BGP Security Efforts Aim to Protect Key Internet Protocol

by Paul Rubens

The Border Gateway Protocol is a cornerstone of the internet, and recent efforts hope to make it more secure.

Border Gateway Protocol (BGP) is a vital cog in the machinery that makes the internet work. But it's also the internet's soft underbelly that hackers can and do exploit to wreak havoc, intercept data, and steal money. Puny humans have been spectacularly bad at protecting this soft underbelly, but the good news is that robots can help us.

Before getting into that, let's get a bit of perspective. BGP, in its various iterations, has been helping data find the best route to get from one place to another on the internet for over thirty years. That's a pretty impressive feat, but like many parts of the internet, it relies on trust.

In this case it relies on Autonomous Systems (ASs) – which are usually ISPs or network entities – announcing routes to blocks of IP addresses that are correct. But sometimes there are BGP route leaks, either due to a genuine configuration error, or as a deliberate ploy to hijack traffic. (A route leak is defined by the Internet Engineering Task Force (IETF) in RFC 7908 as "the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path."

When a route leak occurs, it can lead to the redirection of traffic that may enable eavesdropping or traffic analysis and may or result in an overload or "black hole."

A famous example of a mistake is when Pakistan Telecom attempted to censor YouTube traffic in that country in 2008 by changing its BGP routes for Google's video site. It resulted in all Google traffic ending up in a black hole in Pakistan, and the service becoming unavailable worldwide. A Swiss colo provider made a similarly disruptive mistake in 2019, bringing down WhatsApp, and there have been plenty of other examples over the years.

But there have been plenty of malicious route leaks as well. A Russian provider announced a group of IP addresses that actually belonged to Amazon DNS servers in 2018. The result was that customers of a cryptocurrency site were diverted to a fake one, and many lost money to the scammers because of it.

Measures to strengthen BGP are complicated and slow to be implemented. One initiative is Resource Public Key Infrastructure (RPKI). This is a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number. RPKI is defined in RFC6480. But RPKI has not caught on in a big way yet – despite Cloudflare's reported attempts to shame ASs into implementing RPKI with a controversial isbgpsafeyet website. Some big organisations like AT&T and Cloudflare have adopted RPKI. Many others haven't.

ASs can also filter route announcements based on rules from the Internet Routing Registry (IRR) system, and attempts can be made to monitor the internet for performance slowdowns which could indicate a leak. These can be partially effective but rely on watching what is going on at any particular time.

Robots to the rescue?

So how can the robots help? Researchers at MIT have been using machine learning for at least a year to analyse BGP routing announcements, and these machine learning systems are able to spot suspicious BGP shenanigans. The researchers say they have spotted about 800 shady networks which may have been hijacking data for months or even years by identifying suspicious characteristics.

These include single sources containing IP addresses from multiple countries, and also the time that blocks stay online: legitimate ones tend to stay active for an average of two years, while malicious ones only last an average of 50 days.

The robots aren't perfect though: a classic form of cyber defense against a DDoS attack is to use BGP to divert malicious traffic to a website to a black hole, so human intervention is needed to discern between malicious activity and attempts to bring a DDoS attack under control, for example.

But the MIT initiative may prove significant, along with RPKI and other measures, in helping us humans nurture the venerable BGP as it lumbers on towards its 40th birthday in 2029.

This article was originally published on Saturday Oct 24th 2020