracy of routing information. Enterprises cannot mitigate them on their own; doing so requires the collective cooperation of the entire internet. ISPs, for example, should all filter BGP prefix announcements before passing them on to others, so that only valid IP space is propagated, but many don't. Constantly analyzing AS paths is not easy to do efficiently or effectively, so enterprises should consider monitoring services such as BGPmon by OpenDNS or Radar by Qrator and Dyn, which can notify network administrators of unusual changes to the routing of their prefixes.

To resolve the underlying problem of BGP -- implicit trust among ASes -- the Internet Engineering Task Force is working on BGPsec (Border Gateway Protocol Security), an extension to BGP that provides improved security for BGP routing. To address the lack of validation of BGP routing data, a specialized public key infrastructure framework called resource public key infrastructure (RPKI) will provide a way to cryptographically bind ASes to IP address blocks, while Route Origin Authorizations (ROAs) will let the holders of IP address space authorize only designated ASes to originate prefix announcements for their addresses. Routers can then validate whether a received route actually originated from an AS authorized to announce it. RPKI is still a draft and not widely deployed yet, but once it is, IP hijacking will become a lot easier to detect and mitigate.
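The following Python snippet is an added example, not code from the article or from any router vendor or monitoring service: it applies the ROA-based origin check described above (the RFC 6811 Valid / Invalid / NotFound outcome) to a constructed set of ROAs and observed announcements, and shows how a prefix monitor of the kind mentioned earlier would flag an announcement from an unauthorized origin or one that is more specific than the ROA permits. The ROA contents, the announcements, and all function names are assumptions; the prefixes and ASNs come from the documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` allows `asn`
    to originate it and any more-specific down to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs (documentation prefixes, documentation ASNs); assumption.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),     # the exact /24 only
    ROA("198.51.100.0/22", 24, 64496),  # the /22 and more-specifics to /24
    ROA("2001:db8::/32", 48, 64497),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route Origin Validation outcome for one announcement (RFC 6811)."""
    announced = ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the announcement when its prefix contains it.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA speaks for this address space at all
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin or too specific


# Constructed announcements, as a route collector feed might report them.
OBSERVED = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64496),   # right AS, but beyond the ROA's maxLength
    ("198.51.100.0/24", 64511),  # origin AS not authorized by any ROA
    ("2001:db8::/48", 64497),
    ("203.0.113.0/24", 64498),   # no ROA exists, so RPKI cannot judge it
]


def find_suspect_announcements(observed=OBSERVED, roas=ROAS):
    """Return (prefix, origin_asn, state) tuples a monitor should alert on."""
    checked = [(p, a, validate(p, a, roas)) for p, a in observed]
    return [entry for entry in checked if entry[2] == "Invalid"]
```

Announcements that come back NotFound are the gap the article points at: until ROAs exist for a prefix, neither a router nor a monitor can tell a hijack from a legitimate origin change.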


This was last published in April 2016
