From cryptocurrency theft to Internet outages.
Border Gateway Protocol (BGP) is a dynamic routing protocol. Along with DNS, it is one of the main mechanisms that keep the Internet running.
The idea of creating it came to two engineers from Cisco and IBM in 1989. Having met over dinner, they sketched the basic concepts of the protocol on two napkins. The ideas recorded in the cafeteria were refined and later formalized as an IETF standard.
The final version of BGP was presented in 1994, and it has remained almost unchanged since then.
Using BGP, ISP routers exchange information about network reachability. This lets them determine the optimal route for carrying packets between autonomous systems. However, BGP has no built-in mechanism for verifying routes: an error that gets into a provider's routing table (through a software failure or an attacker's actions) can cause global network outages.
Back in 1998, a former member of the hacker group L0pht testified before the US Congress and suggested that an attack on BGP could bring down the entire Internet within 30 minutes.
Today, information security professionals log thousands of BGP-related incidents. Most of them are minor, but some are quite large.
2014 - theft of cryptocurrency
Experts from Dell's information security division recorded 22 attacks involving the redirection of traffic from nineteen Internet service providers. The attackers targeted BGP routers after compromising the service account of an employee of a Canadian telecom company.
One of the targets was the mining pools of the WafflePool network, whose members pooled their computers to mine cryptocurrency. The machines connected to the pool were redirected to a substitute command server that transferred the cryptocurrency they generated to the attackers' accounts. Each attack lasted no more than 30 seconds, yet even in that short time the attackers stole bitcoins and altcoins worth the equivalent of 83 thousand dollars. At today's exchange rates, which have risen substantially since then, that would amount to hundreds of thousands of dollars.
2017 - Internet shutdown in Japan
For about an hour, the Internet in Japan worked intermittently. Google engineers made a mistake when configuring BGP and incorrectly announced blocks of IP addresses belonging to Japanese providers. As a result, other global operators, including major telecommunications companies such as Verizon, sent Japanese traffic to Google's servers. Those machines were not built for transit routing, and the packets simply went "nowhere."
As a result, many services became inaccessible in Japan, including government websites, reservation systems and so on. Users could not connect to Nintendo servers or to several marketplaces.
According to specialists at BGPMon, which offers a BGP monitoring tool, the provider NTT Communications Corp, with a customer base of seven million users, suffered the most (although exact figures for the damage were not disclosed).
2019 - European traffic went to China
A month ago, a BGP routing error caused the traffic of several European providers to pass for two hours through the networks of the Chinese company China Telecom. More than 70 thousand routes were redirected; the networks of the Swiss company Swisscom, the Dutch KPN, and the French Bouygues Telecom and Numericable-SFR were affected.
Customers of these companies could not make bank card transactions, and WhatsApp outages were also observed. So far, experts do not know whether this was a technical failure or the result of an attack on the Internet infrastructure.
2019 - Internet failure around the world
The incident affected companies as large as Cloudflare, Facebook, Apple and Linode. Reddit, the Twitch platform, the Discord messenger and the Downdetector service, which tracks Internet outages, also suffered.
The cause was a BGP route leak combined with an error at the telecom Verizon. All the traffic went through the data center of a small Pennsylvania provider, DQE Communications, which could not cope with the load.
DQE Communications used a BGP Optimizer tool. It speeds up packet delivery to customers by splitting large IP blocks into smaller, more-specific prefixes. For some reason, DQE passed these routes on to one of its customers, which had a transit connection to Verizon. The large provider then began broadcasting the incorrect information to the entire Internet. The leak persisted for more than three hours.
How to strengthen BGP
To reduce the number of BGP incidents, several tools are being developed today. For example, since 2014 work has been underway on a code of practice for improving BGP security: MANRS (Mutually Agreed Norms for Routing Security). These are a kind of etiquette for exchanging routes on the network. Participants in the MANRS program (today there are about 170 of them) pledge to prevent the propagation of incorrect route information and to provide tools for finding and fixing possible problems.
Also, in 2017 the National Institute of Standards and Technology (NIST), together with the US Department of Homeland Security, began developing standards for protecting Internet routes. Last year the organizations published a tool to help Internet providers fight BGP hijacking attacks. The system, called ARTEMIS, flags route substitutions within a few seconds.
Now the authors of MANRS and the developers of ARTEMIS face the task of getting global Internet providers to adopt the new tools and practices. Cloudflare analysts noted that route verification systems on Verizon's network would help prevent large-scale outages.
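As an added example (not code from the original post, MANRS or ARTEMIS), here is a small Python route-origin check of the kind that such monitors and route-verification practices rely on. It flags both failure modes described above: a prefix announced by a foreign origin AS (the 2017 misconfiguration) and a leaked more-specific sub-prefix (the 2019 optimizer case). All prefixes, AS numbers and peer names are constructed sample values.

```python
import ipaddress

# Constructed authorisation table, in the spirit of RPKI ROAs:
# (prefix, origin AS allowed to announce it, longest prefix length allowed).
# All prefixes and AS numbers are sample values, not real routing data.
ROAS = [
    ("203.0.113.0/24", 64500, 24),   # hypothetical Japanese ISP block
    ("198.51.100.0/22", 64501, 22),  # hypothetical block that must not be split
]

def validate(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    'invalid' covers both failure modes from the incidents above: a foreign
    origin AS for a covered prefix (the 2017 misconfiguration) and a
    more-specific sub-prefix longer than max_len (the 2019 optimizer leak).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, roa_as, max_len in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_as, max_len))
    if not covering:
        return "unknown"  # nothing on record for this space; cannot judge
    for roa_as, max_len in covering:
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

def find_suspicious(announcements, roas=ROAS):
    """Keep only the (prefix, origin_as, seen_via) entries that fail validation."""
    return [a for a in announcements if validate(a[0], a[1], roas) == "invalid"]

# Constructed sample feed: what a monitor would see from its BGP peers.
SAMPLE_FEED = [
    ("203.0.113.0/24", 64500, "peer-A"),   # legitimate
    ("203.0.113.0/24", 64502, "peer-B"),   # wrong origin: hijack or misconfig
    ("198.51.100.0/22", 64501, "peer-A"),  # legitimate
    ("198.51.100.0/24", 64501, "peer-C"),  # right AS, but a leaked more-specific
    ("192.0.2.0/24", 64503, "peer-A"),     # no ROA: unknown, not flagged
]

if __name__ == "__main__":
    for prefix, asn, via in find_suspicious(SAMPLE_FEED):
        print(f"ALERT {prefix} originated by AS{asn}, seen via {via}")
```

Announcements with no covering entry are reported as "unknown" rather than "invalid", which is why an operator still needs their own network's authorisations registered before such a check can protect them.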
Some large providers are already adopting best practices, among them AT&T, NTT Communications and Netnod. Experts hope their number will only grow.