Donate
‹ Back
7 February 2014

BGP Hijacking In Iceland And Belarus Shows Increased Need for BGP Security

Dan York
By Dan YorkDirector, Web Strategy & Project Lead, Open Standards Everywhere

Want to understand better why we need to secure the Border Gateway Protocol (BGP) to make the Internet’s routing infrastructure more secure? Just read this article on Wired’s site, “Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet“, or the corresponding post on the Renesys blog, “The New Threat: Targeted Internet Traffic Misdirection“.   The key point is that attackers are abusing BGP to hijack the routing of traffic off to a another network – but without the end-user having any clue that their traffic was diverted.  As noted by Jim Cowie on the Renesys blog:

What makes a Man-in-the-Middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim’s traffic, they release it right back onto the Internet, and the clean path delivers it to its intended destination. If the hijacker is in a plausible geographic location between the victim and its counterparties, they should not even notice the increase in latency that results from the interception. It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fiberoptic taps?

He goes on to illustrate with an example where traffic was diverted to an ISP in Belarus:

In February 2013, we observed a sequence of events, lasting from just a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel. These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

The article shows several graphical examples of how the network traffic was routed though the Belarusian ISP, such as this one:

Renesys map of route hijackingThe Renesys blog post goes on to show examples from a second series of incidents related to an ISP in Iceland, including one where traffic from one network in Denver, Colorado, went to another network in Denver… by way of Iceland!

As both the Wired article and the Renesys post say, the attackers behind these attacks have not yet been identified, and may well never be.  This kind of attack, though, is being seen on an increased basis.

This is why we’ve opened up our new topic area on Securing BGP.  We collectively need to all work together to make the Internet’s routing infrastructure more secure and more resilient against these type of attacks.  We’ll be working over the months ahead to add more content to this site – and we could use your help finding or writing items on our “Securing BGP Content Roadmap”.   If you operate a network router, we would also encourage you to join our Routing Resiliency Survey so that we can help in the effort to collect data about what kind of BGP attacks are being seen.

We need to prevent these type of hijackings from happening – and we need your help to do so!

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

What is BGP Hijacking, Anyway?
What is BGP Hijacking, Anyway?
Mutually Agreed Norms for Routing Security (MANRS)7 May 2018

What is BGP Hijacking, Anyway?

Two weeks ago, we learned about yet another routing security incident, namely the hijack of BGP routes to the Amazon...

ISOC Rough Guide to IETF 93: Routing Resilience
ISOC Rough Guide to IETF 93: Routing Resilience
IETF14 July 2015

ISOC Rough Guide to IETF 93: Routing Resilience

There is considerable work underway across several IETF working groups to ensure the Internet's routing infrastructure is more secure and...

Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security
Deploy3601 April 2014

Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security

Over the weekend there were extremely disturbing reports out of Turkey of escalations in the attempts by the Turkish government...

Join the conversation with Internet Society members around the world