The Border Gateway Protocol (BGP), a core internet protocol, is wide open to abuse. Attackers can effectively fool other networks into misdirecting internet traffic for the attackers’ gain, be it snooping, phishing, or some other goal.
While many hijacking events are benign and due to misconfigurations, there have been numerous cases in the past few years showing attackers are abusing BGP on a large scale.
A BGP route hijack happens when an internet operator wrongly announces another network’s IP address blocks. In BGP route tables, ISPs are identified by an AS (Autonomous System) number.
SEE: 10 tips for new cybersecurity pros (free PDF)
A problem with the system is that it’s difficult to know for sure whether a BGP hijacking event is actually malicious or just an accident. Researchers have in the past identified highly suspicious events because traffic from major companies like Apple, Amazon, Microsoft, and Google was wrongly rerouted. The other sign is the location and reputation of the ISP that caused it.
Other times, it’s more clear cut that an event is malicious, but internet infrastructure providers can still be wrongly routing traffic according to an attacker’s plan for hours before they can rectify the problem.
The US National Institute for Standards and Technology (NIST) is working on a proposal that could thwart many BGP hijacking events.
It involves Resource Public Key Infrastructure (RPKI) to allow cloud providers and ISPs that hold blocks of internet addresses to control which networks can announce a direct connection to their address block.
It’s also working on BGP Validation so that routers can use RPKI information to filter out unauthorized BGP route announcements.
Researchers at MIT are working on the detection side of the problem using a machine-learning model to “automatically identify Autonomous Systems (ASes) that exhibit characteristics similar to serial hijackers.”
The gist of the effort is to help network operators proactively respond to ISPs that have a track record for bad behavior rather than only reacting to events after they happen. As it is, network operators can only publicly call out bad behavior in network engineering mailing lists and hope other networks help correct the issue.
“Current hijack detection systems typically rely on assumptions of prefix ownership and track origin changes in the global routing table. If an event is detected, the victim network can react and attempt to get in contact with the perpetrator or its upstream networks to solve the problem,” the MIT researchers explain in a paper ‘Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table’, which they’ll present later this month in Amsterdam.
“However, many times this contact is not fruitful or not even possible. At that point, victims of hijacks are only left with the option of publicly disclosing the event in network operator mailing lists in the hope that peer pressure and manual interventions by other networks, such as filtering announcements or refusing to provide transit, will remediate the situation.”
The researchers built the machine-learning detection model based on the assertion that malicious BGP behavior by an actor is sometimes consistent over time. By analyzing actions over time, the researchers aimed to create a scoring system to indicate an operator’s good or bad reputation.
The serial BGP hijackers they focus on are the ASes that have displayed malicious activity in the global routing table for several years.
“We take on a new perspective on illicit BGP activity: instead of looking at individual BGP hijacking events, we study the long-term prefix advertisement dynamics in the global routing table in space and time.”
Specifically, they looked at BGP announcement dynamics of serial hijacker ASes over five years in a bid to identify characteristics that separate them from well-behaved ASes.
One of the serial hijackers in the study, AS197426, or BitCanal, was “effectively cut off from the global internet” last July, according to Oracle-owned Dyn. The Portuguese company was described by a security researcher as a BGP “hijack factory” because of its persistent hijacking activity over the years.
The classifier also identified AS19529 as a hijacker network and AS134190 as a network that shows the most recent indications of potential serial hijacker behavior.
With this knowledge, it would be possible for network operators to deploy systems to automatically discard bad BGP routing announcements rather than relying on mailing lists.
But they also note possible problems with autonomous detection. For example, companies that provide protection against distributed denial-of-service (DDoS) attacks are what they call ‘benign serial hijackers’ because the process of scrubbing DDoS traffic involves BGP hijacking.