{"id":211430,"date":"2017-06-26T14:30:40","date_gmt":"2017-06-26T12:30:40","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=211430"},"modified":"2017-06-26T14:32:39","modified_gmt":"2017-06-26T12:32:39","slug":"how-to-stop-bgp-hijacking","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/internet\/211430-how-to-stop-bgp-hijacking.html","title":{"rendered":"How to stop BGP hijacking"},"content":{"rendered":"<p>Network traffic meant for Visa, Mastercard, Symantec, Verisign, and Internet Solutions was <a href=\"https:\/\/mybroadband.co.za\/news\/security\/208592-part-of-internet-solutions-network-hijacked-by-russian-telecom.html\"><strong>recently hijacked<\/strong><\/a> by state-owned Russian operator Rostelecom.<\/p>\n<p>This is not the first time an incident like this has happened, with IS&#8217;s ADSL network <a href=\"https:\/\/mybroadband.co.za\/news\/adsl\/87154-how-to-wipe-an-isp-off-the-net.html\"><strong>wiped off the Internet<\/strong><\/a> in 2013 when a local operator hijacked its address space.<\/p>\n<p>Such hijacking is often inadvertent and due to human errors in border gateway protocol (BGP) configurations.<\/p>\n<p>Among the steps IS has taken to prevent its network prefix from being hijacked again is using the RIPE database to enforce route exchange policy with its upstream peers.<\/p>\n<p>\u201cWe use different tools to proactively monitor for these occurrences and adjust our responses according to the attack vector,\u201d said IS.<\/p>\n<h3 class=\"my-4\">How BGP hijacking works<\/h3>\n<p>Computer networking expert Simeon Miteff said that BGP hijacking is easy, provided the attacker participates in the BGP routing game.<\/p>\n<p>A hijack can be done by exploiting the standardised BGP route selection algorithm that runs on Internet routers.<\/p>\n<p>\u201cIf someone else advertises your route, theirs will win out in all parts of the Internet that are closer to them, in terms of BGP hops,\u201d said 
Miteff.<\/p>\n<p>A more severe attack is to advertise routes more specific than the victim\u2019s by subdividing their network prefix, or range of IP addresses.<\/p>\n<p>For example, a prefix like 196.32.0.0\/21, which contains 2,048 addresses, could be advertised as two \/22 prefixes with 1,024 addresses each.<\/p>\n<p>This is also how a service provider like IS might mitigate an attack.<\/p>\n<p>First, you must monitor BGP. From there, you can deaggregate your prefixes into the most specific sub-prefixes that are typically accepted by people\u2019s BGP filters, which is \/24.<\/p>\n<p>\u201cThen get on the phone and try to get the hijacker shut down.\u201d<\/p>\n<h3 class=\"my-4\">A better way<\/h3>\n<p>Miteff said any BGP admin worth their salt aims to protect their network, and their BGP customers, from receiving hijacked prefixes.<\/p>\n<p>There are different methods for doing this, with varying levels of sophistication.<\/p>\n<p>A poor way is to use static filter rules. 
These are manually maintained lists of prefixes that you expect to receive from neighbours.<\/p>\n<p>These are generally updated by the exchange of emails and phone calls between the BGP admins of ISPs, who know each other by name.<\/p>\n<p>\u201cThis is what the local guys tend to do and it\u2019s slow and error-prone,\u201d said Miteff.<\/p>\n<p>\u201cIt\u2019s also only feasible to apply to peers and customers, but not really to your transit provider, because they\u2019ll send you all the routes on the Internet and this changes continuously.\u201d<\/p>\n<p>Best practice is to do it the way IS does, using a central, trusted database from an Internet Routing Registry (IRR), like RIPE.<\/p>\n<p>The awesome way is to use the sparsely deployed capability in routers to cryptographically verify signed BGP updates, said Miteff.<\/p>\n<p>\u201cThis is similar to the IRR approach because it requires a PKI-based hierarchy, but it just implements the filtering in a smarter and more scalable way.\u201d<\/p>\n<p>Miteff said he doesn\u2019t know if anyone in South Africa is doing this.<\/p>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/security\/208592-part-of-internet-solutions-network-hijacked-by-russian-telecom.html\">Part of Internet Solutions\u2019 network hijacked by Russian telecom<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s what ISPs can do to guard against their network prefixes being 
hijacked.<\/p>\n","protected":false},"author":15,"featured_media":160024,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[21486,35,20077,43296,42874,43294],"class_list":["post-211430","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet","tag-border-gateway-protocol-bgp","tag-headline","tag-internet-solutions-is","tag-ripe","tag-rostelecom","tag-simeon-miteff"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/211430"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=211430"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/211430\/revisions"}],"predecessor-version":[{"id":215844,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/211430\/revisions\/215844"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/160024"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=211430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=211430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=211430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}