One of the core routing mechanisms of the internet, Border Gateway Protocol (BGP) has been brought to the forefront of news again, after it’s been uncovered an Italian based company assisted in hijacking a range of 256 addresses to assist police in an investigation.
Over the last few years, BGP and it’s lack of security has been in the spotlight, a prime example in late 2014 being traffic destined for Russia curiously routed through China before it’s final destination. A trust based peering arrangement between China Telecom and Russia’s Vimpelcom allowed the abnormality to take place. The peering arrangement in place between China Telecom and Vimpelcom allowed the ISPs to exchange traffic directly over an internet exchange, instead of through normal transit, which ISPs pay for, based on traffic volume. Numerous times since the peering agreement had been initiated, traffic that was originated and destined for Russia flowed through China Telecom’s routers instead of taking the normal ‘best route’.
While this case could have simply been the result of human error, the complexity of BGP and trust based peering creates a lack of security that has been taken advantage of numerous times in the previous decade.
Example of BGP Hijacking
Most recently, it’s come to light that an Italian company that called itself ‘Hacking Team’ helped to orchestrate the BGP hijack of IPs (a /24 subnet) from the now defunct provider Santrex to assist Italian police regain control of several workstations and computers that were being remotely monitored.
From leaked emails, Hacking Team and the Italian police were relying on Santrex when they went out of business in October 2013. Once Santrex stopped announcing the IPs, Hacking Team and Italy’s Special Operations Group were unable to communicate with numerous computers infected with Hacking Team’s proprietary malware. Another Italian ISP, Aruba helped Hacking Team to announce the block (46.166.163.0/24) and bring up a virtual machine that would act & collect data act in the same manner the previous virtual machine at Santrex did. “If everything was done correctly, we should get back the VPS online hoping then that the backdoor is still alive and [the systems] may contact the VPS,” a Hacking Team worker wrote in a machine translated August 2013 e-mail.
BGPlay Screenshot – BGP Graph of 46.166.163.0/24
The above graph shows the BGP network graph during the hijacking, with Aruba announcing the rogue route over the Milan Internet Exchange with at least 5 ISPs accepting the announcement including FastWeb (AS12874), Hurricane Electric (AS6939), Reteivo (AS49605), EasyNet (AS4589) and MC-Link SpA (AS5396).
This resulted in the IP addresses becoming reachable, with the Italian police confirming with Hacking Team they’d recovered contact with 3 of the 4 remote access trojan (RAT) clients. The hijacked route was withdrawn on August 22, indicating the operation was successful, likely reconfiguring the RAT clients to contact a different IP.
This brazen hijack and increasing BGP hijacking instances shows the ease of manipulating the BGP system, and need for policies put into place by ISPs to either penalize, or de-peer ISPs who consistently participate in such. Since peering is based on trust, connections do not require prefix lists, easily allowing a largely peered ISP to arbitrarily announce large amounts of IP space, taking over legitimate traffic, such as the case with Hacking Team and Aruba. Technologies such as RPKI and ROA route signing are not widely deployed and immature at this point in time, making BGP route monitoring more relevant than ever.
Earlier this year OpenDNS acquired BGPmon, a popular BGP monitoring service. On June 30 of this year, Cisco announced its intent to acquire OpenDNS. In addition, at Blackhat this year, OpenDNS announced plans for BGP Stream, a collection of announcements regarding BGP attacks that will be broadcast in real-time for network administrators.