An Internet weakness: BGP hijacking

As we were talking before BGP is the protocol that reings the Internet (if you didn’t read the last post, check it out here: https://4geeks.io/blog/have-you-ever-thought-about-how-internet-works/). BGP was created with an idea in mind: connect Autonomous Systems (AS) around the world, but security was not taken into account.

    A simple action as change (as AS) my information about the best route that I know for another AS, it could redirect all the traffic to a “blackhole”. Also it could increase the response time for a site or region in a considerable quantity. These actions are known as: BGP hijacking.

    The BGP hijacking (or IP hijacking) could be generated in an accidentally way or on purpose. In 2008, Pakistan wanted to restrict the access from inside the country to the video site www.youtube.com. There was a misleading configuration that derived in all traffic to Youtube went to Pakistan. For sure, the site was unavailable for a few time until the BGP tables were updated with the correct routes.

    Another similar case, this time from Iran in 2017, was looking for censor some websites to its citizens. The politics were applied and effectively those sites were banned in the country , however this rules were propagated to other AS provoking that users from other countries like China or India couldn’t access to them. Zach Julian made a good analysis about the incident and how the rules were propagated. If want to read it, here’s the link: https://know.bishopfox.com/blog/2017/01/in-the-news-a-bgp-hijacking-technical-post-mortem.

Even all the IP addresses from an entire city could got redirected to a blackhole. Image obtained from: https://www.freepik.com/free-photo/keyboard-social-business-young-person_1088171.htm

    An attack generated on purpose, categorized as a Phishing attack, was detected last year: Amazon’s Route 53 service were hijacked and affected all the traffic that went to this service. The attackers redirected the traffic from MyEtherWallet.com, a cryptocurrency website, to an identical fake side and they stole a small amount of currency. With the attack, the users were entered to the correct address, but they were redirected to a fake server located in Russia.

BGP hijacking as a censorship tool

    As we can see, it’s totally possible to restrict content to a province, state or even a country. In a fictional context of a “cyber war”, a group of attackers could make that sides from a whole country cannot be accessed from other places. This could provoke considerable economic losses while the hijacking is active.

    Also a group of institutions could agree to ban another institution or country from their AS and groups that does not have relation with the agreement could be affected by this. For example: AS1 and AS2 want create a “blackhole” effect in all the traffic that is for AS4, so they will not redirect to that AS. Exists another AS (AS3) that depends on AS1 and AS2 to connect to AS4, but the agreement will not allow the traffic to AS4. It does not matter if  AS3 and AS4 has excellent relation, they will not could connect with each other.

It has happened more than 25 years since BGP creation and the protocol still vulnerable to this kind of attacks. Of course, there are strategies to avoid a possible attack, but the BGP hijacking still active and all the internet structures remains on it. It is necessary to move to another protocol more secure than the actual and one that does not allow the censorship to another AS.

how the internet works

Have you ever thought about how Internet works?

If you are reading this article you have an Internet connection (or a very special power that should be sharing with the world). We know that the data is going to travel from our devices to the Internet and then come backs. But, what is the Internet? Popularly the Internet is a “network of networks”, all the devices that are participating in the Internet are connected to a company that serves that connection. We know them as Internet Service Provider (ISP).

The ISPs connect each other to keep the data traveling from one place to another. As you can imagine, there are a lot of ISP and some of them have better infrastructure than others. Depending of their characteristics, we have tiers that allow us to classify them in Tier 1, Tier 2, and Tier 3.

The Tier 1 ISP allows the communication between each other, they do not bring services to the end user (you and me), and their infrastructures is bigger than other tiers. Can represent big land extensions, for example, continents, and allows the data exchange through sea cables.

Tier 2 ISP are in charge of connect Tier 1 with Tier 3 through agreements. Their size is less than Tier 1 and they could be part of them. Tier 3 conforms Tier 1 and Tier 2 and bring the different services to the end user. Now that we know the different tiers, it surge a big question: how do they allow that communication between each other?

The Autonomous System (AS)

Until this moment we only know about the ISP definition, but there is another important concept that have not been touched: an Autonomous System (AS). Basically, an AS is a system that could change its behavior in response of an unexpected event. At network level, it is a collection of devices that their behavior are under common administrative control. It could be a company, an university, an ISP, a organization or a mix of them.

To allow data exchange, they work under the Border Gateway Protocol (BGP). This protocol is not an automatic one that calculates the best way for the data to get from one point to another, but it takes in count different aspects that could be political or economical.

Many AS have contracts that allow another AS to use their networks to transmit data without cost, this practice is called Peering. On the other hand, when an AS charges to transmit data through its networks is called Transit. These contracts obligate to an AS to choose a route that cannot be the optimal.

Let us think in a little example. AS C is located in Brazil and needs to exchange data with AS Z from Australia. AS C does not know which route have to use. It has two possible options: send the data via AS I that is far away from AS Z, the data has to travel to another AS T before arrives Z, and it is very expensive, or AS M, which is really close to AS Z and the best option to choose. Which option do you think AS C it is going to use to send data? AS M ? No, it decides to send it via AS I.

Visual representation from our example.

The data that pass through AS I also needs to travel through AS T before reach its destination. Vectors graphics designed by Freepik.

AS I was not the best option, but we did not know that the organization in charge of AS C has an economical agreement, which obligates all the data to travel via AS I. In case that AS I gets down, the data will travel via AS M  (the AS C needs to send the data, if the other AS is available, why not send the data through AS M?)

In real life, AS are identified by numbers. Internet Assigned Numbers Authority (IANA) is the nonprofit organization in charge of assign those numbers to each different system. Each region in the world has a register (member of IANA) that has a pool of numbers available to be assigned according to their necessities.

Now you know how the data is transmitted from one side to another. As you could noticed, we have a big political problem: some AS could deny to transmit all the information from a specific AS, many places even countries could be banned from Internet applying this restriction. But this is another topic that we will see in another article.

Search

Join the community!

Name:

Email:

Listen to The 4Geeks Podcast

the 4geeks podcast logo

Lease Your Own IT Team in Latin AmericaGet Quote