BGP Hijacking: The What, Why, How, And More

• The Border Gateway Protocol (BGP) is a routing protocol for data and information transfer on the internet.
• Hijacking this protocol involves an attacker impersonating a network to forward traffic to the attacker-controlled destination.

The what

BGP hijacking is the fraudulent rerouting of internet traffic by taking over IP addresses.

• This type of hijacking is also known as IP hijacking, route hijacking, or prefix hijacking.
• Because this protocol is built on the assumption that the interconnected systems are only providing the IP addresses they own, this hijacking could go undetected for a while.

The why

BGP hijacking is a form of DDoS attack that may used to steal credentials from personal and financial accounts. This is done as a part of a man-in-the-middle attack that sniffs for information on networks. They could also complement advanced phishing attacks or be a part of a disinformation campaign.

The how

An autonomous system refers to a network or a collection of network that a particular organization manages.

• A BGP router will have the best routes between each autonomous system in its routing table.
• As each autonomous system gives the new IP addresses they own, the BGP router updates its table with the shortest and most direct path that involves fewer number of network hops.
• When an autonomous system broadcasts IP addresses that it doesn’t own, there is no way to verify this data in the protocol. As usual, the BGP routers update their tables with the best routes.
• A compromised edge router may announce IP prefixes that are more specific than the legitimate one or offer a shorter path to ensure the redirection of traffic.
• To stay undetected, unused prefixes are used. Hackers use this technique to reroute traffic to their malicious networks.

Signs to watch out for

External services can be employed to watch out for illegitimate announcements to the BGP router.

The hijack may result in a page loading multiple times because the network requests may be traveling a long path. Latency will also rise notably in most cases.

Protective measures

There are monitoring tools available that detect possible BGP hijacking attacks.

• A plan or process that outlines what must be done when a BGP hijack attempt is detected can help.
• Routing and security recommendations are provided in the Mutually Agreed Norms for Routing Security (MANRS) initiative.