Net boffins brew poison for BGP hijacks

'ARTEMIS' spots deliberately rotten routes and sets things to rights

By Richard Chirgwin

The Border Gateway Protocol (BGP) is one of the Internet's basic pieces of plumbing, but it's also so old it was designed before the security needs of a multi-billion-user network were understood.

In particular, BGP is notorious for allowing sysadmins to “black-hole” huge swathes of traffic either by fat-fingering route advertisements, or in some suspected cases, maliciously advertising routes that send commercial rivals' traffic into dead zones that kill the user experience.

Which is why a group of researchers from Europe and America reckon they've created a framework that would let service providers neutralize a BGP hijack in minutes.

The researchers, from the Center for Applied Internet Data Analysis (CAIDA), Greek research institute ICS-FORTH, and Telecom ParisTech, outlined their work in a paper posted on arXiv.

The group wrote that their mitigation approach, dubbed ARTEMIS (Automatic and Real-Time dEtection and MItigation System), was made possible by the emergence of public BGP monitoring services that offer real-time streaming.

Using infrastructure such as the RouteViews Project and the RIPE Routing Information Service (RIS), ARTEMIS lets network operators run BGP mitigation in their own infrastructure rather than a third-party service.

Doing so, the authors believe, means operators using the BGP monitoring feeds can respond to a hijack without waiting for manual verification of alerts.

A network operator would configure ARTEMIS with information about its own AS (Autonomous System, a routing unit in BGP), and the system would then watch the external feeds for AS-PATH events that affect that network, meaning it “can detect any class of hijacking event, and generate alerts”.

Alerts raised by ARTEMIS include the affected prefixes, the type of hijacking attempt, the observed impact, the AS numbers involved, and the detection confidence level.

ARTEMIS doesn't eliminate the need for a network operator to contact other operators when a BGP event happens, but operators also often deaggregate the affected prefix in response, and it's this step that the system automates.

As an explanation of this technique, the paper states:

“For example, upon the detection of a hijack for the prefix 10.0.0.0/23, the network can perform prefix deaggregation and announce two more specific sub-prefixes: 10.0.0.0/24 and 10.0.1.0/24. These subprefixes will disseminate in the Internet and the polluted ASes will re-establish legitimate routes, since more-specific prefixes are preferred by BGP”.

BGP Multiple Origin AS (MOAS) announcements are another part of ARTEMIS's mitigation strategy. MOAS is the practice of outsourcing BGP announcements used in (for example) DDoS defence.

In that model, companies that mitigate attacks “redirect the traffic (using BGP/MOAS or DNS) to their locations and scrubbing centers, remove malicious traffic, and forward/relay the legitimate traffic to the victim”.

If ARTEMIS detects a BGP hijack, the system sends the alert to the mitigation organisation, which announces the hijacked prefix from its own locations or routers; this means the mitigation company attracts the traffic from the Internet so it can tunnel it back to the legitimate network.
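Putting the detection and mitigation steps above together, here is an added example in Python (not code from the paper or from the ARTEMIS project): it checks announcements from a constructed monitoring feed against a configured origin AS, classifies exact-prefix and sub-prefix hijacks, and computes the deaggregated sub-prefixes to announce, handing off to a MOAS partner when the halves would be too specific to propagate. The AS numbers, prefixes and the /24 and /48 filter limits are assumptions chosen for the example.

```python
import ipaddress

# Constructed operator configuration: the prefixes this AS legitimately originates.
OWN_AS = 64500
OWN_PREFIXES = {ipaddress.ip_network("10.0.0.0/23"): OWN_AS}
# Assumed longest prefixes most networks accept; more specifics are usually filtered.
MAX_ROUTABLE = {4: 24, 6: 48}

def classify(prefix, as_path, own_prefixes=OWN_PREFIXES):
    """Return (hijack type, affected network), or None if the announcement is benign."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # origin AS is the last hop of the AS-PATH
    for own, own_as in own_prefixes.items():
        if net.version != own.version or origin == own_as:
            continue  # other address family, or our own AS is the origin
        if net == own:
            return ("exact-prefix origin hijack", net)
        if net.subnet_of(own):
            return ("sub-prefix hijack", net)
    return None

def deaggregate(net):
    """Split the hijacked prefix into its two more-specific halves (the paper's
    10.0.0.0/23 -> 10.0.0.0/24 + 10.0.1.0/24 step); empty if they would be filtered."""
    if net.prefixlen + 1 > MAX_ROUTABLE[net.version]:
        return []
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]

def build_alerts(feed):
    """Run detection over a feed and attach the automated response to each hit."""
    alerts = []
    for prefix, as_path in feed:
        hit = classify(prefix, as_path)
        if hit is None:
            continue
        kind, net = hit
        announce = deaggregate(net)
        alerts.append({"prefix": str(net), "type": kind, "hijacker_as": as_path[-1],
                       "announce": announce,  # empty: deaggregation cannot win here
                       "fallback": None if announce else "MOAS via mitigation partner"})
    return alerts

# Constructed sample feed of (prefix, AS path with origin last): a benign path, an
# exact-prefix hijack, a sub-prefix hijack, and an unrelated prefix.
SAMPLE_FEED = [("10.0.0.0/23", [64496, 64497, 64500]), ("10.0.0.0/23", [64496, 64666]),
               ("10.0.1.0/24", [64496, 64666]), ("192.0.2.0/24", [64496, 64666])]
```

Running `build_alerts(SAMPLE_FEED)` yields two alerts: the exact-prefix hijack gets the two /24 announcements, while the sub-prefix hijack of a /24 gets no deaggregation and is flagged for the MOAS hand-off.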

The researchers wrote that in their experiments ARTEMIS could detect hijacks in as little as five seconds, and that “the vast majority of the ASes recover from the hijack within 60 seconds”. ®
