
Net boffins brew poison for BGP hijacks

'ARTEMIS' spots deliberately rotten routes and sets things to rights

By Richard Chirgwin


The Border Gateway Protocol (BGP) is one of the Internet's basic pieces of plumbing, but it's also so old it was designed before the security needs of a multi-billion-user network were understood.

In particular, BGP is notorious for allowing sysadmins to “black-hole” huge swathes of traffic either by fat-fingering route advertisements, or in some suspected cases, maliciously advertising routes that send commercial rivals' traffic into dead zones that kill the user experience.

Which is why a group of researchers from Europe and America reckon they've created a framework that would let service providers neutralize a BGP hijack in minutes.

The researchers, from the Center for Applied Internet Data Analysis (CAIDA), Greek research institute ICS-FORTH, and Telecom ParisTech, outlined their work on arXiv.

The group wrote that their mitigation approach, dubbed ARTEMIS (Automatic and Real-Time dEtection and MItigation System), was made possible by the emergence of public BGP monitoring services that offer real-time streaming.

Using infrastructure such as the RouteViews Project and the RIPE Routing Information Service (RIS), ARTEMIS lets network operators run BGP mitigation in their own infrastructure rather than a third-party service.

Doing so, the authors believe, means operators using the BGP monitoring feeds can respond to a hijack without waiting for manual verification of alerts.

A network operator would configure ARTEMIS with information about its own AS (Autonomous System, a routing unit in BGP), and the system would then watch the external feeds for AS-PATH events that affect the operator's network, meaning it "can detect any class of hijacking event, and generate alerts".

Alerts raised by ARTEMIS include the affected prefixes; the type of hijacking attempt; the observed impact; the AS numbers involved; and the detection confidence level.

ARTEMIS doesn't do away with a network operator's need to contact other operators when a BGP event happens, but operators also often respond by deaggregating the affected prefix, and it's this step that the system automates.

Explaining this technique, the paper states:

“For example, upon the detection of a hijack for the prefix 10.0.0.0/23, the network can perform prefix deaggregation and announce two more specific sub-prefixes: 10.0.0.0/24 and 10.0.1.0/24. These subprefixes will disseminate in the Internet and the polluted ASes will re-establish legitimate routes, since more-specific prefixes are preferred by BGP”.
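To make the detection and mitigation steps above concrete, here is an added example (not ARTEMIS's own code, and not from the paper or The Register) of an ARTEMIS-style check run over constructed BGP updates. The operator's configuration, the ASNs (65001 as the operator's own AS, a hypothetical authorised second origin 65100, upstreams 65010 and 65020), the monitor names and the sample updates are all invented for illustration. The check flags a route for one of the operator's prefixes, or a sub-prefix of it, when the origin AS is not an authorised one or when the hop next to the origin is not a real neighbour; it then folds the flagged routes into alerts carrying the fields the article lists, counts how many vantage points saw the bad route as a rough impact measure, and computes the /23 to two /24 deaggregation plan from the quoted paragraph. The one caveat the code encodes: most networks filter IPv4 more-specifics longer than /24 (and IPv6 longer than /48), so a hijacked /24 cannot be countered by deaggregation and the operator has to fall back on other means.

```python
"""Added example: an ARTEMIS-style hijack check plus a deaggregation planner.

Everything here (config, ASNs, monitor names, updates) is constructed for
illustration; this is not the ARTEMIS project's code.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    monitor: str        # vantage point (route collector) that saw the route
    prefix: str         # announced prefix, e.g. "10.0.0.0/23"
    as_path: tuple      # AS path as seen by the monitor; origin AS is the last element


# Operator configuration (constructed): prefixes we own, the ASNs allowed to
# originate them (our own AS 65001 plus a hypothetical scrubbing provider 65100
# doing authorised MOAS), and the upstream neighbours we really connect to.
CONFIG = {
    "10.0.0.0/23": {"origins": {65001, 65100}, "neighbors": {65010, 65020}},
}


def classify(update, config=CONFIG):
    """Return (owned_prefix, hijack_type, suspect_as), or None if the route is benign."""
    announced = ipaddress.ip_network(update.prefix)
    path = update.as_path
    origin = path[-1]
    for owned_str, rules in config.items():
        owned = ipaddress.ip_network(owned_str)
        if announced == owned:
            scope = "exact-prefix"
        elif announced.version == owned.version and announced.subnet_of(owned):
            scope = "sub-prefix"
        else:
            continue  # unrelated prefix, nothing to check
        # Origin hijack: the route is originated by an AS we never authorised.
        if origin not in rules["origins"]:
            return owned_str, f"{scope} origin hijack", origin
        # Path hijack: the origin looks legitimate, but the hop next to it is
        # not one of our real neighbours, so the path cannot be genuine.
        if len(path) >= 2 and path[-2] not in rules["neighbors"]:
            return owned_str, f"{scope} first-hop hijack", path[-2]
        return None  # our own announcement (or our own deaggregation) via a real neighbour
    return None


def deaggregate(prefix):
    """Split a prefix into its two more-specifics, as in the paper's /23 -> two /24s.

    Returns [] when the result would be longer than /24 (IPv4) or /48 (IPv6):
    most networks filter such more-specifics, so the counter-announcement
    would not propagate and another mitigation is needed.
    """
    net = ipaddress.ip_network(prefix)
    limit = 24 if net.version == 4 else 48
    if net.prefixlen >= limit:
        return []
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def build_alerts(updates, config=CONFIG):
    """Fold a stream of monitor updates into alerts with the fields the article lists."""
    seen = defaultdict(set)  # (announced, owned, type, suspect AS) -> monitors that saw it
    for upd in updates:
        verdict = classify(upd, config)
        if verdict is not None:
            seen[(upd.prefix,) + verdict].add(upd.monitor)
    alerts = []
    for (announced, owned, kind, suspect), monitors in seen.items():
        alerts.append({
            "affected_prefix": announced,
            "owned_prefix": owned,
            "type": kind,
            "suspect_as": suspect,
            "impact_monitors": len(monitors),     # how many vantage points saw the bad route
            "mitigation": deaggregate(announced),  # sub-prefixes to announce, if any
        })
    return alerts


# Constructed sample feed: a mix of legitimate, hijacked and unrelated routes.
SAMPLE_UPDATES = [
    Update("monitor-a", "10.0.0.0/23", (65010, 65001)),         # our route via neighbour 65010
    Update("monitor-b", "10.0.0.0/23", (65020, 65100)),         # authorised MOAS by the scrubbing provider
    Update("monitor-a", "10.0.0.0/23", (65030, 65666)),         # origin hijack of the whole /23
    Update("monitor-b", "10.0.0.0/23", (65040, 65030, 65666)),  # same hijack from a second vantage point
    Update("monitor-a", "10.0.0.0/24", (65030, 65001)),         # forged path: our ASN behind a non-neighbour
    Update("monitor-b", "10.0.1.0/24", (65020, 65001)),         # our own deaggregation, benign
    Update("monitor-a", "192.0.2.0/24", (65030, 65666)),        # not our prefix, ignored
]

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_UPDATES):
        print(alert)
```

Run as a script, the example prints two alerts: one for the /23 origin hijack seen from both monitors, with the two /24 counter-announcements as its mitigation plan, and one for the forged-path route to 10.0.0.0/24, whose mitigation list is empty because a /24 cannot be deaggregated further.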

BGP Multiple Origin AS (MOAS) announcements are another part of ARTEMIS's mitigation strategy. MOAS is the practice of outsourcing BGP announcements used in (for example) DDoS defence.

In that model, companies that mitigate attacks “redirect the traffic (using BGP/MOAS or DNS) to their locations and scrubbing centers, remove malicious traffic, and forward/relay the legitimate traffic to the victim”.

If ARTEMIS detects a BGP hijack, the system sends the alert to the mitigation organisation, which announces the hijacked prefix from its own routers; this means the mitigation company attracts the traffic from the Internet so it can tunnel it back to the legitimate network.

In their experiments, the researchers wrote that ARTEMIS could detect hijacks in as little as five seconds, and “the vast majority of the ASes recover from the hijack within 60 seconds”. ®
