Border Gateway Protocol (BGP) hijacking, sometimes called prefix hijacking or IP hijacking, occurs when an attacker redirects web traffic away from its intended destination.
One such attack had lately impacted more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers.
The lesser-known BGP hijacking attack occurred late, affecting more than 200 of the world’s largest Content Delivery Networks (CDNs) and cloud hosting providers. The companies affected were those in the cloud services and CDN markets, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean and Joyent.
Typically, BGP is used to exchange routing information between different locations on the Internet. It is the language that is spoken by routers on the Internet to decide on the most optimal path to reach a destination. However, due to its ancient design and adoption of encryption or lack of automated verification method, BGP has caused hundreds of outages.
How does BGP hijacking work?
BGP hijackers, sometimes called prefix hijacking or IP hijacking, occur when attackers redirect web traffic away from their intended destination and instead send requests coming to the IP address under their control. It is an attack against routing protocols in which cybercriminals call their victims’ IP identities to commit malicious activities such as spamming, phishing and malware hosting.
In other words, this attack can be compared to sending a private user to the wrong address, which was provided by an importer to place an order. Once the information is emailed to the wrong address, the importer has it forever and can use it for its malicious purposes.
- One of the most remarkable incidents involving BGP hijack occurred in 2018 where the cybercriminals had used the technique to generate $29 million through fraudulent ad revenue. The attack, carried out by an ad fraud gang named ‘3ve’, took control of IP addresses belonging to the US Air Force and other reputable organizations.
- In April 2018, attackers had rerouted almost 1,300 addresses from Amazon Route 53 with an aim to steal cryptocurrency. By subverting Amazon’s domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end-users.
- In July 2018, the BGP hijacking attack method was also used to target several payment processing companies in the United States and redirect users to malicious websites. The attackers had used rogue DNS servers to return forged DNS responses to users trying to access a certain website.
- In 2019, the traffic going through a public DNS server run by the Taiwan Network Information Center (TWNIC) came under attack and was rerouted for several minutes to an entity in Brazil.
What does MANRS suggest?
Vigilance is the key to preventing such attacks. In 2014, the Internet Society launched a mutually agreed Norm for Routing Security (MANRS) initiative aimed at eliminating common routing threats, including BGP hijacking.
- Global validation – The service providers will have documented routing policies that are available publicly and communicate with their peers.
- Filtering – One of these policies will ensure that only correct routes are announced.
- Anti-Spoofing – Anti-spoofing filtering must be used to only allow the correct source IPs from entering their network.
- Coordination – Service providers’ contact information must be publicly accessible and up to date.