Visa, Mastercard, Amazon, and Google are very powerful companies. Yet, they all fell victim to one powerful attack: BGP Hijacking. If you are here, you are curious to understand what is this attack, and what are its dangers. This post answers to those questions, explaining to you how attackers perform BGP hijacking.
BGP Hijacking in simple terms
BGP Hijacking is an advanced network attack, but even if you are new to networking you can understand its basics. Before we dive into that, we need to understand what is BGP, the protocol under attack. Despite exploiting only BGP, this attack is also known as IP hijacking or route hijacking. We will see why in a second.
What is BGP?
BGP is the acronym for Border Gateway Protocol, and it is the only protocol providers use to exchange routing information. It is at the backbone of the Internet, and without it, the Internet would not work. In fact, imagine the Internet as a network of highways. In this network, each highway has the name of the two cities it connects, like London-Birmingham. So, if you are in London, you know you can get to Birmingham hopping on the London-Manchester highway. However, if Birmingham reaches Manchester with Birmingham-Manchester, you will know that only once you get to Birmingham. If you are planning a trip, starting from London, you want to know before if, in order to reach Manchester, you need to start with the London-Birmingham or with the London-Cardiff.
In highways, we solve this problem with road signs. In the Internet, we don’t have cities, but we have clouds instead. Each cloud is a service provider, like Verizon, AT&T or British Telecom. They connect with each other using fast links, and they exchange routing information. In other words, a provider tells the other “You can get to this other provider passing through me”. For example, in the diagram below, AT&T NORAM will tell BT that they have routes to reach both AT&T LATAM and Verizon. Most likely, BT will send the traffic intended to Verizon to AT&T NORAM, that will forward it to Verizon. Instead, since BT is directly connected to AT&T LATAM, they will prefer reaching directly to that cloud.
If you want to learn more about BGP, you should start from this BGP configuration tutorial.
IP or route hijacking?
In the real-world highways, information on road signs is about street addresses. In the Internet highways, the equivalent of street addresses are IP addresses. Routes are nothing more that road signs: instructions on how to get to a group of IP addresses. Keep this in mind as we approach BGP Hijacking.
What is BGP Hijacking?
The Internet is built on trust between providers. A provider communicates the routes it has to the other providers, and they start using them. Imagine that Mastercard connects to Verizon in the example above, and Verizon propagates its IP addresses to the other providers. AT&T and BT will send the traffic destined to Mastercard to Verizon, which will then send it to Mastercard IP addresses.
An attacker would attach a fake Mastercard cloud to another provider and say “Hey, I am Mastercard!” to the others. Since the Internet uses the mechanism of best path, providers closer to the fake mastercard than the real one will start sending traffic intended to Mastercard to the fake. All the attacker has to do is collect the sensitive information that legitimate providers are deliberately sending to it. Taking the previous network as example, if we connect a fake Mastercard to BT, for sure BT will use the fake one. Depending on the configuration, also AT&T users may use that. Instead, Verizon users are still close to the real one and they will use the legitimate Mastercard.
So, the concept is simple: an attacker disguise for a legitimate company to receive information meant for that company.
How to do BGP Hijacking
While the concept is simple, actually performing the attack is not really simple. You can’t simply attach to a provider and say “Now I am Mastercard”, particularly for large providers like Verizon, AT&T, and BT. Furthermore, this is not possible on customer links, so you we don’t have the risk of script kiddies hijacking Mastercard addresses.
Instead, to actually perform the attack, a hacker has to option: own a real service provider, or breach into one. The first doesn’t need much explanation: the attacker is the provider itself. This may be possible for government-backed hijacks in developing countries. For example, routes to a fake MasterCard were advertised to the Internet by a Russian provider during a real attack.
The second, breaching into a provider is tricky, but still possible. Fortunately, it is not easy to do that. The attacker may have to work with social engineering to get physically inside the provider’s facilities, or might work on targeted attacks. In this case, the hacker needs to trick only one provider to establish a BGP session with him. Once the hacker makes a provider believe it is Mastercard, he is also making believe the same Internet the same thing. With no surprise, small providers with low-security measures are the most common targets for that.
Is not as dangerous as it seems
BGP hijacking is dangerous. Period. However, it is not as dangerous as it seems. In fact, it targets only the network. When you communicate with MasterCard, you establish sessions and application sessions: you send some data, Mastercard sends you some data back, and so you can reply. This, however, requires Mastercard to understand what you re saying and reply accordingly.
The attacker only receives traffic intended to Mastercard with BGP Hijacking. Instead, he is not able to craft proper replies in real-time as he doesn’t have the Mastercard’s server. So, it can only breach the tip of the iceberg. HTTPS will simply stop working, you won’t be able to do transactions, but your information may still be safe.
Furthermore, Mastercard and all the other giants have a huge infrastructure. You simply can’t sniff all the traffic meant for Mastercard on a Raspberry Pi. So, the attacker needs the proper infrastructure as well, something standalone hackers don’t have. However, lone hackers may still do the attack to just cause outages (Denial of Service, DoS). Even if they don’t collect data, data doesn’t reach the real target, which suffers an outage.
Thus, BGP Hijacking is a type of attack requiring a high budget and with little to gain to violate the single users. Instead, it may give the attacker precious information to craft a subsequent attack to the targeted enterprise or company. That’s the more realistic danger for BGP Hijacking.
On top of that, it is worth noting that as this attack became mainstream the NIST has developed a standard to make this attack almost impossible. We are talking about Route Origin Validation, and you can see the first draft of the specification on the NIST website. It is for providers to implement, you don’t have to do anything.
Wrapping it up
In short, BGP Hijacking is an attack where a hacker disguises himself for a legitimate company to get traffic meant for that company. However, this attack is hard to perform, costly, and gives the attacker lots of data with low meaning. Thus, this type of attack does not aim to compromise individual users, but rather to collect more information about large enterprises. The attackers will use that information later, to perform other attacks.
What do you think of BGP hijacking? Do you think you have been breached by this attack? Let me know in the comments.
