Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Global BGP Attacks that Evade Route Monitoring

Henry Birge-Lee, Maria Apostolaki, Jennifer Rexford

TL;DR

The paper identifies a fundamental vulnerability in BGP monitoring: if a malicious route is never exported to monitors, it can operate invisibly even while steering significant traffic. It demonstrates a stealthy attack that combines the NO_EXPORT BGP community with sub-prefix hijacks to exploit longest-prefix-match, validated through ethical real-world experiments and topology simulations. Results show the attack can be highly effective, potentially affecting tens of percent of Internet traffic, while remaining undetected by prominent monitoring services. The authors propose mitigations including reconfiguring NO_EXPORT handling, deploying BMP, expanding monitor reach, and leveraging RPKI to strengthen interdomain routing and reduce the risk of such stealthy hijacks.

Abstract

As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Global BGP Attacks that Evade Route Monitoring

TL;DR

The paper identifies a fundamental vulnerability in BGP monitoring: if a malicious route is never exported to monitors, it can operate invisibly even while steering significant traffic. It demonstrates a stealthy attack that combines the NO_EXPORT BGP community with sub-prefix hijacks to exploit longest-prefix-match, validated through ethical real-world experiments and topology simulations. Results show the attack can be highly effective, potentially affecting tens of percent of Internet traffic, while remaining undetected by prominent monitoring services. The authors propose mitigations including reconfiguring NO_EXPORT handling, deploying BMP, expanding monitor reach, and leveraging RPKI to strengthen interdomain routing and reduce the risk of such stealthy hijacks.

Abstract

As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.
Paper Structure (23 sections, 3 figures)

This paper contains 23 sections, 3 figures.

Table of Contents

  1. Introduction
  2. Threat Model
  3. Attack Details
  4. Hiding the Route: NO_EXPORT
  5. Attracting Traffic: Sub-prefix Hijacks
  6. Adversary Strategy
  7. Ethically Launching the Attack
  8. Attack Measurements
  9. Broader Viability of the Attack
  10. NO_EXPORT Behavior at Tier-1 ISPs
  11. Effective Spread of the Attack Using Simulations
  12. Defenses
  13. Changes in BGP Configuration
  14. Use of BGP Monitoring Protocol (BMP)
  15. Increased Scope of BGP Monitoring
  16. ...and 8 more sections

Figures (3)

  • Figure 1: Routing during benign operations (\ref{['subfig:benign']}), a control non-stealthy attack (\ref{['subfig:control']}), and a stealthy attack (\ref{['subfig:stealth']}). Todo: fix figures
  • Figure 2: A CDF of the fraction of traffic sources affected by a stealthy hijack launched by an adversary that installed malicious routes at the four ASes tested in this paper (that all are found to be vulnerable to the stealthy hijack).
  • Figure 3: A CDF of the fraction of traffic sources affected by a stealthy hijack launched by an adversary that installed malicious routes at the top 1, 3, and 5 networks by customer cone size.