IP hijacking, a lesser known cyber attack with devastating consequences
Author: Jose Monteagudo, Editor-in-Chief 1st Global Cybersecurity Observatory
During recent years and particularly during the last few months we have been hearing about serious cyber attacks on financial institutions all across the planet.
The spectrum of incidents includes malware, distributed denial of service (DDoS), record-breaking data breaches and sophisticated spear-phishing attacks, among others.
To name just a few, we might highlight the 2012 DDoS attacks, the 2013-2015 Carberp Trojan stealing over a billion dollars, the 2014 attack on JPMorgan, the 2017 record data breach at Equifax and, last but not least, the worrying 2016 attack on SWIFT, which might have ended up being the largest attack in history had it not been for a minor typo.
Unfortunately, criminal organizations have been targeting financial institutions, and will continue to do so, because the information these institutions hold can be easily monetized, either by stealing from bank accounts or by selling it on the Dark Web.
Financial institutions are investing heavily in cyber-security, but it does not seem to be enough to cope with a problem that some would consider an epidemic.
So, although these recent events have raised awareness of the importance of the problem, there is a type of attack that has been flying under the radar: it is less known to financial institutions, and some banks consulted by Smartrev Cybersec do not even know that it is possible.
We are talking about Internet Protocol (IP) hijacking, also known by the name of one of its variants, Border Gateway Protocol (BGP) hijacking.
Background and definitions
Let’s start with some definitions to understand the problem.
Firstly, the well-known Internet is just a jigsaw puzzle of interconnected networks called Autonomous Systems (AS). In 2016 there were over 54,000 ASes.
The Border Gateway Protocol (BGP) is basically an inter-AS routing mechanism that allows the exchange of network reachability information. The protocol is maintained by the Internet Engineering Task Force (IETF) and defined in detail in RFC-4271. BGP has been in operation since 1994.
In BGP, network nodes are called peers. Peers exchange routing information with each other and cooperate to build a global picture of the whole Internet: where all the IP networks are located and how to reach them. This global picture is called the routing table. At the end of 2017 a full routing table contained over 691k IP version 4 (IPv4) networks.
How BGP works
A BGP peer learns routes from different neighbours, both internal and external to its AS. Based on this routing information, held in the routing table, a BGP router decides which path is best towards a particular destination and, for each known destination, sends only this single best route to its peers.
The selection of the best route follows a complex algorithm with up to 13 different criteria, but in the interest of simplicity this article will highlight only two important concepts: more specific prefixes are preferred over less specific ones, and among routes to the same prefix, those with the shortest AS path are preferred.
The following figure shows at a very high level how BGP works.
Figure 1: how BGP works
As we can see in figure 1, AS 1 owns the network, or prefix, 188.8.0.0/16. It announces this network using BGP to its peer in AS 2. For the BGP router in AS 2, the path to network 188.8.0.0/16 is through AS 1. It then conveys this information to its peer in AS 3 using BGP. This way, BGP routers in AS 3 will know how to route IP packets to network 188.8.0.0/16.
What is BGP hijacking
What happens if, for a few minutes, a router in AS 4 starts announcing that it owns network 188.8.0.0/16?
Depending on how it announces this prefix, and based on the logic of the BGP best path algorithm, it might convince its BGP peers that it offers the best path to 188.8.0.0/16.
This is a BGP hijack: the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables.
Another example would be routers in AS 3 receiving a BGP announcement for the prefix 188.8.131.0/24 via AS 4. Being both a more specific prefix and a shorter AS path, they would wrongly route traffic bound for 188.8.131.0/24 through AS 4.
Industry initiatives to mitigate the problem
There are several initiatives to secure BGP and to ensure that Internet Service Providers (ISPs) can only announce those networks they legitimately control.
Among them is the Resource Public Key Infrastructure (RPKI), which protects against prefix hijacking by cryptographically binding an IP address range to an autonomous system number (ASN). However, there are ways to circumvent RPKI, and it is gaining traction only slowly. RPKI is described in RFC-8210.
Another solution is BGPsec, but it has implementation challenges. BGPsec is specified in RFC-8206. Besides, it could be a long time before every single AS migrates to BGPsec.
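As an added example, not from the original article, the following Python model walks through the two hijack cases described above (a shorter AS path for the same prefix, and a more specific prefix) under the two selection criteria the article highlights, then applies RPKI-style route origin validation against a constructed ROA table to show how a validating router in AS 3 discards both bogus announcements. The prefix 188.8.0.0/16, the AS numbers and the ROA entry are illustrative values assumed here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple   # as_path[0] = neighbour it came from, as_path[-1] = origin AS

def route(cidr, *as_path):
    """Build a Route from CIDR text and the AS path as received."""
    return Route(ipaddress.ip_network(cidr), tuple(as_path))

# Constructed ROA table (assumed values): covering prefix -> (authorised origin ASN, max length).
ROAS = {ipaddress.ip_network("188.8.0.0/16"): (1, 16)}

def roa_state(r):
    """RPKI route origin validation: 'valid', 'invalid' or 'unknown' (no covering ROA)."""
    covering = [v for p, v in ROAS.items() if r.prefix.subnet_of(p)]
    if not covering:
        return "unknown"
    for asn, maxlen in covering:
        if asn == r.as_path[-1] and r.prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"   # wrong origin AS, or more specific than the ROA allows

def best_route(routes, dest, drop_invalid=False):
    """Route an AS 3 router uses for dest, reduced to the article's two criteria: most
    specific prefix, then shortest AS path. drop_invalid discards RPKI-invalid routes first."""
    dest = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dest in r.prefix]
    if drop_invalid:
        candidates = [r for r in candidates if roa_state(r) != "invalid"]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))

def next_hop_as(routes, dest, drop_invalid=False):
    """Neighbouring AS that traffic for dest is handed to (None if unroutable)."""
    r = best_route(routes, dest, drop_invalid)
    return r.as_path[0] if r else None

LEGIT = route("188.8.0.0/16", 2, 1)            # figure 1: AS 1 originates, learned via AS 2
HIJACK_SHORTER = route("188.8.0.0/16", 4)      # AS 4 announces the same /16 with a shorter path
HIJACK_SPECIFIC = route("188.8.131.0/24", 4)   # AS 4 announces a more specific /24

if __name__ == "__main__":
    for table in ([LEGIT], [LEGIT, HIJACK_SHORTER], [LEGIT, HIJACK_SPECIFIC]):
        print(next_hop_as(table, "188.8.131.7"), next_hop_as(table, "188.8.131.7", True))
```

The more specific /24 is rejected only because the ROA's maximum length is 16; a ROA issued with a looser maximum length would leave that variant valid, which is why maximum length should be set no larger than what is actually announced.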
There have been several incidents generated by IP hijacking involving financial institutions in recent years.
Probably the most famous happened in April 2017 and involved several financial institutions, most notably Visa and Mastercard.
Cryptocurrencies, in particular Bitcoin, have also been a target for IP hijacking. Although Bitcoin has several thousand nodes, from a routing perspective it is fairly centralized, which makes it very sensitive to IP hijacking.
A large-scale BGP hijack happened in December 2017, when a previously unused Autonomous System (AS39523) started to announce routes belonging to Google, Apple, Facebook, Microsoft, NTT Communications and Twitch, among others. The event consisted of two short-lived episodes lasting three minutes. Whether this was intentional or a configuration accident remains to be proven.
Moreover, in May 2019, traffic to a public DNS service run by the Taiwan Network Information Center (TWNIC) was routed to an entity in Brazil (AS268869, Fibra Plus Telecomunicações LTDA EPP), and in June 2019 a large volume of European mobile traffic was routed through China Telecom (AS4134, CHINANET-Backbone).