Licson Lee <admin@licson.net>
BGP - Border Gateway Protocol
Mass Surveillance
The three networks in the diagram (AS 1, 2 and 3) want to communicate with each other, so each tells the others how to route traffic to itself. This is called a route announcement.
A more specific (smaller) subnet is preferred over a less specific (larger) one. Given the two subnets 10.0.0.0/8 and 10.0.0.0/24, the route for the smaller one (the /24) is the one other routers will select for the addresses it covers.
Routers choose their best path to each other by considering the AS path, that is, the number of networks traffic must cross before reaching the destination.
Several criteria decide which AS path becomes the best path. The most important one is the path length; other factors include the local routing preference and the multi-exit discriminator (MED).
What if a hacker takes control of AS 100 through some means and changes its BGP configuration?
The hacker, now controlling AS 100, announces a new route for 172.16.1.0/25, a prefix that belongs to AS 300.
AS 200 sees the new route and starts to reroute traffic for 172.16.1.0/25 (a portion of 172.16.1.0/24, which belongs to AS 300) through AS 100.
AS 100 can now intercept traffic to 172.16.1.0/25 (part of AS 300's network) and even modify the data sent to targets located in AS 300.
The "hacker" may be a government agency, a data thief, or simply a network engineer who misconfigured a router.
It can be hard to distinguish a misconfiguration from a hijack.
Routers can be configured to reject new route announcements.
Newer monitoring systems can now detect such routes.
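The route selection rules above (longest prefix first, then shortest AS path) and the AS 100 / AS 300 scenario, as an added illustration that is not part of the original slides. It simulates a router's best-path choice on a small constructed table of announcements and shows the detection check a monitoring system can apply: flag a more-specific prefix whose origin AS differs from the origin of the prefix that covers it. The announcement records and the two helper functions are assumptions of this example, not real BGP software.

```python
from ipaddress import ip_address, ip_network

# Constructed sample announcements modelled on the slides' scenario.
# AS path is listed from the neighbour we heard it from to the origin AS (last element).
ANNOUNCEMENTS = [
    {"prefix": "172.16.1.0/24", "as_path": [200, 300]},      # legitimate, origin AS 300
    {"prefix": "172.16.1.0/25", "as_path": [100]},           # new more-specific, origin AS 100
    {"prefix": "10.0.0.0/8",    "as_path": [200, 300, 400]}, # same prefix, longer path
    {"prefix": "10.0.0.0/8",    "as_path": [100, 400]},      # same prefix, shorter path
]


def origin_as(announcement):
    """The origin AS is the last hop in the AS path."""
    return announcement["as_path"][-1]


def best_route(announcements, dst):
    """Pick the route a router would use for dst.

    Longest prefix match comes first; among announcements of the same
    prefix, the shortest AS path wins. Returns None if nothing covers dst.
    """
    addr = ip_address(dst)
    candidates = [a for a in announcements if addr in ip_network(a["prefix"])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda a: (ip_network(a["prefix"]).prefixlen, -len(a["as_path"])))


def suspicious_more_specifics(announcements):
    """Detection check: a more-specific prefix originated by a different AS
    than its covering prefix looks like either a hijack or a misconfiguration.

    Returns sorted (sub_prefix, sub_origin, covering_prefix, covering_origin) tuples.
    """
    flagged = set()
    for sub in announcements:
        sub_net = ip_network(sub["prefix"])
        for cover in announcements:
            cover_net = ip_network(cover["prefix"])
            if cover_net != sub_net and sub_net.subnet_of(cover_net) \
                    and origin_as(sub) != origin_as(cover):
                flagged.add((sub["prefix"], origin_as(sub),
                             cover["prefix"], origin_as(cover)))
    return sorted(flagged)
```

Traffic to 172.16.1.5 now follows the /25 towards AS 100, while 172.16.1.200 (outside the /25) still reaches AS 300, and the detection check reports the /25 as an origin mismatch against the /24.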
The Ukrainian ISP Vega hijacked part of the IP space of the UK's Atomic Weapons Establishment (AWE), intercepting traffic in transit before passing it on to its final destination.
The hijacked network contained the mail server and VPN gateway of the AWE, which is responsible for atomic weapons research in the UK.
Coincidentally, the hijacked IP space also contained mail servers of Royal Mail, the UK postal service company.
Confidential emails could have been leaked.
Internet security firm and DDoS mitigation provider BackConnect hijacked Verdina Ltd. by announcing a subset of its IPs. Apparently, the IP space belonged to vDOS, which provided "stress testing" services.
Usually, DDoS mitigation providers use BGP hijacking to redirect attack traffic to their scrubbing centres. The short duration of BackConnect's hijack makes this explanation unlikely.
BackConnect even tried to hide its hijacking attempts behind a long AS path. Such suspicious behaviour is uncommon for an internet security company and may suggest they were mining data through these hijacks.
The Iranian state telecom announced an IP block (99.192.226.0/24) that contains numerous pornographic websites. The announcement leaked onto the Internet and caused chaos.
The Iranian government intended to block these websites nationally; however, the announcement escaped through Omantel and the sites became blocked internationally. This is the power of BGP hijacking.
Website: https://licson.net/
E-mail: admin@licson.net
GitHub: licson0729