High time to protect the internet route map: Here are 7 basics
BGP hijacks, attacks on the internet's route map, continue to happen despite years of warnings by security experts. This spells danger for national security, for the privacy of citizens and for the resilience of the internet, both in Europe and globally.
Published on May 17, 2019
Last year ENISA surveyed a range of large and small providers across the EU, confirming that BGP hijacks are an issue in the EU as well: 44% of respondents said that the impact of BGP incidents is high, affecting large numbers of users and lasting for many hours, and 93% said it needs an urgent fix.
The Border Gateway Protocol (BGP) is like a dynamic internet route map, used by network operators to find the best route from one network to another across the globe. But it is 25 years old and was not designed with security in mind. The good news is that there are remedies; unfortunately, not all network operators are implementing them.
What are recent cases?
Back in 2008, an operator in Pakistan famously BGP hijacked all the world's YouTube traffic, by accident. Here are three very recent examples of high-profile, high-impact cases:
- In 2018, Google traffic from users in the western USA was BGP hijacked and routed via Russia to China. Allegedly this was done intentionally, for espionage purposes.
- In 2017, internet traffic to 80 high-profile websites (Google, Apple, Facebook, Microsoft, etc.) was BGP hijacked by a (previously dormant) Russian network.
- In 2018, Amazon cloud traffic from a number of Ethereum cryptocurrency users was BGP hijacked. The goal was to steal thousands of euros' worth of cryptocurrency.
Many BGP attacks do not make the news headlines. And there is the risk that attackers use BGP vulnerabilities not only for espionage or financial crime, but to completely disable internet connections and disrupt society.
What are the risks?
BGP attacks are used for different purposes, ranging from financial crime targeting a few users (stealing crypto coins) to large-scale espionage, and they can even be used to cause crippling internet outages. Our dependency on the internet, increased usage, and an increase in the number and sophistication of cyberattacks mean that the risks of leaving BGP unsecured are very high.
ENISA recommendations for BGP security
Following up on the BGP security survey of 2018, ENISA discussed the findings with experts in the telecom sector over the last months to compile a shortlist of basic security measures:
- Monitoring and detection: Monitor the routes used by your internet traffic and the announcements made for your own prefixes, to detect anomalies (for example an unexpected origin AS or a more-specific announcement of your address space), not only to guarantee resilience but also for the privacy and security of subscribers;
- Coordination: It is crucial to coordinate with peers, by publishing your routing policies and taking part in peering databases (for example Internet Routing Registries);
- Prefix filtering: It is important to filter prefixes that should never be announced or forwarded in your network (your own prefixes coming back from a peer, overly specific prefixes, the default route), both on ingress and on egress;
- Path filtering: It is important to filter the BGP AS path attribute for items that should not be allowed in route announcements into or out of your network, such as private or reserved AS numbers, your own AS number coming from a peer, or implausibly long paths;
- Bogon filtering: It is important to filter out bogus prefixes (bogons): unallocated, reserved and private address space that should never appear in BGP announcements;
- Time-to-live security (GTSM): It is important to implement TTL security (the Generalized TTL Security Mechanism), which accepts BGP packets only when their TTL shows they came from a directly connected peer and so makes it harder to attack BGP sessions from afar;
- Resource Public Key Infrastructure (RPKI): It is important to implement RPKI: publish signed Route Origin Authorisations (ROAs) for your own prefixes, and validate the announcements you receive against the ROAs of others, so that peers can check that an announcement's origin is authentic and authorised.
These 7 steps are relatively simple and effective ways to shore up BGP. Electronic communications providers, but also all other organisations that manage a so-called Autonomous System (an AS, a network that speaks BGP), should as a minimum adopt and implement these 7 measures.
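To make the filtering measures concrete, the following is an added example (not code from ENISA or from the report) of a toy ingress filter that applies prefix filtering, AS path filtering, bogon filtering and RPKI route origin validation (as defined in RFC 6811) to sample announcements. All ASNs, prefixes and ROAs are constructed from documentation ranges; the bogon list, the accepted prefix lengths and the AS path length limit are illustrative assumptions, and a real deployment would take these from the current bogon feeds, its own routing policy and a validating RPKI cache.

```python
"""Toy BGP ingress filter (added example, not ENISA's code): prefix, AS path
and bogon filtering plus RPKI route origin validation per RFC 6811."""
from dataclasses import dataclass
from ipaddress import ip_network

# Abbreviated bogon list (assumption: a real deployment pulls a full, current
# list). The RFC 5737 / RFC 3849 documentation ranges are deliberately left
# out so that they can serve as sample prefixes below.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
MAX_LEN = {4: 24, 6: 48}          # longest prefixes accepted from peers (assumption)
MAX_AS_PATH = 50                  # sanity limit on path length (assumption)
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))
RESERVED_ASN = {0, 23456, 65535, 4294967295}


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # leftmost = neighbour that sent it, rightmost = origin AS


def _covered_by(net, candidates):
    return [c for c in candidates if c.version == net.version and net.subnet_of(c)]


def is_bogon(prefix):
    return bool(_covered_by(ip_network(prefix), BOGONS))


def origin_validation(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covering = [r for r in roas if _covered_by(net, [ip_network(r.prefix)])]
    if not covering:
        return "notfound"
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"   # a covering ROA exists, but not for this origin/length


def check_as_path(as_path, my_asn, neighbour_asn):
    """Return None if the AS path passes, otherwise the reason it fails."""
    if not as_path:
        return "empty AS path"
    if as_path[0] != neighbour_asn:
        return "first hop is not the neighbour AS"
    if len(as_path) > MAX_AS_PATH:
        return "AS path too long"
    for asn in as_path:
        if asn == my_asn:
            return "own ASN in path (loop or spoof)"
        if asn in RESERVED_ASN or any(lo <= asn <= hi for lo, hi in PRIVATE_ASN):
            return f"private or reserved ASN {asn} in path"
    return None


def evaluate(ann, my_asn, neighbour_asn, own_prefixes, roas):
    """Apply the filters in order; return (accept, reason)."""
    net = ip_network(ann.prefix)
    if net.prefixlen == 0:
        return False, "default route"
    if is_bogon(ann.prefix):
        return False, "bogon prefix"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, "prefix too specific"
    if _covered_by(net, [ip_network(p) for p in own_prefixes]):
        return False, "own prefix announced back to us"
    reason = check_as_path(ann.as_path, my_asn, neighbour_asn)
    if reason:
        return False, reason
    state = origin_validation(ann.prefix, ann.as_path[-1], roas)
    if state == "invalid":
        return False, "RPKI invalid: origin AS not authorised for prefix"
    # 'notfound' is accepted: many prefixes have no ROA yet; operators usually
    # only give such routes a lower preference rather than dropping them.
    return True, f"accepted (RPKI {state})"


# Constructed sample data: we are AS64496, peering with AS64498.
MY_ASN, NEIGHBOUR_ASN = 64496, 64498
OWN_PREFIXES = ("192.0.2.0/24",)
ROAS = (ROA("198.51.100.0/24", 24, 64497), ROA("203.0.113.0/24", 24, 64497))
SAMPLES = (
    Announcement("198.51.100.0/24", (64498, 64497)),   # legitimate origin
    Announcement("203.0.113.0/24", (64498, 64499)),    # hijack: wrong origin AS
    Announcement("192.168.1.0/24", (64498,)),          # bogon
    Announcement("192.0.2.0/24", (64498, 64499)),      # our own space from a peer
    Announcement("198.51.100.0/24", (64498, 65001, 64497)),  # private ASN in path
    Announcement("2001:db8::/32", (64498, 64497)),     # no ROA: notfound
)

if __name__ == "__main__":
    for ann in SAMPLES:
        ok, why = evaluate(ann, MY_ASN, NEIGHBOUR_ASN, OWN_PREFIXES, ROAS)
        print(f"{'ACCEPT' if ok else 'REJECT'} {ann.prefix:18} {ann.as_path} - {why}")
```

The second sample is the pattern behind the cases above: an AS that is not the registered origin announces someone else's prefix; without a ROA to check against, only the AS path sanity checks stand between that announcement and the routing table.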
For the full report: 7 Steps to shore up BGP
Background information
BGP is 25 years old and was not built with security in mind, i.e. it inherently trusts every network operator to have good intentions and not to make mistakes. Any operator can simply announce that it has a fast and short route to a prefix, and naïve BGP implementations simply accept such announcements. BGP hijacks, both intentional and unintentional, have been happening for years. There are several industry efforts advocating additional security (such as https://www.manrs.org/ and the recent proposal by RIPE), but implementation does not happen across the board, and cyberattacks targeting BGP vulnerabilities continue to happen (see above for a few examples).
This work on BGP security was done in the context of Article 13a of the Framework directive, which asks EU Member States to ensure that providers take appropriate security measures to protect their networks and services.
In the last 10 years ENISA has collaborated closely with the EU Member States and with experts from the national telecom regulatory authorities (NRAs), which supervise this part of EU legislation, under the ENISA Article 13a Expert Group. The ENISA Article 13a Expert Group meets three times per year to discuss and exchange information about security in the electronic communications sector. See: https://resilience.enisa.europa.eu/article-13