Why BGP Hijacking Remains a Security Scourge
Cyber criminals are stepping up their attacks against routing protocols, creating new problems for enterprise security
The last decade has been riddled with various high-profile malicious Border Gateway Protocol (BGP) hijack incidents. To name a few:
- In 2011, a spammer hijacked several blocks of IP addresses from a defunct Russian ISP and used the stolen IP addresses to send spam emails.
- In 2013, the anti-spam organisation Spamhaus suffered a malicious BGP hijack incident, which temporarily rendered its blacklist services ineffective.
- More recently, hackers have been seen abusing BGP to redirect crypto-currency users to a fake server, allowing them to steal money from these users' virtual wallets.
Border Gateway Protocol is the routing protocol that allows autonomous systems like an Internet Service Provider, a company, or a university to talk to one another. The problem lies in the malware that takes advantage of the implicit trust these autonomous systems show each other.
BGP hijacking is an attack against the routing protocol. It takes control of blocks of IP addresses owned by a given organization without its authorization. The attacker has control then to perform underlying malicious activities (e.g., spamming, phishing, malware hosting) using hijacked IP addresses belonging to somebody else.
Using BGP hijacks, cyber criminals can impersonate their victims' IP identity. It is critical to detect such malicious activity. When a hijacker steals IP identity it can lead to misattributing other attacks, such as denial of service attacks, launched from hijacked networks. When an attack is not correctly attributed to the cyber criminals who launched it, any resulting legal action could be directed at an innocent organization.
Since 2012, when Symantec started monitoring these malicious attacks, more than 5.5k malicious BGP hijacks have been observed.
In addition to malicious intent, accidental BGP hijacks are known to occur regularly. They are generally attributed to misconfigurations on internal systems. A few cases have received public disclosure on network operational mailing lists, such as NANOG (North American Network Operators' Group), or blog posts. Techniques to detect these BGP hijacks have been proposed to help network operators monitor their own prefixes, allowing them to react quickly to possible outages.
In 2012, to assess the extent of the threat posed by BGP hijacks to the security of the Internet, Symantec Research Labs (SRL) developed SpamTracer, a tool specially designed for the large-scale study of malicious BGP hijacks. With SpamTracer, SRL collected and analyzed several years of BGP data and combined it with various threat intelligence data. Over the last few years, SRL has observed a staggering increase in the number of BGP hijacks performed with malicious intent. For example, a 400% increase in the number of hijacks was observed between 2013 and 2014.
Between 2012 and 2014, SRL described in Symantec's annual Internet Security Threat Report (ISTR) various cases of BGP hijacks performed by spammers to avoid spam-sender blacklists. These findings were also reported to the community via major Internet operations conferences, such as RIPE and NANOG, that gather network operators from around the world to discuss Internet security and performance matters.
In 2015, SRL published an extensive study of over three years of data uncovering thousands of malicious BGP hijacks. Their observations include:
- Hijacks are carried out in the form of stealthy, persistent, and large-scale campaigns.
- Attackers were found to stealthily hijack properly registered but unannounced IP address space. In particular, one autonomous system was found to be involved in the hijack of a total of 793 IP address blocks over 16 months.
- Using hijacked IP prefixes is an effective technique for defeating known protections like spam IP blacklists.
- Many hijacked IP address blocks identified refer to organisations that no longer exist.
- A large portion of hijacks exhibited no spam and are believed to serve as a moving infrastructure to host malicious servers.
Finally, evidence suggests that cyber criminals have developed automated tools to perform these campaigns of hijacks, which can last for months.
Current approaches to detecting BGP hijacks largely suffer from steep false-positive rates. They are also blind to the type of hijacks observed in the wild, such as hijacks of registered but unannounced IP address space. Complete deployment of BGPsec and RPKI-backed ROAs (Route Origin Authorizations) would prevent these attacks. However, RPKI deployment is hindered by its high implementation and operational cost. Additionally, the deployment of BGPsec is merely the beginning.
SRL suggests these ideas to help mitigate BGP hijacks:
- BGP hijack detection systems should include signatures for hijacks based on the characteristics uncovered by SRL.
- Announce all IP address blocks even if they are unused.
- A worldwide hunt for orphan IP address blocks should be launched to prevent them from being hijacked and further used for malicious purposes.
- IP address block owners that cease to exist or do not require the IP resources anymore need to return them.
- Keeping Internet Routing Registries – a distributed database that tracks Internet resource allocations – and RPKI data fresh is key to preventing hijacks of orphaned IP address space.
- Autonomous systems identified as invalid or malicious in previous hijacks can be leveraged to identify future hijacks, or even block traffic from and to IP address blocks advertised through the malicious autonomous systems.
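As an added example (not code from Symantec, SpamTracer or this article), the following Python shows the origin-validation check that RPKI ROAs enable (RFC 6811: valid / invalid / not-found), combined with the suggestion above to flag announcements whose origin AS was seen in previous hijacks. The ROAs, announcements and suspect-AS set are constructed sample data using documentation address space and ASNs; the function and field names are this example's own.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class ROA(NamedTuple):
    prefix: Network      # address block the ROA covers
    max_length: int      # longest prefix the origin may announce
    origin_asn: int      # authorised origin AS

class Announcement(NamedTuple):
    prefix: Network
    origin_asn: int      # rightmost AS in the AS_PATH

def rov_state(ann: Announcement, roas: list) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas
                if r.prefix.version == ann.prefix.version
                and ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix (e.g. orphan / unannounced space)
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or more specific than allowed

def assess(ann: Announcement, roas: list, suspect_asns: set) -> tuple:
    """Defender-side triage: (rov_state, action) for one observed announcement."""
    state = rov_state(ann, roas)
    if state == "invalid":
        return state, "reject: ROA authorises a different origin or a shorter max length"
    if ann.origin_asn in suspect_asns:
        return state, "alert: origin AS previously seen in hijacks"
    if state == "not-found":
        return state, "review: no ROA covers this prefix; possible unannounced space"
    return state, "ok"

# Constructed sample data: RFC 5737 documentation prefixes, RFC 5398 documentation ASNs.
ROAS = [ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496)]
SUSPECT_ASNS = {64500}   # hypothetical AS flagged in earlier hijack campaigns
SAMPLE = [
    Announcement(ipaddress.ip_network("192.0.2.0/24"), 64496),     # legitimate
    Announcement(ipaddress.ip_network("192.0.2.0/25"), 64496),     # more specific than max length
    Announcement(ipaddress.ip_network("192.0.2.0/24"), 64500),     # origin AS mismatch
    Announcement(ipaddress.ip_network("198.51.100.0/24"), 64500),  # no ROA, known-bad origin
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.prefix, a.origin_asn, *assess(a, ROAS, SUSPECT_ASNS))
```

The "not-found" outcome is the gap the article describes: registered but unannounced space has no ROA at all, so only the suspect-AS check and an owner announcing the space themselves close it.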
Symantec Research Labs can only offer their findings with the hope that autonomous system owners are listening. Unfortunately, adoption of BGP hijack prevention mechanisms is slow. Until BGP hijacks are taken seriously, a secure future for the Internet will remain a distant grail.