BGP hijacking is a malicious rerouting of Internet traffic that exploits the trusting nature of BGP, the routing protocol of the Internet.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
BGP hijacking is when attackers maliciously reroute Internet traffic. Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to. A BGP hijack is much like if someone were to change out all the signs on a stretch of freeway and reroute automobile traffic onto incorrect exits.
Because BGP is built on the assumption that interconnected networks are telling the truth about which IP addresses they own, BGP hijacking is nearly impossible to stop – imagine if no one was watching the freeway signs, and the only way to tell if they had been maliciously changed was by observing that a lot of automobiles were ending up in the wrong neighborhoods. However, for a hijack to occur, attackers need to control or compromise a BGP-enabled router that bridges between one autonomous system (AS) and another, so not just anyone can carry out a BGP hijack.
BGP stands for Border Gateway Protocol, and it is the routing protocol of the Internet. In other words, it provides directions so that traffic travels from one IP address to another as efficiently as possible. An IP address is the actual web address of a given website. When a user types in a website name and the browser finds and loads it, requests and responses go back and forth between the user's IP address and the IP address of the website. DNS (domain name system) servers provide the IP address, but BGP provides the most efficient way to reach that IP address. Roughly speaking, if DNS is the Internet's address book, then BGP is the Internet's road map.
Each BGP router stores a routing table with the best routes between autonomous systems. These are updated almost continually as each AS* – often an Internet service provider (ISP) – broadcasts new IP prefixes that they own. BGP always favors the shortest and most direct path from AS to AS in order to reach IP addresses via the fewest possible hops across networks. Learn more about BGP >>
An autonomous system is a large network or group of networks managed by a single organization. An AS may have many subnetworks, but all share the same routing policy. Usually an AS is either an ISP or a very large organization with its own network and multiple upstream connections from that network to ISPs (this is called a 'multihomed network'). Each AS is assigned its own Autonomous System Number, or ASN, to identify them easily. Learn more about autonomous systems >>
BGP makes the large-scale growth of the Internet possible. The Internet is made up of multiple large networks that are interconnected. Because it is decentralized, there is no governing body or traffic cop laying down the best routes for data packets to travel to their intended IP address destinations. BGP fulfills this role. If not for BGP, web traffic could take huge amounts of time to reach its destination due to inefficient routing, or would never reach the intended destination at all.
When an AS announces a route to IP prefixes that it does not actually control, this announcement, if not filtered, can spread and be added to routing tables in BGP routers across the Internet. From then until somebody notices and corrects the routes, traffic to those IPs will be routed to that AS. It would be like claiming territory if there were no local government to verify and enforce property deeds.
BGP always favors the shortest, most specific path to the desired IP address. In order for the BGP hijack to be successful, the route announcement must either:
1) Offer a more specific route by announcing a smaller range of IP addresses than other ASes had previously announced.
2) Offer a shorter route to certain blocks of IP addresses. Additionally, not just anyone can announce BGP routes to the larger Internet. In order for a BGP hijack to occur, the announcement must be made by the operator of an AS, or by a threat actor who has compromised an AS (the second case is more rare).
It may seem surprising that the operator of a large network or group of networks, many of which are ISPs, would brazenly undertake such malicious activity. But considering that by some counts there are now over 80,000 autonomous systems globally, it is not surprising that some would be untrustworthy. Additionally, BGP hijacking is not always obvious or easy to detect. Bad actors may camouflage their activity behind other ASes, or may announce unused blocks of IP prefixes that are not likely to be noticed in order to stay under the radar.
As a result of BGP hijacking, Internet traffic can go the wrong way, be monitored or intercepted, be 'black holed,' or be directed to fake websites as part of an on-path attack. In addition, spammers can use BGP hijacking, or the network of an AS that practices BGP hijacking, in order to spoof legitimate IPs for spamming purposes. From a user perspective, page load times will increase because requests and responses will not follow the most efficient network route, and may even travel all the way across the world unnecessarily.
In the best-case scenario, traffic would just take an unnecessarily long route, increasing latency. In a worst-case scenario, an attacker could be conducting an on-path attack, or redirecting users to fake websites in order to steal credentials.
There have been many real-world examples of deliberate BGP hijacking. For instance, in April 2018, a Russian provider announced a number of IP prefixes (groups of IP addresses) that actually belong to Route53 Amazon DNS servers. In short, the end result was that users attempting to log in to a cryptocurrency site were redirected to a fake version of the website controlled by hackers. The hackers were thus able to steal approximately $152,000 in cryptocurrency. (To get more specific: Via BGP hijacking, the hackers hijacked Amazon DNS queries so that DNS queries for myetherwallet.com went to servers they controlled, returned the wrong IP address, and directed HTTP requests to the fake website. Read more in our blog post: 'BGP leaks and cryptocurrencies'.)
Inadvertent instances of BGP hijacking are prevalent as well, and they can have a negative impact on the entire global Internet. In 2008, the Pakistani government-owned Pakistan Telecom attempted to censor Youtube within Pakistan by updating its BGP routes for the website. Seemingly on accident, the new routes were announced to Pakistan Telecom's upstream providers, and from there broadcast to the whole Internet. Suddenly, all web requests for Youtube were directed to Pakistan Telecom, resulting in an hours-long outage of the website for almost the entire Internet, and overwhelming the ISP.
Aside from constant monitoring of how Internet traffic is routed, users and networks can do very little to prevent BGP hijacks.
Most networks should only accept IP prefix declarations if necessary, and should only declare their IP prefixes to certain networks, not the entire Internet. Doing so helps prevent accidental route hijacking and could keep the AS from accepting bogus IP prefix declarations; however, in practice this is difficult to enforce.
Increased latency, degraded network performance, and misdirected Internet traffic are all possible signs of a BGP hijack. Many larger networks will monitor BGP updates to ensure their clients do not face latency issues, and a few security researchers do in fact monitor Internet traffic and publish their findings.
BGP was designed to make the Internet work, and it certainly does that. But BGP was not designed with security in mind. More secure routing solutions for the Internet as a whole (such as BGPsec) are being developed, but there is no adoption of them yet. For the time being, BGP is inherently vulnerable and will remain so.
Cloudflare has data centers in 330 cities spread out across the world, all of which broadcast one ASN (AS13335) and the same IP prefixes. This minimizes the number of networks traffic needs to cross in order to reach a Cloudflare-hosted IP addresses. As a result, efficient paths to Cloudflare-owned IP addresses are available from almost anywhere in the world. For an AS in Japan, the shortest path to a Cloudflare IP may be only a couple of network hops away, ending in a local Japan-based Cloudflare data center. In California, traffic could go to the same IP address, hosted within the same Cloudflare AS, and end up reaching it via a Californian data center.