29-07-2015 08:51:27

In November 2014, some of the IP addresses owned by the Dutch Ministry of Foreign Affairs were hijacked by criminals. Last weekend almost every newspaper and IT website published articles about it. The technique the criminals used is called a “BGP hijack”. What exactly is such an attack, and how does BIT protect itself against it?

The networks that make up the internet (BIT, Tele2 and Google, for example) link their networks together via direct connections (private interconnections), on internet exchanges (peering) and through specialised ‘carriers’ (transit). Over these three kinds of connection, the networks tell each other which part of the internet (which IP addresses, grouped into prefixes) can be reached through which network. This information is exchanged via the Border Gateway Protocol (BGP). The exchange of BGP information is based on trust: “I trust you when you tell me you are responsible for that part of the internet, so I will send traffic for that part to you.” BGP itself has no built-in way to check that claim.

Unfortunately, that trust is sometimes betrayed. Often the cause is a mistake by one of the network administrators, with the result that all traffic for certain IP addresses unintentionally flows through, or ends up in, the wrong network. The best-known example is the unintentional BGP hijack by Pakistan Telecom in 2008, which announced a more specific route for YouTube's address space; because routers prefer the most specific route they know, YouTube's worldwide traffic was drawn to Pakistan. You can see the explanation by RIPE NCC in the video below.

Sometimes the actions are deliberate, for instance for financial gain. An example was presented at the beginning of this year, in which IP addresses of a Bitcoin mining pool were ‘stolen’ with the aim of intercepting Bitcoin-related traffic. The hijack of the ministry's addresses was also intentional, although it is not exactly clear what its goal was. The fact that the Dutch government was unaware of the stolen IP addresses for such a long time is daunting. How much damage could be done if a criminal temporarily took over the IP address of a website like digid.nl?

Securing BGP is not easy. The protocol dates from a time when internet security had a low priority, and the group of people running routing was small, with a distinct everyone-knows-everyone culture. As we have seen with other old internet protocols, bolting security on afterwards proves difficult. Progress is being made, however, in the form of RPKI (Resource Public Key Infrastructure): address holders publish signed statements, Route Origin Authorizations (ROAs), saying which autonomous system (AS) may announce their prefixes and how specifically, so that routers can reject announcements with the wrong origin. But in all honesty, the deployment of such security still has a very long way to go.
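To make the RPKI check concrete, here is an added example (not code from BIT or from any router vendor) of the route origin validation that a router performs against ROAs. The ROAs, prefixes and AS numbers are constructed from documentation ranges and are assumptions for the example only; the three outcomes follow the RFC 6811 definitions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: the holder of `prefix` allows `origin_asn`
    to announce it, and any more-specific route down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs using documentation prefixes and documentation ASNs
# (64496-64511); these are assumptions for the example, not real registrations.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),     # exact /24 only, no more-specifics allowed
    Roa("203.0.113.0/24", 25, 64497),   # may be split into two /25s
    Roa("2001:db8::/32", 48, 64496),    # may be deaggregated down to /48
]


def covering_roas(announced: str, roas: Iterable[Roa]) -> List[Roa]:
    """Return the ROAs whose prefix contains (or equals) the announced prefix."""
    net = ipaddress.ip_network(announced, strict=True)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def validate_origin(announced: str, origin_asn: int,
                    roas: Iterable[Roa] = SAMPLE_ROAS) -> str:
    """Route origin validation (RFC 6811).

    not-found: no ROA covers the prefix, so nothing can be said about it
    valid:     a covering ROA names this origin AS and permits this prefix length
    invalid:   ROAs exist for this space but none allows this (origin, length) pair
    """
    covering = covering_roas(announced, roas)
    if not covering:
        return "not-found"
    plen = ipaddress.ip_network(announced, strict=True).prefixlen
    for roa in covering:
        if roa.origin_asn == origin_asn and plen <= roa.max_length:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    # A hijacker announcing 192.0.2.0/24 from AS64511, and a sub-prefix
    # announcement of 192.0.2.0/25 even with the right origin, are both invalid.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64496),
                        ("203.0.113.128/25", 64497), ("2001:db8:1::/48", 64496)]:
        print(f"{prefix:20} AS{asn}: {validate_origin(prefix, asn)}")
```

Two points worth noting from the example. The maxLength rule is what blocks the classic sub-prefix hijack: a /25 carved out of a /24 whose ROA stops at 24 bits is invalid even when the origin AS is correct, so the legitimate holder should set maxLength deliberately rather than generously. And origin validation only checks the last AS in the path; an attacker who forges the legitimate origin ASN at the end of a path passes this check, which is why path-level monitoring is still needed alongside RPKI.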

Since preventing BGP hijacks is still nearly impossible, it is important to monitor whether your network, or (part of) your prefixes (IP address ranges), is being stolen. BIT has two methods for this, which run simultaneously. The first is in-house and managed by us: a GenieATM. This traffic-analysis system detects BGP hijacks at the points where our network connects with other networks and alerts administrators when necessary.

The second part of the detection is external monitoring. BIT uses the BGPmon service, the industry standard for prefix monitoring. From many locations on the internet, BGPmon receives an overview of the BGP routes visible at each of those locations; BIT supplies this information as well. In this way hundreds of sensors are spread across the internet. Deviations involving our prefixes are reported to us immediately.
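The article does not describe what GenieATM or BGPmon check internally, so the following is an added example of the kind of comparison such prefix monitoring makes, not BIT's own logic: routes seen at several vantage points are checked against what the network expects to see for its own prefixes. It flags the three anomalies discussed above: a foreign origin AS, a more specific sub-prefix (the Pakistan Telecom pattern), and a path that carries our own AS number but arrives through a neighbor we do not connect to, which is how a hijacker evades origin-only checks. Collector names, AS numbers, prefixes and paths are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical expectations for a small network (constructed for the example):
# the prefixes we announce, the only ASN allowed to originate them, and the
# transit/peer ASNs that should appear directly next to our ASN in any path.
EXPECTED = {
    "prefixes": ["192.0.2.0/24", "2001:db8::/32"],
    "origin_asn": 64496,
    "neighbors": {64500, 64501},
}

# Constructed observations: (collector name, announced prefix, AS path as seen
# at that collector with the origin AS last). Names and paths are made up.
OBSERVATIONS = [
    ("rrc00", "192.0.2.0/24",    [64510, 64500, 64496]),         # normal
    ("rrc01", "192.0.2.0/24",    [64511, 64501, 64496]),         # normal
    ("rrc02", "192.0.2.0/24",    [64510, 64500, 64496, 64496]),  # our own prepending
    ("rrc03", "192.0.2.0/24",    [64511, 64505]),                # foreign origin
    ("rrc05", "192.0.2.128/25",  [64510, 64505, 64496]),         # sub-prefix, forged origin
    ("rrc07", "198.51.100.0/24", [64510, 64505]),                # not our address space
    ("rrc10", "2001:db8::/32",   [64511, 64501, 64496]),         # normal (IPv6)
]

Alert = Tuple[str, str, int]  # (kind, prefix, offending ASN)


def _dedupe(path: List[int]) -> List[int]:
    """Collapse AS-path prepending (the same ASN repeated consecutively)."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def classify(observation, expected=EXPECTED) -> List[Alert]:
    """Return the anomalies in one observed route that touches our prefixes."""
    _, prefix, path = observation
    net = ipaddress.ip_network(prefix, strict=True)
    ours = [ipaddress.ip_network(p) for p in expected["prefixes"]]
    covering = [o for o in ours if o.version == net.version and net.subnet_of(o)]
    if not covering:
        return []  # someone else's address space: out of scope for this monitor
    path = _dedupe(path)
    origin = path[-1]
    alerts: List[Alert] = []
    if origin != expected["origin_asn"]:
        alerts.append(("origin-hijack", prefix, origin))
    if net not in covering:
        # A route more specific than the one we announce wins longest-prefix
        # matching everywhere, regardless of who the origin claims to be.
        alerts.append(("more-specific", prefix, origin))
    if (origin == expected["origin_asn"] and len(path) >= 2
            and path[-2] not in expected["neighbors"]):
        # Correct origin, but reached via an AS we have no session with: the
        # announcer has prepended our ASN so that origin checks look clean.
        alerts.append(("unexpected-neighbor", prefix, path[-2]))
    return alerts


def monitor(observations=OBSERVATIONS, expected=EXPECTED) -> Dict[Alert, List[str]]:
    """Aggregate alerts across vantage points: which collectors saw each anomaly."""
    seen: Dict[Alert, set] = defaultdict(set)
    for obs in observations:
        for alert in classify(obs, expected):
            seen[alert].add(obs[0])
    return {alert: sorted(cols) for alert, cols in seen.items()}


if __name__ == "__main__":
    for (kind, prefix, asn), collectors in monitor().items():
        print(f"{kind:20} {prefix:18} AS{asn:<6} seen at {', '.join(collectors)}")
```

The number of collectors that see an anomaly matters in practice: a hijack visible at one vantage point may be a local leak, while one visible at most of them is global, which is why the result keeps the list of collectors per alert rather than a plain yes/no.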

The detection measures we have put in place have not yet produced a BGP hijack alert for our prefixes.