- Border Gateway Protocol (BGP) hijacking, sometimes called prefix hijacking or IP hijacking, occurs when an attacker redirects web traffic away from its intended destination.
- One such attack had lately impacted more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers.
The lesser-known BGP hijacking attack was in the news of late for impacting more than 200 of the world’s largest Content Delivery Networks (CDNs) and cloud hosting providers. The impacted companies were a who’s who of the cloud services and the CDN market, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, and Joyent.
Most commonly, BGP is used on the internet to exchange routing information between various locations. It is the language that is spoken by routers on the internet to make decisions on the most optimal path to reach a destination. However, due to its antiquated design and lack of adoption of encryption or an automatic verification method, BGP has become the cause of hundreds of outages.
How BGP hijacking works?
BGP hijacking, sometimes called prefix hijacking or IP hijacking, occurs when attackers redirect web traffic away from its intended destination and instead send incoming requests to IP addresses under their control. It is an attack against the routing protocol in which cybercriminals impersonate their victims’ IP identity to perform malicious activities such as spamming, phishing, and malware hosting.
In other words, this attack can be compared to a user sending private information to the wrong address that was provided by an imposter for the delivery of orders. Once the information is emailed to the wrong address, the imposter has it forever and can use it for his malicious purposes.
How prevalent is the attack?
- One of the most remarkable incidents involving BGP hijack occurred in 2018 where the cybercriminals had used the technique to generate $29 million through fraudulent ad revenue. The attack, carried out by an ad fraud gang named ‘3ve’, took control of IP addresses belonging to the US Air Force and other reputable organizations.
- In April 2018, attackers had rerouted almost 1,300 addresses from Amazon Route 53 with an aim to steal cryptocurrency. By subverting Amazon's domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end-users.
- In July 2018, the BGP hijacking attack method was also used to target several payment processing companies in the United States and redirect users to malicious websites. The attackers had used rogue DNS servers to return forged DNS responses to users trying to access a certain website.
- In 2019, the traffic going through a public DNS server run by the Taiwan Network Information Center (TWNIC) came under attack and was rerouted for several minutes to an entity in Brazil.
What does MANRS suggest?
Vigilance is the key to prevent such attacks. In 2014, the Internet Society had launched the Mutually Agreed Norms for Routing Security (MANRS) initiative with the purpose of eliminating common routing threats, including BGP hijacking.
MANRS promotes four action points to reduce threats of route hijacking or other types of BGP attacks. These include:
- Global validation - The service providers will have documented routing policies that are available publicly and communicate with their peers.
- Filtering - One of these policies will ensure that only correct routes are announced.
- Anti-Spoofing - Anti-spoofing filtering must be used to only allow the correct source IPs from entering their network.
- Coordination - Service providers’ contact information must be publicly accessible and up to date.