BGP Route Hijacking - What Can Be Done Today? (Version 1.2)
Barry Raveendran Greene, Principal Architect – Carrier, Enterprise & Security, Akamai

TRANSCRIPT

Page 1: BGP Route Hijacking - What Can Be Done Today? BGP Hijacking... · BGP Egress Policy Checklist 1.Reject Bogon & RIR Min prefixes 2.remove-private-AS 3.Reject “bad” routes (RTBH,

BGP Route Hijacking - What Can Be Done Today? Version 1.2

Barry Raveendran Greene, Principal Architect – Carrier, Enterprise & Security

@Akamai

Page 2:

BGP, the core protocol that glues all of the Internet & Telecom together, depends on trusting your neighbors.

Neighbors make mistakes. Some neighbors abuse that trust. Some violate their neighbors and, through them, violate everyone!

Page 3:

Minimizing the Risk: What are people doing to mitigate the risk of BGP hijacks?

Explore the BGP Hijack Risk: Is this a common risk or a unique one?

Page 4:

BGP Hijacking: How big is the risk?

Page 5:

AKAMAI EXPECTS “BGP/INTERNET EVENTS”, MONITORS IN REAL TIME, & ADAPTS AROUND THE “EVENT.”

BGP Leaks & Hijacks are a daily activity!

Akamai sees 5 - 20 “possible interesting situations” a day on our infrastructure. Most are network changes that we adapt our infrastructure around. Some are route leaks. Infrequently we see a suspected malicious BGP hijack.

Page 6:

What is a prefix hijack?

(Figure: AS 100 through AS 500 with routers A, B, C, D, E, M, N, Q, W and X. The Customer's web server sits in the X.Y.Z.0/22 aggregate, also labelled X.Y.Z.1/24. A broken-into router in another AS advertises the web server prefix as a /32.)

All Web traffic forwards to the /32 more specific.
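To make the forwarding mechanics behind that slide concrete, here is an added Python example (not from the slides or from Akamai) that models a tiny routing table: the customer's aggregate, its /24, a longer backup path for the same /24, and the bogus /32 injected from the broken-into router. The prefixes (198.51.100.0/22 for the slide's X.Y.Z.0/22) and the hijacker's AS 666 are constructed placeholders. It shows why the hijack needs no BGP best-path win at all: longest-prefix match happens before any comparison of AS_PATH length or local preference, so the /32 takes the web server's traffic even though its path is longer than every legitimate one.

```python
import ipaddress

# Constructed sample data, not from the slides.  198.51.100.0/22 stands in for
# the slide's X.Y.Z.0/22 web-server space; AS 100-500 follow the slide's
# diagram; AS 666 is an assumed label for the AS of the broken-into router.
WEB_SERVER = "198.51.100.10"

# Each candidate is (prefix, AS_PATH as seen by the local router, next hop).
LEGIT = [
    ("198.51.100.0/22", [300, 100], "AS300"),        # customer aggregate via transit
    ("198.51.100.0/24", [300, 100], "AS300"),        # the customer's own /24 (X.Y.Z.1/24)
    ("198.51.100.0/24", [200, 500, 100], "AS200"),   # same /24 over a longer backup path
]
# The hijack: a /32 for the web server, with a *longer* AS_PATH than the legit routes.
HIJACK = ("198.51.100.10/32", [400, 200, 666], "AS400")


def best_path_per_prefix(candidates):
    """Simplified BGP decision process: among candidates for the *same* prefix,
    keep the shortest AS_PATH.  Returns {prefix: (as_path, next_hop)}."""
    best = {}
    for prefix, as_path, next_hop in candidates:
        current = best.get(prefix)
        if current is None or len(as_path) < len(current[0]):
            best[prefix] = (as_path, next_hop)
    return best


def longest_prefix_match(fib, dst):
    """Forwarding lookup: the most specific covering prefix wins, regardless of
    how good the BGP path for any covering aggregate was."""
    addr = ipaddress.ip_address(dst)
    covering = [ipaddress.ip_network(p) for p in fib if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net = max(covering, key=lambda n: n.prefixlen)
    return str(net), fib[str(net)]


def forwarding_for(dst, hijacked):
    """Where does traffic to dst go, with and without the bogus /32 present?"""
    fib = best_path_per_prefix(LEGIT + ([HIJACK] if hijacked else []))
    return longest_prefix_match(fib, dst)


if __name__ == "__main__":
    print("before hijack:", forwarding_for(WEB_SERVER, hijacked=False))
    print("after hijack: ", forwarding_for(WEB_SERVER, hijacked=True))
    print("other host:   ", forwarding_for("198.51.100.20", hijacked=True))
```

Note that only the single host covered by the /32 is captured; the rest of the /24 keeps flowing to the customer, which is exactly why targeted more-specific hijacks are easy to miss without prefix monitoring.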

Page 7:

What Could Be Worse?

Global Telecoms

• The Miscreant Economy trades compromised (“violated”) BGP-speaking routers. Get 20 in different parts of the Internet.

• Take each, pick your targets, and start disaggregating.

• THE INTERNET & TELECOM HAVE MERGED!

• BGP Hijacks are LIFE THREATENING!

Page 8:

What is a prefix hijack?

Global Telecoms

More prefixes, more communities, more AS paths, more activities (flapping, changes, etc.) mean more memory, more FIB capacity and more RP processing.

• Today's network is all of Telecom + Internet. It is all one technological base … all interconnected with BGP & DNS.

• Our Neighbors are global! A business on one side of the planet will force you into OPEX and CAPEX expenditure!

Page 9:

Google Route Leak – 2017-08-25

Large BGP Leak by Google Disrupts Internet in Japan: https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/

BGP leak causing Internet outages in Japan and beyond: https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/

Page 10:

Amazon Route 53 – MyEtherWallet – 2018-04-24

Maybe?

BGP Hijack of Amazon DNS to Steal Crypto Currency: https://dyn.com/blog/bgp-hijack-of-amazon-dns-to-steal-crypto-currency/

AWS DNS network hijack turns MyEtherWallet into Thieves EtherWallet: https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/

• The AS 10297 upstreams (NTT, Cogent, Level3) & the Equinix route server blocked the hijack attack

• Some peers of AS 10297 (Google, Hurricane Electric, BBOI, others) accepted the hijack

• Hijack impact was limited thanks to BGP Filters

Page 11:

DPSTL Brazil (AS 26786) – 2018-04-26

BGP hijacks - Malicious or Mistakes? https://radar.qrator.net/blog/bgp-hijacks-malicious-or-mistakes

Page 12:

ElCAT (AS 8449) – Kyrgyzstan – 2018-05-04

The Day the Internet Survived: https://radar.qrator.net/blog/the-day-the-internet-survived

Mistakes with Route Leaks will have National Consequences.

Intentional Hijacks are Worse.

Page 13:

BGP Hijacking - Wide Motivations

● Hijacking for Cryptocurrency Theft (since 2013)

● Hijacking for SPAM
● Hijacking for Censorship
● Hijacking for Nation State Attacks
● Hijacking “just for the fun of it.”

BGP Security

Example from Black Hat: the entire conference was hijacked with a MITM to illustrate the risk, and the “security professionals” had zero clue what was going on!!!

Page 14:

BGP Hijack Minimization: How can I reduce the risk?

Page 15:

Minimizing the BGP Hijack Risk

• DNS Security: High Resilience aDNS; DNSSEC; driving for rDNS deployments that support DNSSEC

• BGP BCPs: Peering Circles of BGP BCPs

• Internal and External Monitor Tools

• BGP EXPERTISE

• Partner with Peers who align with your BGP Resilience Agenda

• Invest in Rapid Response to BGP Hijacking

• Web & Application Security: Complete the move to HTTPS (TLS); Deployment Resilience Horizontally & Vertically

Page 16:

New Thinking with Today's BGP Security: LAYERED BGP SECURITY

(Figure: concentric layers, outermost first)

• MANRS+ Global Campaign to Expand the PeerLock++ Circles
• PeerLock++ Agreements with all Direct Peers - One ASN Deep
• BGP Peering BCPs: Do all the ingress/egress policies
• RPKI Origin Validation for BGP updates

What the layers address:

• Targeted Hijacks: builds Circles of Trust, pushing to Customers
• Nation State: the approach minimizes Global Risk
• Leak Instabilities: minimizes normal human error

Page 17:

Principle of Guarded Trust

• SP A trusts SP B to send X prefixes from the Global Internet Route Table.
• SP B creates an egress filter to ensure only X prefixes are sent to SP A.
• SP A creates a mirror-image ingress filter to ensure SP B only sends X prefixes.
• SP A's ingress filter reinforces SP B's egress filter.

(Figure: ISP A and ISP B exchanging prefixes; ISP B applies the Egress Filter, ISP A applies the matching Ingress Filter.)

Page 18:

Explicit Deny BGP Ingress/Egress

• All BGP Sessions need explicit DENY ALL filters as a default.

• Explicit Deny filtering logic blocks everything and only permits specifics through the filter.

(Figure: ISP A and ISP B exchanging prefixes; Ingress Filter (Deny with Exceptions) and Egress Filter (Deny with Exceptions).)

Page 19:

BGP Ingress Policy Checklist

1. Dynamic maximum prefix settings
2. Reject Bogon & RIR Min prefixes (RFC1918, etc)
3. Reject Bogon ASNs (AS0 / AS23456 etc)
4. Reject IXP prefixes (Some IXP subnets)
5. Reject leakage with the Peerlock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply Features – (blackholing, traffic engineering, etc, only for customers)

(Figure: the Operator applies a Prefix Filter to the BGP prefixes received from Peer/Transit and from Customer - Down Stream.)

Page 20:

BGP Egress Policy Checklist

1. Reject Bogon & RIR Min prefixes
2. remove-private-AS
3. Reject “bad” routes (RTBH, Sinkholes, Shunts)
4. Accept peer routes (on customer session)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal BGP communities
8. Set next-hop-self
9. Normalize BGP MED

(Figure: the Operator applies a Prefix Filter to the BGP prefixes sent toward Peer/Transit and toward Customer - Down Stream.)
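The two checklists above are the policy a router applies per session. As an added example that is not part of the slides, the following Python models the ingress side for one customer session so the order of the checks and their interaction (the RTBH /32 exception to the RIR-minimum rule, community scrubbing before tagging, max-prefix counting) can be exercised offline. All policy data is constructed: AS 64500 as the operator, the 64500:666 blackhole and 64500:100 customer-tag communities, the IXP LAN, the IRR whitelist and the bogon list are assumptions; the Tier-1 set is the one used on the Peer Lock slide later in this deck. IPv4 only.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy data: assumptions for this example, not from the slides.
MY_ASN = 64500                                   # the operator's own ASN (assumed)
TIER1_ASNS = {174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356,
              3549, 5511, 6453, 6461, 6762, 7018, 12956}   # list from the Peer Lock slide
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
IXP_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # assumed IXP peering LAN
RIR_MIN_PREFIXLEN = 24                           # nothing more specific than /24 (IPv4)
BOGON_ASNS = {0, 23456}                          # AS0 and AS_TRANS
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
BLACKHOLE = f"{MY_ASN}:666"                      # customer-triggered RTBH community (assumed)
CUSTOMER_TAG = f"{MY_ASN}:100"                   # marks "learned from a customer" (assumed)


@dataclass
class Update:
    prefix: str
    as_path: list            # receive order: as_path[0] is the sending neighbor
    communities: set = field(default_factory=set)


@dataclass
class CustomerSession:
    asn: int
    irr_whitelist: list      # prefixes from the customer's registered route objects
    max_prefix: int          # derived from the IRR object count plus a margin
    accepted: list = field(default_factory=list)


def is_bogon_asn(asn):
    return asn in BOGON_ASNS or any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def ingress_policy(sess, upd):
    """Explicit-deny ingress policy for one customer eBGP session (IPv4).
    Returns ('reject', reason) or ('accept', action, scrubbed_update)."""
    net = ipaddress.ip_network(upd.prefix)
    whitelisted = any(net.subnet_of(ipaddress.ip_network(w)) for w in sess.irr_whitelist)
    # RTBH: a customer may blackhole a single host inside its own registered space.
    # This is the one sanctioned exception to the RIR-minimum rule below.
    blackhole = (BLACKHOLE in upd.communities and net.prefixlen == net.max_prefixlen
                 and whitelisted)

    if len(sess.accepted) >= sess.max_prefix:                    # 1. max-prefix
        return ("reject", "max-prefix exceeded")
    if any(net.overlaps(b) for b in BOGON_PREFIXES):             # 2. bogon prefix
        return ("reject", "bogon prefix")
    if net.prefixlen > RIR_MIN_PREFIXLEN and not blackhole:      # 2. RIR minimum
        return ("reject", "more specific than RIR minimum")
    if any(is_bogon_asn(a) for a in upd.as_path):                # 3. bogon ASN
        return ("reject", "bogon ASN in AS_PATH")
    if any(net.overlaps(i) for i in IXP_PREFIXES):               # 4. IXP LAN
        return ("reject", "IXP prefix")
    if TIER1_ASNS & set(upd.as_path):                            # 5. simple Peer Lock rule
        return ("reject", "customer claims transit for a Tier-1")
    if not whitelisted or upd.as_path[0] != sess.asn:            # 6. IRR whitelist
        return ("reject", "not in customer's IRR whitelist")
    scrubbed = {c for c in upd.communities if not c.startswith(f"{MY_ASN}:")}  # 8. scrub
    scrubbed.add(CUSTOMER_TAG)                                   # 7. mark as customer route
    action = "blackhole" if blackhole else "route"               # 9. features, customers only
    out = Update(upd.prefix, list(upd.as_path), scrubbed)
    sess.accepted.append(out)
    return ("accept", action, out)


if __name__ == "__main__":
    # Constructed sample session: customer AS 64496 has registered 203.0.113.0/24.
    sess = CustomerSession(asn=64496, irr_whitelist=["203.0.113.0/24"], max_prefix=3)
    for upd in (Update("203.0.113.0/24", [64496], {"64500:500", "64496:1"}),
                Update("203.0.113.0/25", [64496]),
                Update("203.0.113.77/32", [64496], {BLACKHOLE}),
                Update("10.1.0.0/16", [64496]),
                Update("203.0.113.0/24", [64496, 3356]),
                Update("203.0.113.0/24", [64496, 65001])):
        print(upd.prefix, upd.as_path, "->", ingress_policy(sess, upd))
```

The whitelist check also requires the first hop of the AS_PATH to be the customer's own ASN, which is what stops a customer from relaying someone else's routes under its registered prefixes; on a peer session the same skeleton applies with step 6 replaced by the Peer Lock filter and step 7 tagging the route as a peer route.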

Page 21:

The Control Plane Protection Essentials

• Mutually Agreed Norms for Routing Security (MANRS): https://www.routingmanifesto.org/manrs/

• There are core control plane protection essentials which are the foundation for Internet security and stability. The Operators Security Toolkit provides guidance for effective BGP Security: http://www.senki.org/operators-security-toolkit/

Reality Check: The majority of ISPs, Telcos, Mobile Operators, and other Operators are not doing the essentials of BGP Security. That is why it is so easy to execute BGP Hijacks!

Page 22:

MANRS Actions

ADD MANRS Compliance to your Operator’s Internet Services Contract!

Page 23:

Take the MANRS Tutorial

• The Internet Society & the Operators' Best Common Operational Practice (BCOP) Community have created an online MANRS Tutorial.

https://www.internetsociety.org/tutorials/manrs/

Page 24:

BGP Monitoring

Any organization that BGP peers must set up appropriate BGP monitoring.

Page 25:

BGP Peer Lock

Peer Lock is a peering technique used to lock down “known” peering relationships from all of your peers.

We know PCCW is not an upstream for AT&T. We know AT&T is not an upstream for PCCW.

We know that AS_PATH 2914_3491_7018 would be garbage! (NTT_PCCW_AT&T)

Working with your Peers, you can build AS Path Filters which whitelist KNOWN GOOD BEHAVIOR.

Page 26:

BGP Peer Lock – Simple Default Free Rule

WIKIPEDIA Defines the largest DEFAULT FREE Backbones: https://en.wikipedia.org/wiki/Tier_1_network#L

Use that to deploy a filter that would block anyone claiming to be ”transit” for the big backbones.

ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
route-map ebgp-customer-in deny 1
 match as-path 99

(In IOS as-path regex, “_” matches the start or end of the path or any separator, so access-list 99 matches a Tier-1 ASN anywhere in the AS_PATH. The deny is the first clause of the customer ingress route-map; the later permit clauses carry only the customer's explicitly whitelisted prefixes.)

Page 27:

BGP Peer Lock's Expanding Trust

(Figure: NTT (AS 2914) with Peer A, Peer B, Peer C, Peer D and Peer E; the edges are labelled Normal Peering, Backup Path, Route Leak, Hijack and Hijack.)

Peer Lock Path Logic for Peer A:

OK: ^A_
OK: ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_

Page 28:

BGP Peer Lock's Expanding Trust Deeper

(Figure: the same NTT (AS 2914) topology with Peers A through E, edges labelled Normal Peering, Route Leak, Hijack and Hijack; Peer B now also locks with Peer Z and Peer M.)

Peer B expands Peer Lock with Z and M.

The “Peer Lock” Realm has now expanded to Five Operators.
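The path logic on the last three slides, as an added Python example (not the slides' or NTT's code). The first function ports the slide's IOS as-path access-list 99 to a regular expression over a space-separated AS_PATH, which is the simple default-free rule. The second implements Peer Lock proper: a table of which ASNs each locked peer has agreed may carry its routes to us, checked against the ASN that sits immediately in front of the locked peer in every received path. The ASNs for Peers A, B, C, D, E, Z and M (64500 to 64511) and the origin AS 64496 are constructed placeholders.

```python
import re

# Slide 26's "simple default-free rule", ported from the IOS as-path access-list
# to Python.  In IOS regex "_" matches the start or end of the path or any
# separator, so "_174_" means "AS 174 anywhere in the AS_PATH".
TIER1 = ("174|209|286|701|1239|1299|2828|2914|3257|3320|3356|"
         "3549|5511|6453|6461|6762|7018|12956")
TIER1_ANYWHERE = re.compile(rf"(^|\s)({TIER1})(\s|$)")


def path_str(as_path):
    """Render an AS_PATH (receive order, origin last) the way show commands print it."""
    return " ".join(str(asn) for asn in as_path)


def violates_default_free_rule(as_path):
    """For customer sessions: a customer is never our transit toward a Tier-1
    backbone, so any Tier-1 ASN in a customer-learned path marks a leak or hijack."""
    return TIER1_ANYWHERE.search(path_str(as_path)) is not None


# Peer Lock proper.  For each locked peer, the ASNs that peer has told us may
# carry its routes to us (its real upstreams / backup paths).  Any other ASN
# appearing in front of the locked peer is a route leak or a hijack.
# Constructed agreements mirroring the slide's Peer A example; ASNs are assumed.
A, B, C, D, E, Z, M = 64500, 64501, 64502, 64503, 64504, 64510, 64511
PEER_LOCK = {
    A: {B},        # only B may sit between us and A (B is A's backup path)
    B: {Z, M},     # slide 28: B expands the lock to Z and M
}


def peer_lock_check(as_path):
    """Return (ok, reason).  as_path is in receive order: as_path[0] is the
    neighbor that sent us the route.  A locked ASN may appear only as the
    direct neighbor (^A_) or right behind one of its agreed upstreams (^B_A_);
    ^C_A_ or ^D_A_ fails.  Consecutive repeats of the same ASN are prepends."""
    for i, asn in enumerate(as_path):
        if asn in PEER_LOCK and i > 0:
            carrier = as_path[i - 1]
            if carrier == asn:            # AS_PATH prepending, not a transit hop
                continue
            if carrier not in PEER_LOCK[asn]:
                return (False, f"AS{carrier} is not an agreed upstream of AS{asn}")
    return (True, "ok")


if __name__ == "__main__":
    ORIGIN = 64496   # constructed origin AS for the sample paths
    for path in ([A, ORIGIN], [B, A, ORIGIN], [C, A, ORIGIN], [D, A, A, ORIGIN],
                 [Z, B, A, ORIGIN], [C, B, A, ORIGIN]):
        print(path_str(path), "->", peer_lock_check(path))
    print("customer path with a Tier-1:", violates_default_free_rule([ORIGIN, 3356, 64497]))
```

The check is applied on every neighbor except the locked peer itself, so the table is only as good as the agreements behind it: each row is an out-of-band promise from that peer about who its upstreams are, which is why the slides talk about "circles" that grow one ASN deep at a time rather than a filter anyone can compute alone.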

Page 29:

BGP RPKI Origin Validation

With RPKI, address holders register Route Origin Authorizations (ROAs) for their IPv4 and IPv6 prefixes in the RPKI repositories; BGPsec builds on the same infrastructure for path validation.

Operators can then set up their network to validate the routes they receive, to ensure that the origin AS announced by the customer, peer, or transit is authorized for that prefix.

Page 30:

RPKI Origin Validation Operational Roll Out (2019-2020)

The first RPKI BGP Route Origin Validation deployments have started!

Route Origin Validation is not a theory now. We're gaining operational experience where real customers would be impacted if it does not work.

(Figure: Trust Anchors -> ROAs -> Filters / Whitelist -> Router; Ignore)
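Route Origin Validation as described on these two slides, written out as an added Python example (not from the slides). The ROA set is constructed (documentation prefixes, ASNs 64496 and 64500, an assumed hijacker AS 666), standing in for the validated ROA payloads a router normally receives from a relying-party cache after it has validated the RIR trust anchors. The function returns the RFC 6811 state (Valid, Invalid, NotFound) and shows that the more-specific /32 from slide 6 comes back Invalid whether it carries the wrong origin AS or exceeds the ROA's maxLength, while the customer's own aggregate is Valid.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # the authorized prefix
    max_length: int    # longest announcement permitted under this prefix
    asn: int           # the authorized origin AS


# Constructed validated-ROA set (assumed data).  In a real deployment these are
# the VRPs a relying-party cache hands the router after validating the RIR
# trust anchors; here they are embedded so the example runs offline.
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),     # customer's /24, no more-specifics allowed
    ROA("198.51.100.0/22", 24, 64500),    # aggregate, deaggregation down to /24 allowed
    ROA("2001:db8::/32", 48, 64496),
]


def covering_roas(route_prefix):
    """Yield every ROA whose prefix covers the announced prefix (same address family)."""
    net = ipaddress.ip_network(route_prefix)
    for roa in ROAS:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            yield roa


def route_origin_validation(route_prefix, origin_asn):
    """RFC 6811 state for a route: 'Valid', 'Invalid' or 'NotFound'.

    NotFound: no ROA covers the prefix (still most of the table).
    Valid:    a covering ROA names this origin AS and the announced length is
              within its maxLength.
    Invalid:  ROAs cover the prefix but none matches: wrong origin AS, or the
              announcement is more specific than any maxLength allows.
    Only the origin AS is checked; the rest of the AS_PATH plays no part."""
    net = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in covering_roas(route_prefix):
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def rov_policy(route_prefix, origin_asn, drop_invalid=True):
    """The usual deployment policy: reject Invalid, accept Valid and NotFound."""
    state = route_origin_validation(route_prefix, origin_asn)
    if state == "Invalid" and drop_invalid:
        return ("reject", state)
    return ("accept", state)


if __name__ == "__main__":
    # The slide-6 scenario: legit aggregate from AS 64500, bogus /32 from AS 666.
    for prefix, asn in (("198.51.100.0/22", 64500), ("198.51.100.0/24", 64500),
                        ("198.51.100.10/32", 666), ("198.51.100.10/32", 64500),
                        ("203.0.113.0/24", 64497), ("192.0.2.0/24", 64496)):
        print(prefix, "from AS", asn, "->", rov_policy(prefix, asn))
```

Caveat a practitioner should keep in mind: ROV checks only the origin AS, so an attacker who forges the authorized origin gets Valid whenever the announced length is within maxLength. Keep maxLength equal to the lengths you actually announce, so a forged-origin more-specific still fails on length, and remember that NotFound is accepted, which is why registering your own ROAs is the first step on the action checklist.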

Page 31:

You Can Take Action! BGP Hijack Resistance is not hard!

• Know the Risk! Walk through how your organization will be impacted.

• Start Action: Meet with your Internet/Telecom providers and create a plan of action.

Page 32:

BGP Security Action Checklist: LAYERED BGP SECURITY

(Figure: the same concentric layers, outermost first)

• MANRS+ Global Campaign to Expand the Peer Lock++ Circles
• Peer Lock++ Agreements with all Direct Peers - One ASN Deep
• BGP Peering BCPs: Do all the ingress/egress policies
• RPKI Origin Validation for BGP updates

1. Deploy Essentials BGP BCP w/ MANRS: Get the basics done first.
2. Upgrade your Peering Agreement: Builds Circles of Trust – asking your peers and your Operators what they are doing.
3. Start the RPKI Process: Register your routes. Ask your Peers and Operator to Register.

Page 33:

Questions?

Page 34:

Next Steps – Use the BGP Resiliency Guides

“How to secure BGP” is publicly available all over the Internet. Two sources to start:

• MANRS – https://www.routingmanifesto.org

• SENKI - BGP Route Hijack – What can be done Today: http://www.senki.org/operators-security-toolkit/bgp-route-hijack/