What Stops a Nation-State BGP Hijack?

Can Nation-State BGP Hijack Parts of the Internet? Yes, a Nation-State BGP Hijack is a threat on the Internet. Nation-States can orchestrate the manipulation of the Border Gateway Protocol (BGP) via “hacked routers all over the world. These routers would then be used to inject bad, misconfigured, or non-authorized routes all over the world. The result Read More

Security Organizations

There are many Security Organizations in the world all working towards the goal of a more secure & resilient Internet. This is an ongoing list of known security organization. Security Groups 10 Years and Older Forum of Incident Response and Security Teams (FIRST) – FIRST is the Forum of Incident Response and Security Teams. The

Recommendation: BGP Ingress & Egress Filtering BCPs

The core BGP Security recommendation is for all BGP Ingress & Egress Filtering to follow BCPs. These BGP Best Common Practices (BCPs) are not confidential. Your peers would be open to share what they do and help you deploy better policies. It is recommended that you inspect your network’s practices and procedures. Review the BCP

Principle: BGP Hijacking Risk Reduction is a Layered Solution

  Reducing the BGP Hijacking risk reduction is a layered solution. Organizations cannot jump into RPKI BGP Security if they have not established the basics for BGP Security.  It must be remembered that projecting against BGP Hijacks is not a “one tool” approach.  All the BGP Security techniques work together. Organizations should view this as

Recommendation: Use Internet Route Registries (IRR)

Use Internet Route Registries (IRR) to register all BGP sessions to your ASN, require all your peers to use the same IRRs, and then script the configurations to update the ingress/egress prefix filtering.  It does not make any sense to have all the BGP sessions undocumented. Internet Route Registries (IRRs) and tools like PeeringDB document how

Recommendation: Deploy Peerlock

Operators who deploy Peerlock will many of the of the route leaking and BGP Hijacking risk. Peer-Lock is an optimized AS-Path Filtering technique. The foundation is not new. We have been using AS Path Filtering for decades. What is new is the approach, using the AS-Path filter together with a written peering agreement.  Does it work?

Recommendation: Grasp the risk from BGP Hijacking

It is really important that ever organization grasp the risk from BGP Hijacking. The CIO, CISO, Security Professional, Network Engineers, and all others in the organization must understand that the BGP Hijacking Threat to their organization is Real.  Miscreants have BGP hijacked critical resources away from the owning organization and caused damage. These BGP Hijacks

Recommendation: All prefixes will have one BGP Community

We have learned in the community that it is safer to have all prefixes with one BGP Community. That means a BGP community will be required for the route to get advertised to a peer. Granted, each prefix might have multiple BGP Communities, but the requirement that each must have at least one BGP community

Recommendation: Use Maximum Prefix Filters on all BGP Sessions

Maximum Prefix Filters are often overlooked in BGP configurations. Don’t overlook BGP Maximum Prefix Filters. They can save your network in a route table explosion crisis. Why? Exploding BGP tables is one of the huge risks to Internet stability. We have had and will have routers which de-aggregate, rapidly increasing the size of the BGP RIB

Tools for BGP Peering, Analysis, Troubleshooting & Monitoring

Tools to troubleshoot routing issues, monitor for BGP Hijacking, and alert when there are major routing issues are critical for any organization who connects to the Internet. This is a guide to help organizations pick tools that are useful.    BGP Stream by BGPMON BGP Stream is a free resource for receiving alerts about hijacks,