If you haven’t noticed, the Internet is a rather big place. This is a good thing because it means that there is plenty of stuff on there for wasting time at work, but it also means that it’s really hard to find exactly what you came looking for. Worse, the path from point A to point B keeps changing as links go up and down and you move from home Wi-Fi to a coffee shop.
As a result, computers don’t even try to store a map of how to reach any other computer on the Internet. Instead, they use a protocol called the Border Gateway Protocol (BGP) to find routes to anywhere that you want to go. This approach has its pros and cons. For one, it works (which is a major pro). However, it can also be abused. Ironically, not all “abuses” are bad. On the one hand, it’s been used for eavesdropping on people’s traffic, but, on the other, BGP hijacking is also a key component in advanced DDoS protection solutions.
Classified Ad: Packet Sender Seeking Recipient
Before getting into the details of how BGP can be abused, let’s start with a brief description of how it works. BGP works a lot like using referrals to find someone with a particular skill set. For example, you may want to meet with a certain person to close a business deal, but you know that you won’t ever get in the door without being introduced by someone that they know and trust. You mention the fact to a friend of yours, who has a friend who knows that person. By going through your friend and their friend, you’re in the door.
BGP works very similarly. When computer A wants to talk to computer B and has no route to it, it sends out a request for a known route. Eventually, computer A’s request will reach an Autonomous System (AS), which keeps lists of routes to certain areas of the Internet. That AS will be able to reply telling computer A where to route its packet so that it reaches computer B.
But how does this AS get the routing information? By talking to other ASs on the Internet. Each AS takes responsibility for a section of the Internet that it knows how to route packets to efficiently. Each one advertises the sections it knows, and other ASs update their own routing tables based on these advertisements.
The big issue with BGP is that there is no check of the validity of these advertisements. A malicious (or confused) AS can advertise false routes to other ASs. When a computer wants to send a packet to a certain computer, it uses the shortest, most specific route available with no error checking. This ability to advertise false routes is what makes BGP hijacking possible.
Go This Way!
With hackers, if a protocol is breakable in a useful way, they’re probably going to try to misuse it. The lack of security and validation in the BGP protocol is very useful to hackers since it allows them to route the traffic of unsuspecting senders and recipients through computers under their control. Depending on the encryption and data authentication protections used, this may allow them to view and modify the traffic and certainly allows them to block it.
One example of abusing BGP to reroute traffic is China, which rerouted significant chunks of global Internet traffic through its servers between 2010 and 2017. In one instance, in 2010, Chinese telecom providers used BGP hijacking to route 18% of all Internet traffic through their systems for eighteen minutes. This is believed to have been a test of their capabilities, and it certainly wasn’t the last time that it occurred.
Research also shows that China isn’t the only one performing these attacks. In December 2017, traffic from tech giants like Apple, Facebook, Google, and Microsoft took the long way around through Russia before continuing on to its intended destination. These attacks demonstrate the power and potential of BGP hijacking. All unencrypted traffic that is hijacked can be viewed and monitored. Even if traffic is encrypted, this rerouting could allow high-level data collection about the fact that communications exist between different parties.
The Ends Justify the Means
Not all BGP hijacking “attacks” are bad though. One benign use for BGP hijacking is to ensure that traffic intended for a certain organization passes through cybersecurity protections before continuing on to its destination.
This is extremely useful for providers of advanced DDoS protection systems. By advertising specific routes to the sections of the Internet used by their clients, DDoS protection providers can ensure that all traffic intended for their clients first passes through DDoS monitors and scrubbers. This allows them to efficiently detect and remove attack traffic with little or no impact on their clients’ infrastructure, providing world-class protection against DDoS attacks.
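As an added example (not code from the article), the Python below simulates the route-selection rule described above, where the most specific matching prefix wins, and shows how a simple origin-authorisation list lets a network drop an unauthorised more-specific announcement while still accepting the one from an authorised DDoS scrubbing provider. The prefixes, AS numbers and the authorisation list are all constructed, and the origin-validation step is an assumption for this example rather than something the article describes.

```python
import ipaddress

# Constructed sample announcements as (prefix, origin AS, AS-path length).
# Prefixes and AS numbers are documentation/private-range values, not real ones.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500, 3),   # legitimate owner announces its whole /24
    ("203.0.113.0/25", 64666, 2),   # more-specific announcement from an unrelated AS
    ("198.51.100.0/24", 64501, 4),  # unrelated prefix
]
SCRUBBER = ("203.0.113.0/25", 64502, 2)  # DDoS scrubbing provider's more-specific

# Constructed origin-authorisation list: (covering prefix, permitted origin AS,
# most specific length permitted). Assumed for this example, not from the article.
AUTHORISED = [
    ("203.0.113.0/24", 64500, 24),  # owner may announce the /24 only
    ("203.0.113.0/24", 64502, 25),  # scrubbing provider may announce down to /25
    ("198.51.100.0/24", 64501, 24),
]

def select_route(dst, announcements):
    """Route a BGP speaker would use for dst: longest matching prefix wins,
    ties broken by the shorter AS path. Returns (prefix, origin AS) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin, path_len in announcements:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -path_len)
            if best is None or key > best[0]:
                best = (key, prefix, origin)
    return None if best is None else (best[1], best[2])

def origin_valid(prefix, origin, authorised):
    """True if an authorisation covers the prefix, names this origin AS and
    permits this prefix length; anything else is rejected."""
    net = ipaddress.ip_network(prefix)
    for auth_prefix, auth_origin, max_len in authorised:
        if (net.subnet_of(ipaddress.ip_network(auth_prefix))
                and origin == auth_origin and net.prefixlen <= max_len):
            return True
    return False

def filtered(announcements, authorised):
    """Drop announcements that fail origin validation before route selection."""
    return [a for a in announcements if origin_valid(a[0], a[1], authorised)]
```

Without filtering, `select_route("203.0.113.10", ANNOUNCEMENTS)` picks the /25 from AS64666 because it is more specific; after `filtered(...)` the owner's /24 wins again, and adding `SCRUBBER` to the announcements yields the authorised /25 from AS64502.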
BGP Use and Abuse
The Border Gateway Protocol (BGP) is designed to allow computers to find efficient routes for sending traffic across the Internet. However, it was designed without any security protections, meaning that malicious actors can advertise fake routes and redirect hijacked traffic through routes under their control.
This ability to hijack BGP can be used for both good and evil. China and Russia have demonstrated the ability and willingness to reroute traffic through their systems on a large scale (15% of all traffic during a test nine years ago), which is useful for intelligence gathering. However, the flaws in the BGP protocol are also used for good purposes, allowing DDoS protection providers to block attacks with minimal modifications to and impact on their clients’ systems.