What Stops a Nation-State BGP Hijack?

(Last Updated On: July 30, 2019)

Can Nation-State BGP Hijack Parts of the Internet?

Yes, a Nation-State BGP Hijack is a threat on the Internet. Nation-States can orchestrate the manipulation of the Border Gateway Protocol (BGP) via “hacked routers” all over the world. These routers would then be used to inject bad, misconfigured, or non-authorized routes all over the world. The result would cause havoc and chaos on the Internet, Telecoms, Mobile, and all other global communications. This potential “BGP threat” is consistently covered in the press. People express fears that some nation-states are “theorized” to be able to “Hijack the Internet.” This “media hype” is the distraction. These sensationalized articles build fear and provide no tools, actions, or context to help people deploy proper BGP Security. In essence, “BGP fear” without a solution makes the problem worse.

Nation-State BGP Hijack risks are real! But the way the Internet Operations Community keeps the Internet glued together minimizes the risk. All Organizations can do their part to minimize the Nation-State BGP Hijack risk. Each organization can do its part in its corner of the Internet. Collectively, this builds a more robust Internet. This post will provide tools that any organization, individual, researcher, or reporter can use to pull back the fear, understand the realities of BGP, and explore meaningful action.

Telecom, Mobile, and Internet have All Merged!

Digging into the realities of BGP will surprise people. BGP was built to glue the Internet together. BGP also glues together all Telecommunications, Mobile, Cloud, IoT & other networks.

Yes, when you use your mobile phone to call people in other countries, BGP is the glue that gets that call across your mobile network, through their gateway, and on to the other party’s mobile network. When we communicate today, we use networks which are all interconnected with BGP.

This makes BGP critical to all communications! CxOs in all Communications Service Providers (CSPs) should be asking their team “what are we doing to safeguard our business from BGP issues?”

BGP Resiliency and Security impact everyone. Don’t take BGP security for granted. Do not follow the BGP Fear, Uncertainty, and Doubt (FUD) you see in the media coverage. There are actions people can take. There are paths reporters in the media can dig into to get to the “BGP facts.”

What follows are some “BGP factors” that would be helpful for people to consider. The goal is to help people from all over the world dig into BGP resiliency and security in ways which lead to action.

The Internet Topology does not Equal Political Geography

As much as people try, the Internet’s topology and geographic topology are not the same. The Internet is a massive group of Autonomous System Networks (ASNs). Some of these ASNs are huge, spanning many countries. Some ASNs are small, with just two links to their local ISPs. Internet topology shaped how we interconnect all these ASNs. We make this interconnection easier with multiple Internet Exchange Points (IXPs) all over the world (more on IXPs later).

Before people try to argue the point, yes, there are some countries which control their entry and exit points. We have situations like in Egypt where the country disconnects at the fiber landing point. But, when this happened, the satellite connections to the Internet continued to work. The Internet was created in the days when “creative interconnection” was at the heart of the emerging technology. Countries which try to “disconnect” are shocked when their blocking efforts are bypassed by people who just want to “interconnect.”

Forcing the Internet Topology to match geography will be harder in the future. Integrating these new Satellite Internet systems into mobile devices will give users options for Wi-Fi, 4G, 5G, or satellite (or all three). Added to this, tools which allow device-to-device (peer-to-peer) networking will make it harder to project “nation-state sovereignty” into the Internet.

Transparency for Internet Routing

The Internet is built to operate with transparency. We use the Border Gateway Protocol (BGP) to interconnect all the ASNs. Each ASN has Internet Operators and Engineers who manage their Interconnections. If they get “full routes,” they have a massive BGP map of the Internet. They can see the BGP changes on the Internet that reach their routers. This is not all the BGP changes, just the ones which pass through the filters.

To get a complete picture, Internet Operators work together to collect BGP data from ASNs all over the world. This “global view of Internet Routing” provides Internet Operators tools to see route advertisements from all over the world. This global Internet routing data is open to the public (and all Internet engineers).

Internet Operators use this data to troubleshoot their connectivity. As a side benefit, the Internet community can figure out when Internet routing is abused. Examples of these public tools are:

    • RIPE’s Routing Information Service (RIS) https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris. RIS has a tool which can display a route’s history – BGPlay https://stat.ripe.net/widget/bgplay. BGPlay is used to explore what happened when there are possible BGP Hijacks.
    • Route Views is another large BGP data repository with participants providing data from all over the world. http://www.routeviews.org/routeviews/

There are several other commercial BGP Monitoring Tools. A keyword search will help you find these.

The Internet Operations Community monitors everything. The community requires transparent monitoring to ensure a healthy Internet. “Route leaks,” “BGP Hijacks,” and other routing problems are disruptive, but visible for everyone to troubleshoot, mitigate, and remediate.
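The kind of check this public routing data makes possible, as an added example that is not from the original post: it scans updates recorded from several collector peers for announcements that conflict with an operator's own prefix and reports which peers saw each one. The update tuples, peer names, prefixes and ASNs are constructed for illustration and do not follow the RIS or Route Views data formats.

```python
import ipaddress

# Constructed: prefix this operator originates -> origin ASN it expects.
# Documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398) only.
WATCHED = {ipaddress.ip_network("198.51.100.0/24"): 64496}

# Constructed updates: (time, collector peer, prefix, AS path seen by that peer)
UPDATES = [
    (1000, "peer-a", "198.51.100.0/24", [64500, 64497, 64496]),
    (1000, "peer-b", "198.51.100.0/24", [64501, 64496]),
    (1000, "peer-c", "198.51.100.0/24", [64502, 64497, 64496]),
    (2000, "peer-a", "198.51.100.0/25", [64500, 64510]),
    (2005, "peer-b", "198.51.100.0/25", [64501, 64499, 64510]),
    (3000, "peer-c", "198.51.100.0/24", [64502, 64511]),
    (3500, "peer-c", "203.0.113.0/24", [64502, 64505]),
]

def classify(prefix, origin):
    """Return the kind of conflict with WATCHED, or None if there is none."""
    net = ipaddress.ip_network(prefix)
    for watched, expected in WATCHED.items():
        if net.version != watched.version or not net.subnet_of(watched):
            continue
        if net.prefixlen > watched.prefixlen:
            # A more-specific wins longest-prefix match whatever its origin,
            # so report it unless the operator announced it on purpose.
            return "MORE_SPECIFIC"
        if origin != expected:
            return "ORIGIN_CHANGE"
    return None

def find_conflicts(updates):
    """Map (prefix, origin, kind) -> (first seen time, peers that saw it)."""
    seen = {}
    for ts, peer, prefix, path in sorted(updates, key=lambda u: u[0]):
        kind = classify(prefix, path[-1])  # origin is the last ASN in the path
        if kind is None:
            continue
        first, peers = seen.setdefault((prefix, path[-1], kind), (ts, set()))
        peers.add(peer)
    return {k: (first, sorted(peers)) for k, (first, peers) in seen.items()}

if __name__ == "__main__":
    for (prefix, origin, kind), (ts, peers) in find_conflicts(UPDATES).items():
        print(f"{kind}: {prefix} origin AS{origin} first seen t={ts} by {peers}")
```

The list of peers per conflict is the useful part: an announcement seen by one peer is a local event, while one seen by many is propagating.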

Traceroute and Troubleshoot from Inside ASNs

As the Internet grew, Internet Operators needed to troubleshoot from different points on the Internet. “Troubleshooting” means running a traceroute or ping from locations all over the Internet. The Internet Operations community created open-source “Looking Glass” servers to help each other provide troubleshooting points.

Looking Glass servers allow someone to explore why packets are moving through one path when they are expected to go through another path. This “packet and path” troubleshooting is a daily activity for Internet Operations Engineers. Most of the time, the troubleshooting is based on Key Performance Indicators (KPIs) and other data for customers. “Why are this customer’s packets being routed to Japan and back when they should stay in San Francisco” would be a normal “trouble ticket.” The engineer would use the routing information in combination with Looking Glass servers to troubleshoot why packets are not flowing as expected.

The tools used to troubleshoot are also used to figure out what is happening with route leaks, BGP Hijacks, and other potential routing security issues. The fact that the Internet Operations community can troubleshoot these problems makes it easier to spot, troubleshoot, mitigate, and remediate routing security nonsense.

For example, a customer calls the Network Operations Center (NOC) asking why a traceroute from their network to another network has some IP address that does not belong in the path. The IP address should be on the other side of the planet. That NOC team would check their data, connect to Looking Glass servers along the path, collect data, and then call their peers in the ASN where the weird IP address is showing up. Most of the time, it is a configuration error where some network has old IP addresses. At other times the network could have run out of IP addresses and think “we can use these from this operator on the other side of the planet …. No one is going to notice ….” The key through all of this is the tools the Internet Community provides each other. A NOC in one ASN can jump on the Looking Glass servers from their peers and figure out what is happening, then give them a call to get it resolved.

Yes, there are People who “Run the Internet”

All of the Internet, Telecom, Mobile Operators, and other CSPs (Communications Service Providers) have people who manage their Internet Operations. All of these Internet Operations people talk to each other. In essence, these Internet operators are the people who “run the Internet.”

No, there is no “master authority in charge of the Internet.” What we have instead is a massive collection of INDEPENDENT Autonomous System Numbers (ASNs) who collaborate and interconnect to be INTERDEPENDENT with each other. The Internet Operators in each of these ASNs constantly communicate. They talk to their customers who are connected to them. They talk to their peers with whom they interconnect. They talk to their upstream transit peers who provide their global connectivity. They talk to their fellow peers on Internet Exchange Points (IXPs). They meet and talk at Internet Operations Meetings.

Internet & Network Operations Groups hold regular meetings all over the world. These meetings are public. Many of these meetings are on YouTube (try searching on NANOG, RIPE, or APRICOT/APNIC). These meetings are the place where Internet Operators present to each other, argue with each other, set up peering with each other, innovate with each other, and get to know each other during breakfast/lunch/dinner.

These are the same people who call each other when there are issues on the Internet. The flow of work over time builds the best common practices (BCPs) to effectively work with each other. One of those BCPs is to connect liberally to IXPs.

When there are suspected Nation-State BGP Hijack attempts, this same community works together to investigate, collaborate, mitigate, and work around issues. Most of the time, these Internet issues are not Nation-State BGP Hijack attempts. Most are routing mistakes that could have been prevented if organizations did a bit more work. Other routing issues are criminal based, with miscreants launching BGP Hijacks for their criminal gain. All of these BGP routing issues are seen and investigated by the Internet Operations Community who specialize in BGP routing.

The question for all CxOs is “who are their people” who connect to the Internet Routing Community?

Connecting to IXPs is a Best Common Practice

IXPs are places to help multiple ASNs all come together to more effectively interconnect with each other. We have IXPs all over the world. Wikipedia has a list of Internet Exchange Points (IXPs). So do Packet Clearing House (who have maintained the earliest list of IXPs), Telegeography, PeeringDB, and the Network Startup Resource Center. Some ASNs will connect to one IXP. Some ASNs will connect to as many IXPs as possible. It all depends on a variety of factors around the cost of bandwidth, co-location of the equipment, the value of the peering connections, the ASN’s business objectives, and many other factors.

If you want to learn more about these factors, seek out Bill Norton’s book The Internet Peering Playbook or go to his Dr Peering blog. Bill was one of the key people who illustrated the value of having “peering sessions” at the Network/Internet Operations meetings. He also would run the “peering game” to help ASNs figure out their own peering priorities.

This is why when looking at Nation-State risk, who is connected where across the Internet is one of the factors to consider. But what also must be factored in is all the other ASNs who are also connected.

Again, the Internet model of transparency is the key to understanding if there is a risk. The peering data from PeeringDB.com and the Internet Route Registries (IRRs) contains some data on who is connected to whom. Yes, much of this data is not maintained, which makes the accuracy a problem. This has been a long-term debate in the Internet Operations meetings. But it is a tool that has data. In the future, the hope in the Internet Operations community is to have everyone move to Resource Public Key Infrastructure (RPKI).

Each ASN can Take Responsibility for their Routing Security

Through all of this, each Autonomous network (ASN) is responsible for how they interconnect with the Internet. They must follow the essentials just to function on the Internet. Today, they need to deploy BGP routing security to ensure their connection to the Internet is not disrupted. A good list is in BGP Route Hijacks & Routing Mistakes – What can be done Today?

After the ASN protects their network, they can then talk to their Internet Transit operators and peers to ask them to follow the same practice. They can require any BGP peering partner to sign the Mutually Agreed Norms for Routing Security (MANRS). They can require their Cloud operators to sign MANRS. They can go further and register their routes in RPKI and add their Route Objects (and then do the same with their peering partners).
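What registering routes in RPKI buys an ASN and its peers, as an added example that is not from the original post: route origin validation as defined in RFC 6811, applied to received announcements. The ROA entries, routes and the drop-invalid import policy are constructed assumptions using documentation prefixes and ASNs.

```python
import ipaddress

# Constructed ROA data: (prefix, maxLength, authorized origin ASN).
ROAS = [
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 25, 64497),
    ("2001:db8::/32", 48, 64496),
]
VRPS = [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in ROAS]

# Constructed announcements as received from peers: (prefix, AS path).
ROUTES = [
    ("198.51.100.0/24", [64500, 64496]),   # registered origin
    ("198.51.100.0/25", [64500, 64496]),   # right origin, longer than maxLength
    ("198.51.100.0/24", [64500, 64510]),   # origin not authorized by any ROA
    ("203.0.113.128/25", [64501, 64497]),  # more-specific allowed by maxLength 25
    ("192.0.2.0/24", [64502, 64505]),      # no ROA covers this prefix
    ("2001:db8:1::/48", [64500, 64496]),   # IPv6 within maxLength
]

def validate(prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_asn in VRPS:
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one ROA covers this route
        # AS 0 in a ROA means "never to be routed", so it can never match.
        if route.prefixlen <= max_len and origin_asn == vrp_asn and vrp_asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def import_policy(routes):
    """Assumed policy: accept valid and not-found routes, drop invalid ones."""
    accepted, dropped = [], []
    for prefix, path in routes:
        state = validate(prefix, path[-1])  # origin is the last ASN in the path
        (dropped if state == "invalid" else accepted).append((prefix, path[-1], state))
    return accepted, dropped

if __name__ == "__main__":
    accepted, dropped = import_policy(ROUTES)
    for prefix, origin, state in accepted + dropped:
        print(f"{prefix} from AS{origin}: {state}")
```

A route covered by no ROA stays "not-found" and is accepted under this policy, which is why an ASN's own registration matters: only a registered prefix lets peers reject a conflicting origin.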

Routing Security on the Internet is everyone’s responsibility.

What happens if an ASN Disrupts the Internet?

ASNs have disrupted the Internet in the past, and they will disrupt the Internet in the future. What happens?

The Internet Operations community troubleshoots the problem, mitigates the risk to protect their ASN, works with their community peers to remediate the problem, and then explores how to ensure the “problem” does not happen again. “Mitigation” can and has included “filtering” and “de-peering” with an ASN.

What is “de-peering?” De-peering is when the Internet Community sees an ASN as a threat to the community and does not pass its routes. This happened with the McColo takedown in 2008. Any intelligent Nation-State BGP Hijack actor would know that “de-peering” is a reasonable and logical reaction to attacks on the Internet. No government would need to be asked before de-peering would start. Each large ASN would have their own Internet Operations team who would take action to protect their customers. All of these Internet Operations engineers would be talking and collaborating with each other – collectively taking action for their customers and the greater Internet interest.

Could a Nation-State BGP Hijack cause routing problems on the Internet?

Yes. “Nation-State” risk to our customers is often part of table-top exercises in many ASNs. Through all these workshops, the Internet’s routing transparency and “autonomous networks” control make these issues resolvable. Would they be hidden? That is often asked and should be continuously asked. For example, what if the routing was layered to obfuscate a traffic hijack? This is explored by ASNs around the world and would be worth continued exploration.

What Can an Organization Do to Minimize Nation-State BGP Hijack Attacks (Conclusion)?

Don’t give in to the “BGP fear!” Yes, there is a Nation-State BGP Hijack threat. Press articles will distract people from our #1 Internet/Telecom BGP risk … humans who just don’t care. Organizational and Government apathy is the #1 problem with BGP security and resilience risk today.

How do you get your ISP to Care? Have a Meaningful BGP Security Conversation! There is a guide that every organization can use to have a meaningful BGP Security conversation with your ISPs, Telcos, and Mobile Operators (all Communications Service Providers). Here are two guides anyone can use to help them have “meaningful BGP Security conversations”:

There is always an Internet Routing Risk. These routing risks happen every day through operational mistakes, criminal activities, and malicious intent. Today, these risks are mitigated by BCPs and the Internet Operations Community. We can build a safer Internet. All it takes are humans and organizations willing to put in the extra effort to reduce our BGP security risk.