BGP Hijacking
Randy Simmons
Redefining cybersecurity, by introducing simple to use, easy to understand, innovative technologies.
It is more common than we think for routers running the Border Gateway Protocol (BGP) to be hijacked. The hijackers inject additional hops that redirect large blocks of Internet traffic to a location where it can be monitored, and even manipulated, before being forwarded on to its intended destination.
The attack makes a BGP-speaking router do exactly what it was designed to do. All the attacker changes is the router's configuration. A normal border router carries configuration entries for all the networks it can reach, its own and its customers'; the hijack simply adds a few more lines. The router then announces those routes to its peers, telling them it can reach address space it has no legitimate claim to. As long as you have access to a border router at an important service provider, and you have chosen the right place to do it, no malware is required.
The targets are financial services organizations, health care and insurance providers, government agencies and other large enterprises; for that matter, anyone an attacker sees value in. The attack takes place at the level of BGP routes, that is, blocks of IP addresses, and in most cases it targets specific organizations.
There is some sophistication in choosing where to inject the routes from. You want to evade whatever filters networks have in place to stop bad routing from spreading, and you want to inject at a network influential enough that it will propagate your announcement to the people whose traffic you want. Most of the sophistication in the attack lies in choosing the point at which the route injection is done.
The attackers can pull off this kind of redirection and traffic inspection without adding much latency at either end of the web request. Unlike a traditional man-in-the-middle attack, where the bad guy is in physical proximity to the victim, here the attacker can just as easily be halfway around the world. And should the traffic in question be unencrypted, plenty of sensitive business or personal data is at risk.
The attacker gets only one side of the conversation. If they hijack the addresses belonging to the web server, they see the users' requests for every page they want. If they hijack the addresses belonging to the desktops, they see all the content flowing back from the web servers toward those desktops.
Most companies don't have the resources or the expertise to detect this type of attack, so it can go on indefinitely. With precedent-setting settlements like Anthem's $115 million, we should all be aware of the disastrous personal and monetary effects any type of data compromise can have.
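To make the mechanics above concrete, here is an added example that is not part of the original article: a small Python model of the routing tables of four networks (a victim, its transit provider, an observer network whose customers' traffic the attacker wants, and the attacker). It shows that the hijack is nothing more than one extra route announcement, why a more-specific prefix wins at every network that accepts it, why the choice of injection point and the AS path attached to the announcement decide whether the diverted traffic still reaches its destination, and why the attacker sees only one direction of the conversation. The loop-prevention detail in the third scenario goes beyond what the article describes: a plain announcement makes the attacker's own upstream route the traffic straight back, so it loops; an announcement that already carries the upstream's AS number is discarded by that upstream through normal BGP loop prevention, so the upstream keeps its clean route and forwards the attacker's traffic on. All AS numbers (private range) and prefixes (documentation ranges) are constructed for the illustration, and best-path selection is reduced to longest prefix, then shortest AS path.

```python
"""Added example, not from the article: a toy model of the BGP tables of four
networks, showing how one extra route announcement diverts traffic and why the
attacker only ever sees one direction of the conversation. AS numbers (private
range) and prefixes (documentation ranges) are constructed for the illustration;
best-path selection is reduced to longest prefix, then shortest AS path."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # as_path[0] = AS we learned it from, as_path[-1] = origin


class Rib:
    """Routing table of one AS."""

    def __init__(self, local_as):
        self.local_as = local_as
        self.routes = []

    def originate(self, prefix):
        self.routes.append(Route(ipaddress.ip_network(prefix), (self.local_as,)))

    def learn(self, prefix, as_path):
        # Standard BGP loop prevention: an announcement whose path already
        # carries our own AS number is discarded.
        if self.local_as in as_path:
            return False
        self.routes.append(Route(ipaddress.ip_network(prefix), tuple(as_path)))
        return True

    def lookup(self, ip):
        ip = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


VICTIM, TRANSIT, OBSERVER, ATTACKER = 64500, 64510, 64520, 64530
SERVER_PREFIX, CLIENT_PREFIX = "203.0.113.0/24", "198.51.100.0/24"
SERVER_IP, CLIENT_IP = "203.0.113.10", "198.51.100.7"


def build_internet(hijack_path=None):
    """Tables of the four ASes. hijack_path is the AS_PATH the attacker attaches
    to a bogus 203.0.113.0/25 announcement sent to its peers (None = no hijack)."""
    ribs = {asn: Rib(asn) for asn in (VICTIM, TRANSIT, OBSERVER, ATTACKER)}
    ribs[VICTIM].originate(SERVER_PREFIX)
    ribs[OBSERVER].originate(CLIENT_PREFIX)
    ribs[TRANSIT].learn(SERVER_PREFIX, (VICTIM,))
    ribs[TRANSIT].learn(CLIENT_PREFIX, (OBSERVER,))
    ribs[VICTIM].learn(CLIENT_PREFIX, (TRANSIT, OBSERVER))
    ribs[OBSERVER].learn(SERVER_PREFIX, (TRANSIT, VICTIM))
    ribs[ATTACKER].learn(SERVER_PREFIX, (TRANSIT, VICTIM))
    ribs[ATTACKER].learn(CLIENT_PREFIX, (TRANSIT, OBSERVER))
    if hijack_path is not None:
        # The extra configuration lines: announce a more specific to every peer.
        # The attacker's own table is untouched; it still forwards toward TRANSIT.
        for asn in (OBSERVER, TRANSIT):
            ribs[asn].learn("203.0.113.0/25", hijack_path)
    return ribs


def trace(ribs, start_as, dst_ip, max_hops=8):
    """Follow each AS's best route toward dst_ip. Returns the AS sequence,
    ending in 'LOOP' if forwarding cycles (the packet never arrives)."""
    path = [start_as]
    while len(path) < max_hops:
        route = ribs[path[-1]].lookup(dst_ip)
        if route is None:
            return path + ["UNREACHABLE"]
        nxt = route.as_path[0]
        if nxt == path[-1]:  # this AS originates the prefix: delivered
            return path
        if nxt in path:
            return path + ["LOOP"]
        path.append(nxt)
    return path + ["LOOP"]


def scenario(hijack_path=None):
    """Request direction (client -> server) and response direction (server -> client)."""
    ribs = build_internet(hijack_path)
    return {"request": trace(ribs, OBSERVER, SERVER_IP),
            "response": trace(ribs, VICTIM, CLIENT_IP)}


if __name__ == "__main__":
    print("no hijack:                 ", scenario())
    # Origin = attacker only: TRANSIT accepts the /25 too and sends the
    # attacker's forwarded packets straight back, so the traffic loops.
    print("naive hijack:              ", scenario((ATTACKER,)))
    # Path lists TRANSIT and the real origin: TRANSIT drops the announcement
    # (its own AS is in the path), keeps its clean route to VICTIM, and delivers
    # what the attacker forwards. OBSERVER's customers now pass through ATTACKER,
    # while the responses still travel VICTIM -> TRANSIT -> OBSERVER unseen.
    print("hijack via loop prevention:", scenario((ATTACKER, TRANSIT, VICTIM)))
```

In the third scenario the request path gains exactly one hop, ATTACKER, and the response path is unchanged, which is the one-sided view the paragraph above describes. Real routers apply many more best-path rules (local preference, MED, IGP cost) before path length, so where the injected route wins in practice depends on the policies of each network it reaches, which is why the injection point matters.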
So what do you do?
We feel the answer is BGProtect. Our service delivers IP hijack detection based on active and passive data-plane monitoring of our customers' sensitive IP address space, monitoring it continuously.
We inform customers in real time about network security and network performance incidents, and allow them to investigate and mitigate those incidents.
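The article does not describe how the service works internally, so the following is an added example and not BGProtect's code: the two kinds of checks that monitoring your own address space implies. The control-plane check compares announcements seen for your prefixes (as a route collector or a peer would record them) against a baseline of the expected origin AS and upstreams; the data-plane check compares the AS sequence of an active probe toward your prefix with the sequence seen when the path was known to be clean, which is where the "additional hops" of a redirection show up. The baseline, the sample announcements and the traceroute results are all constructed for the example.

```python
"""Added example, not BGProtect's code: the control-plane and data-plane
checks implied by monitoring your own address space. The baseline, the
sample announcements and the traceroute results are all constructed."""
import ipaddress
from dataclasses import dataclass

# What the world should see for the space we are responsible for.
# Origin AS and upstream set are assumptions made for this example.
BASELINE = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64510}},
}


@dataclass
class Alert:
    kind: str
    prefix: str
    detail: str


def covering_baseline(prefix):
    """Return the baseline entry whose prefix covers `prefix`, or (None, None)."""
    net = ipaddress.ip_network(prefix)
    for base_prefix, info in BASELINE.items():
        if net.subnet_of(ipaddress.ip_network(base_prefix)):
            return base_prefix, info
    return None, None


def check_announcement(prefix, as_path):
    """Control-plane check on one announcement as seen at a collector or peer.
    as_path is a tuple with the nearest AS first and the origin AS last."""
    base_prefix, info = covering_baseline(prefix)
    if info is None:
        return []  # not our address space: nothing to say
    alerts = []
    origin = as_path[-1]
    if origin != info["origin"]:
        alerts.append(Alert("origin-hijack", prefix,
                            f"originated by AS{origin}, expected AS{info['origin']}"))
    if prefix != base_prefix:
        # A sub-prefix wins longest-prefix match everywhere it is accepted,
        # even when the real origin has been kept on the path to look right.
        alerts.append(Alert("more-specific", prefix,
                            f"sub-prefix of {base_prefix} announced with path {as_path}"))
    if len(as_path) >= 2 and as_path[-2] not in info["upstreams"]:
        alerts.append(Alert("unexpected-upstream", prefix,
                            f"AS{as_path[-2]} sits next to our origin but is not a known upstream"))
    return alerts


def check_traceroute(observed_as_hops, expected_as_hops):
    """Data-plane check: the AS sequence of an active probe toward our prefix,
    compared with the sequence recorded when the path was known to be clean.
    Returns (ASes that appeared, ASes that disappeared)."""
    extra = [a for a in observed_as_hops if a not in expected_as_hops]
    missing = [a for a in expected_as_hops if a not in observed_as_hops]
    return extra, missing


# Constructed announcements: (prefix, AS_PATH) as a route collector would record them.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", (64520, 64510, 64500)),         # legitimate
    ("203.0.113.0/25", (64520, 64530, 64510, 64500)),  # more-specific, real origin kept on the path
    ("203.0.113.0/24", (64520, 64530)),                # plain mis-origination by AS64530
    ("192.0.2.0/24", (64520, 64599)),                  # someone else's space, ignored
]

# Constructed traceroute results from one vantage point, hops mapped to ASes.
EXPECTED_TRACE = [64520, 64510, 64500]
OBSERVED_TRACE = [64520, 64530, 64510, 64500]  # one AS inserted in the middle


def control_plane_alerts(updates=SAMPLE_UPDATES):
    """(kind, prefix) for every alert raised over a batch of announcements."""
    return [(a.kind, a.prefix) for prefix, path in updates
            for a in check_announcement(prefix, path)]


if __name__ == "__main__":
    for prefix, path in SAMPLE_UPDATES:
        for alert in check_announcement(prefix, path):
            print(f"{alert.kind:20} {alert.prefix:18} {alert.detail}")
    appeared, vanished = check_traceroute(OBSERVED_TRACE, EXPECTED_TRACE)
    print(f"data plane: ASes that appeared {appeared}, ASes that vanished {vanished}")
```

Note which check catches which case: the plain mis-origination trips the origin and upstream checks, but the announcement that keeps the real origin and upstream on its path is caught only by the more-specific check and by the extra AS in the traceroute. That is why control-plane monitoring alone is not enough and the data plane has to be watched as well.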
Let me know if you want to learn more.
Regional Sales Manager (7 years ago): Can you post some details on how this is accomplished?
Randy Simmons (7 years ago): Sure Roger, you can check out the white paper at https://www.shield4uc.com/news/; it is the second article down, dated June 6th. Any questions, feel free to give me a shout.