Finding the best way to get from Point A to Point B is easy if you’re drawing a straight line on a piece of paper, but when Point A is your computer and Point B is a website halfway around the world, things get a bit trickier.
In the latter case, Border Gateway Protocol (BGP), the routing protocol used by the global internet, is used to find the best path by weighing the latest network conditions based on reachability and routing information. BGP manages how data packets get delivered between the large networks that make up the internet and makes it possible for the internet as we know it to operate efficiently.
What is Border Gateway Protocol?
BGP has been called the glue of the Internet and the postal service of the internet. One comparison likens BGP to GPS applications on mobile phones. If you were driving from Boston to Los Angeles, the GPS app decides the best route possible using existing knowledge of road conditions, traffic jams, and whether you want to travel on a toll road. Sometimes the shortest path is not the best path. BGP is like having a continuously updated map of the internet from which routers choose the best path at the time.
The definition of BGP from the IETF states that its primary function “is to exchange network reachability information with other BGP systems.” When it’s working smoothly, BGP makes these separate systems work in harmony to create the internet.
The internet has been called a network of networks, in which groups of individual networks managed by a large organization connect with other groups of networks managed by other large organizations. These network groups are known as autonomous systems (AS), and the large organizations with AS status include ISPs, large government agencies, universities, and scientific institutions.
Each AS creates rules and policies for how traffic moves within its network. Your home computer may be part of the AS being managed by your ISP, and it handles the traffic to and from any other nodes within their AS. But if you are trying to access a site beyond the AS, then BGP gets involved.
AS organizations arrange peering agreements among themselves that allow traffic to travel between their networks. BGP routers at the edge of AS networks advertise to their peers the prefixes of IP addresses that they can deliver traffic to. These advertisements are made regularly through network-prefix announcements that are used to update each router’s routing table.
Autonomous-system peering agreements
BGP routers use decision-making algorithms and policies established in AS-peering agreements to analyze the data they gather via the prefix announcements and choose which peer is best to send each packet stream to at any given time. For the most part, the path with the fewest number of network hops is selected, but due to congestion and delay, another, longer route may actually be faster. Once the traffic moves across an AS and reaches another BGP router connected to a different AS, the process repeats itself until the data reaches the AS where the destination site is located.
In most cases, in order to connect to the internet, computers, phones, and other devices use ISPs. The networks of these access providers connect to progressively larger ISP networks until they finally have access to the internet backbone. Traffic from a starting point goes up through the network hierarchy to the backbone and then back down again to the destination IP address.
(BGP can also be used for routing within an AS, but it’s not necessary because there are other routing protocols that serve just as well. When it is used that way, it is called internal BGP (iBGP).)
In order for network operators to control routing within their own networks and to exchange routing information with other ISPs, autonomous system numbers (ASN) are used. These numbers are assigned by the Internet Assigned Numbers Authority (IANA) and distributed through regional internet registries to ISPs and other network operators. Like IP addresses, ASNs come in both 16-bit (two-byte) and 32-bit (four-byte) forms. As of January 2021, there are nearly 100,000 ASNs worldwide, with about 29% of them located in the U.S.
What is BGP hijacking?
With ASNs continually joining the Internet and providing new routes for traffic, the number of BGP advertisements increases, creating a larger and larger attack surface. Because BGP assumes that each AS is telling the truth about the IP addresses it owns and the routing information it shares, this has led to a problem known as BGP hijacking.
With this attack, adversaries manipulate BGP routing tables to have a compromised router advertise prefixes that have not been assigned to it. If those false advertisements indicate that a better path is available than the legitimate path, traffic may be directed that way—only the path leads to malicious servers that could steal credentials, download malware, and execute other damaging activities. And all the while end users think they are visiting legitimate sites.
A high-profile case of BGP hijacking occurred in 2018 when a Russian ISP falsely announced a number of IP prefixes that actually belonged to a group of Amazon DNS servers. Users attempting to log in to a cryptocurrency site were redirected to a counterfeit site where hackers were able to steal about $152,000 in cryptocurrency.
In another well-documented incident, Pakistan Telecom, in its role as an ISP, attempted in 2008 to censor YouTube by advertising its own BGP routes to the site so users attempting to reach it would be blocked. However, the new routes were also announced to the ISP’s upstream providers, which then broadcast them to the rest of the Internet. As a result, Web requests for YouTube were directed to Pakistan Telecom, which not only resulted in a massive outage for the site but also overwhelmed the ISP.
How to fight BGP hijacking
There are several strategies for defending against BGP hijacking, including using IP address-prefix filtering that blocks inbound network traffic from networks known to be controlled by malicious actors. Another is BGP hijack-detection monitoring, which looks for suspiciously increased latency, degraded network performance or misdirected Internet traffic that could flag hijacking attempts.
BGPsec
A security extension, BGPsec uses cryptographic verification for advertised routes and lets backbone routers apply digital signatures to their route-update advertisements. This makes it more difficult for unauthorized attackers to advertise bad routes for ASes, and it also helps prevent misconfigurations. However, implementing it would require the entire internet to adopt it, and almost at the same time. Imagine announcing that the entire internet needs to go down for 10 minutes in order to update itself, and you can see how well that will go over with everyone.
MANRS
Nevertheless, there is hope. In September 2020, a group known as Mutually Agreed Norms for Routing Security (MANRS) created a task force to help content-delivery networks and other cloud services adopt filters and cryptography to secure BGP. The group, which was formed in 2014, aims to “commit to the baseline of routing security defined by a set of six security-enhancing actions, of which five are mandatory to implement.”
The actions:
- Prevent propagation of incorrect routing information
- Prevent traffic with illegitimate source IP addresses
- Facilitate global operational communication and coordination
- Facilitate validation of routing information on a global scale
- Encourage MANRS adoption
- Provide monitoring and debugging tools to peering partners (optional).
MANRS is promoting the use of routing public key infrastructure (RPKI), a public database of routes that have been cryptographically signed to prove their trustworthiness. While users of RPKI publish the routes they offer and check the database to confirm others’ routes, the system can only eliminate leaks and outages if everyone is using it. Otherwise, in order to keep the internet moving, BGP routers will be forced to accept advertisements that are not validated.
Another company is going the public shaming route to try to convince companies to support RPKI. At the website “Is BGP Safe Yet?”, launched by Cloudflare, users can get updates on ISPs that are implementing RPKI and read an FAQ on the situation. More importantly, they can click a button to see whether their ISP is safe or not.
While this site may come off as a publicity stunt, its existence points up the ongoing seriousness of the problem.
(Keith Shaw is a freelance technology journalist who has been writing for more than 20 years on a variety of technology topics, including networking, consumer electronics, robotics and the future of work.)