Internet | 26.06.2017

How to stop BGP hijacking


Network traffic meant for Visa, Mastercard, Symantec, Verisign, and Internet Solutions was recently hijacked by state-owned Russian operator Rostelecom.

This is not the first such incident: in 2013, Internet Solutions’ (IS) ADSL network was wiped off the Internet when a local operator hijacked its address space.

Such hijacking is often inadvertent and due to human errors in border gateway protocol (BGP) configurations.

Among the steps IS has taken to prevent its network prefix from being hijacked again is using the RIPE database to enforce route exchange policy with its upstream peers.

“We use different tools to proactively monitor for these occurrences and adjust our responses according to the attack vector,” said IS.

How BGP hijacking works

Computer networking expert Simeon Miteff said that BGP hijacking is easy, provided the attacker participates in the BGP routing game.

A hijack can be done by exploiting the standardised BGP route selection algorithm that runs on Internet routers.

“If someone else advertises your route, theirs will win out in all parts of the Internet that are closer to them, in terms of BGP hops,” said Miteff.

A more severe attack is to advertise more specific routes than the victim by subdividing their network prefix, or range of IP addresses.

For example, a prefix like 196.32.0.0/21, which contains 2,048 addresses, could be advertised as two /22 prefixes of 1,024 addresses each.

This is also how a service provider like IS might mitigate an attack.

First, you must monitor BGP. From there, you can deaggregate your prefixes into the most specific sub-prefixes that people’s BGP filters typically accept, which is usually /24.

“Then get on the phone and try to get the hijacker shut down.”

A better way

Miteff said any BGP admin worth their salt aims to protect their network, and their BGP customers, from receiving hijacked prefixes.

There are different methods for doing this, with varying levels of sophistication.

A poor way is to use static filter rules. These are manually maintained lists of prefixes that you expect to receive from neighbours.

These are generally updated by the exchange of emails and phone calls between the BGP admins of ISPs, who know each other by name.

“This is what the local guys tend to do and it’s slow and error-prone,” said Miteff.

“It’s also only feasible to apply to peers and customers, but not really to your transit provider, because they’ll send you all the routes on the Internet and this changes continuously.”

Best practice is to do it the way IS does: use a central, trusted database from an Internet Routing Registry (IRR), such as RIPE’s.
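The two mechanisms described above, more-specific prefixes winning route selection and IRR-based filtering of what a neighbour may announce, as an added example that is not part of the article or of any operator’s tooling. The AS numbers, the 196.32.0.0/21 sub-prefixes beyond the one the article names, and the route-object format are constructed for illustration; the filter is a simplified model of a prefix-list with an origin AS and a maximum length, not a real IRR query.

```python
import ipaddress
from typing import List, Optional, Tuple


def deaggregate(prefix: str, new_len: int) -> List[str]:
    """Split a prefix into all sub-prefixes of length new_len (e.g. /21 -> /22)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [str(sub) for sub in net.subnets(new_prefix=new_len)]


def best_route(table: List[Tuple[str, int]], dest: str) -> Optional[Tuple[str, int]]:
    """Longest-prefix match: the most specific announced prefix covering dest wins,
    regardless of which AS originated it. This is why a /22 hijack beats the
    victim's own /21, and why the victim deaggregating to /24 wins it back."""
    addr = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in table
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda entry: entry[0].prefixlen)
    return str(net), asn


def irr_filter(announcements: List[Tuple[str, int]],
               route_objects: List[Tuple[str, int, int]]) -> List[Tuple[str, int]]:
    """Accept an announcement only if a registered route object (prefix, origin AS,
    max length) covers it with the same origin AS and the announced prefix is no
    longer than max length. Anything else is dropped, so a hijacker's more-specific
    announcement from a foreign AS never enters the routing table."""
    accepted = []
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        ok = any(net.subnet_of(ipaddress.ip_network(p)) and asn == origin
                 and net.prefixlen <= max_len
                 for p, origin, max_len in route_objects)
        if ok:
            accepted.append((prefix, asn))
    return accepted


if __name__ == "__main__":
    # Constructed scenario: AS65001 owns the /21; AS65002 hijacks half of it with a /22.
    table = [("196.32.0.0/21", 65001), ("196.32.0.0/22", 65002)]
    print("hijacked:", best_route(table, "196.32.1.1"))
    table += [(p, 65001) for p in deaggregate("196.32.0.0/21", 24)]
    print("after /24 deaggregation:", best_route(table, "196.32.1.1"))
    objects = [("196.32.0.0/21", 65001, 24)]
    print("IRR-filtered:", irr_filter(table, objects))
```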

The awesome way is to use the sparsely-deployed capability in routers to cryptographically verify signed BGP updates, said Miteff.

“This is similar to the IRR approach because it requires a PKI-based hierarchy, but it just implements the filtering in a smarter and more scalable way.”

Miteff said he doesn’t know if anyone in South Africa is doing this.
