Yes, we can minimize the BGP Hijacking Risk
Every day we see something new about the global security threat. It is hard to keep track of all the various ways your network can be attacked. But there are some threat-vectors which need particular attention. "Did you know that a threat-actor with 20 BGP speaking routers can cause massive disruption in telecommunications all over the world?" "Did you know that someone on the other side of the planet can BGP hijack you traffic here in ASEAN?" Yes, there are attacks which can threaten the entire Internet.
These were the opening remarks in a September 2018 talk at Singapore International Cybersecurity Week (SICW). The room was full of ASEAN and Asian security professionals from governments, large corporations, and vendors. They have been through two days of sessions with "officials" talking about cybersecurity problems. Yet, this was the first talk that started with "here is how to cause massive disruption on the Internet." Their next question was "what is Border Gateway Protocol?"
What is the Border Gateway Protocol (BGP)?
BGP is the glue for Internet and Telecommunications together. Think of BGP as the glue that holds everything together. Everything on the Internet is interconnected with BGP Internet. Today, all mobile communications use BGP to interconnect with the Internet and each other. Other telecommunications services also use BGP in some shape or form. In essence, BGP has become one of the most important tools which interconnect everything." Leaders are waking up that the world of Mobile, Telecoms, and Internet have merged. The glue that holds is all together is the Border Gate Protocol. If BGP is attacked, the impact is beyond losing access to Facebook. It is losing access to voice and other critical services.
Understanding today Internet/Mobile/Telecom world requires a core understanding of how we organize networks. Each organization is grouped into an Autonomous Systems (ASN number). We interconnect our ASNs with BGP sessions which "peer" with each other. When you use your mobile phone, that mobile operator would have BGP peering sessions with other mobile operators, cloud operators, and the rest of the Internet. The service that mobile operator provides is disrupted if that BGP peering is disrupted or someone advertises garbage, unauthorized routes, or 'de-aggregates' the Internet. The BGP protocol and approach have served the Internet and all other telecommunications networks. BGP provides the technology and business flexibility that facilitates creative scaling all over the world. What few realize is the extent of BGP fragility we all have to live with.
BGP Hijacking - Direct Risk to All Connected Organizations
BGP Hijacks are today's most visible "interconnection" risk. BGP Hijacking happens when someone advertises an IPv4 or IPv6 prefix from a place on the Internet for which they are unauthorized to hijack. If you use the illustration above, "Customer N" is authorized to advertise the prefix X.Y.Z.0/22. In this illustration, someone breaks into a BGP speaking router in AS 200 and advertises the X.Y.Z.0/24. That advertise would have all the ASNs next to AS 200 start sending their packets to AS 200 vs the customer. The Threat-Actors who have broken into Router Q can now pretend to be the "Customer."
BGP Hijacking is not a theoretical attack. Look at the MyEtherWallet Incident from April 2018 as an example:
Anatomy of a BGP Hijack on Amazon's Route 53 DNS Service (Thousandeyes)
BGP Hijack of Amazon DNS to Steal Crypto Currency (Dyn/Oracle)
Shockingly, if you ask CIOs and CISO throughout the world "do you have reaction plans in place to respond to a BGP Hijacking attack," the response you are most likely to get is "what is BGP?"
The security ignorance around one of the riskiest elements of our Internet infrastructure is scary.
Reducing the BGP Hijack Risk - Ask Questions
The first steps to reducing the risk of BGP Hijacks is through simple questions any CxO, department head, or manager can ask their team. These questions foster a discovery dialog that will turn into a plan of action. None of these questions are hard, require a "BGP Ph.D.," or is hard to understand. All it takes is for Enterprise and other Organizations to start asking questions.
CxOs all over the world should be asking their team simple questions:
Q. How are we protecting our BGP Routes on the Internet?
Do we have a plan or a process in place if someone tries to hijack one of our prefixes? What are the services someone can hijack? Could they BGP hijack our DNS Authoritative service?
Q. How do we make sure we don't make a BGP mistake?
How do we make sure we do not advertise "YouTube?" Human mistakes and misconfiguration are the most common "BGP errors." My of the suspected "BGP Hijacks" turn out to be a misconfiguration, an error in a configuration script, or "BGP skills" needed to craft a policy. Yet these mistakes happen all the time. A CxO asking "how do we minimize BGP mistakes" is important. The Pakistan Telecom - YouTube incident end up with a self-inflicted Denial of Service (DOS) where all traffic for Youtube headed to Pakistan. What happens if the same thing happens with a Bank?
Q. Explain to me in simple terms, our BGP based interconnection policy?
How do we connect to? Has anyone written down our BGP Peering Policy? How do we know it works as we expect? If something breaks what do we do? Who do we call in our ISPs if something is not working?
Q. What is our BGP Crisis Reaction Plan?
What do we do when someone tries to BGP Hijack us from the other side of the planet? BGP Hijacks do not need to be local. All it takes is for some Threat-Actor to find a BGP speaking router in some ASN in the world, break into that router, then modify the BGP advertisements. This happens all the time. CxOs, you can be sitting on one side of the world and the BGP hijack happens on the other side of the world. You cannot resolve this on your own. You are going to need help from your ISPs.
Q. How would we know if we're being attacked through a BGP Hijack?
There have been many times where a phone call is received by the Operations team with someone saying "hey, do you know your services are being redirected by a BGP Hijack?" Do we have BGP tools to monitor our services? There are options in the community which are available. Ask your ISPs or your Cloud partners what they do to monitor for their BGP Hijacks. You might be able to use their same tools.
Q. What help can our ISPs offer during a BGP Hijack?
BGP Hijacks cannot be mitigated or investigated in isolation. An alliance of all your ISPs, Cloud Operators and peers is needed to help pinpoint and mitigate the hijack. Don't wait for the BGP Hijack to have a conversation with your ISP. Proactively have the conversation, know which people to call, and walk through "what if" scenarios. Explore what can be done jointly to minimize the threat, preventing a business damaging outage.
Q. What are your ISPs Plans for BGP Security?
There is a progressive list of BGP Security actions each ISP can take to minimize the BGP Hijacking risk. This progressive list starts with the BGP Security Best Common Practices (BCPs). Just doing the BGP Security BCPs will significantly reduce the BGP Hijacking risk.
Next is the ISP's commitment to Internet security through the Mutually Agreed Norms on Routing Security (MANRS). MANRS is a collection of best practices agreed to by major Operators around the world. MANRS is a commitment to each other that a signatory will deploy core security essentials which include BGP Routing Security. Imagine the impact of Banks around the world asking their ISPs to be MANRS compliant?
BGP Peer-Lock and Resource Public Key Infrastructure (RPKI) Route Origin Validation are the next levels of ISP's BGP Security activity. Both add to the security of the Internet and adds additional layers of BGP Hijack resilence. Both are worth an Enterprise's conversation with their ISPs. It paints a picture of the ISP's thinking and commitment to BGP Hijack Resiliency.
Enterprises asking ISPs "How do you Protect us from BGP Hijacks?"
Think of the consequences as you go through the BGP "Hijacking" Risk Reduction questions. First, these questions should not be a surprise with Telcom and ISPs around the world. They are legitimate questions with is part of the service you are buying from your providers. Second, they often become the "justification" for the staff in the ISP to take action. "We have five top customers all ask us about BGP security. Boss, we think it is time to take action." Finally, the simple BGP Hijack Security dialog will put everyone on a watchful stance. People will notice when someone tries to deploy a BGP Hijack. The industry decreases its response time to these hijacks all because CxOs in Enterprise network around the world is asking the question ..... "How are we protecting ourselves from BGP Hijacks?"