Border Gateway Protocol (BGP)

BGP (RFC 4271) is the inter-domain routing protocol of the Internet: it defines how routers in different autonomous systems (ASes) exchange reachability information. It runs over TCP (port 179), so in OSI terms it is an application layer protocol (Layer 7). It uses path-vector routing: every UPDATE carries the list of ASes the route has traversed (the AS_PATH) rather than a hop count (distance-vector) or a full topology map (link-state), and local policy, not shortest path, decides which route is used.

Attack tree: Disrupt or manipulate BGP routing

1. Prefix Hijacking

    OR Gate (Choose one method):

        1.1 Sub-Prefix Hijacking (announce a more specific prefix; longest-prefix match wins everywhere it propagates)

        1.2 Exact-Prefix Hijacking (announce the same prefix from a spoofed origin AS; wins only where the attacker's path is preferred)

        1.3 ROA Bypass (exploit RPKI gaps: no ROA, loose maxLength, forged origin AS, or neighbours that do not drop RPKI-invalid routes)

2. AS-Path Manipulation

    OR Gate:

        2.1 AS-Path Prepending (legitimate traffic engineering, abused to steer traffic or to keep a return path open during interception)

        2.2 Ghost AS Insertion / AS-Path Forgery (insert, strip or replace ASes to hide the attacker's AS or forge the origin)

        2.3 AI-Generated Path Spoofing (Evade heuristics)

3. Denial-of-Service (BGP Session Attacks)

    OR Gate:

        3.1 TCP RST Injection (Kill BGP sessions)

            AND Conditions:

                No TCP-AO (RFC 5925) or TCP MD5 (RFC 2385) on the session, and no GTSM (RFC 5082) TTL check

                Attacker on-path, or off-path but able to guess the TCP 4-tuple and a sequence number inside the receive window (RFC 4953)

        3.2 Update Flooding (exhaust router CPU and memory with a stream of announcements and withdrawals; repeatedly flapping a victim's prefix can also get it suppressed by route-flap damping elsewhere)

4. Traffic Interception (Espionage)

    AND Gate (Requires multiple steps):

        4.1 Prefix Hijacking (OR from Section 1) to pull the victim's traffic toward the attacker

        4.2 AS-Path Manipulation (OR from Section 2): prepend the ASes on the attacker's return path to the legitimate origin, so those ASes ignore the hijack and a path back to the victim stays open (the Pilosov/Kapela interception technique, DEF CON 2008)

        4.3 Inspection at the attacker's network (MitM position): cleartext protocols are read or modified; for TLS only metadata is visible unless the attacker also obtains a certificate for the hijacked service

5. Exploiting RPKI Weaknesses

    OR Gate:

        5.1 Stale or over-broad ROAs (ROAs left authorising a previous holder after a prefix changes hands, or a loose maxLength that authorises more-specifics)

        5.2 Fraudulent ROA Registration (compromised or socially engineered RIR / hosted-RPKI accounts)

        5.3 Forged-origin hijack (RPKI validates only the origin AS, not the path; the attacker appends the legitimate origin to its own AS path)

6. Cross-Protocol Attacks

    AND Gate (BGP + Another vulnerability):

        6.1 BGP + DNS Hijacking

            OR Sub-options:

                Hijack the prefix of a resolver and answer its clients' queries directly

                Hijack authoritative name-server prefixes so resolver caches are populated with forged records (the 2018 Amazon Route 53 / MyEtherWallet attack)

        6.2 BGP + CDN/Cloud Manipulation

            Hijack a CDN or cloud provider's prefix to put the attacker's own edge in front of the real one (the 2022 Celer Bridge attack hijacked an Amazon-hosted prefix and obtained a valid TLS certificate for the victim domain while holding the route)

7. AI/ML-Assisted Attacks

    OR Gate:

        7.1 Automated ROA Gap Scanning

        7.2 ML-Generated AS-Path Spoofing

8. Supply Chain Compromise

    AND Gate (Requires access + exploitation):

        8.1 Compromise an ISP or IXP route server, or its management plane (OR: exploit, stolen credentials, insider threat)

        8.2 Propagate Malicious Routes from that trusted position (downstream filters are built to accept them)

BGP hijacking (Route leaks & prefix hijacking)

Attack Pattern: Adversaries announce illegitimate routes to redirect traffic through networks they control for:

  • Traffic interception (e.g., espionage, credential theft, serving malicious content).

  • Denial of service (e.g., blackholing the victim's prefixes so traffic is dropped, or degrading it through a detour).

  • Cryptocurrency theft (e.g., hijacking the DNS or web front-ends of wallets, exchanges and bridges so users sign transactions to attacker addresses).

Real-World Examples

  • 2010: China Telecom (AS23724) originated roughly 37,000 prefixes, about 15% of the Internet's routes, for around 18 minutes; traffic for US government and commercial networks was pulled through China before reaching its destination.

  • 2017: Rostelecom (AS12389) announced 36 prefixes belonging to Visa, Mastercard, HSBC and other financial institutions for several minutes, redirecting their traffic through Russia.

  • 2018: Amazon Route 53 / MyEtherWallet: attackers announced more-specific /24s of Route 53's authoritative DNS prefixes through a small US ISP (eNet, AS10297), answered DNS queries for myetherwallet.com with the address of a phishing site, and stole about $150,000 in Ether.

  • 2022: KLAYswap (February) and Celer Bridge (August): BGP hijacks of a Kakao SDK server's prefix and of an Amazon-hosted front-end prefix let attackers serve malicious JavaScript to users of the two DeFi services, stealing about $1.9M and $235,000 respectively.

Why It Works

  • BGP has no built-in authentication of routing information: a router accepts whatever its neighbour announces, and TCP MD5/TCP-AO protect only the session, not its content.

  • RPKI validates only the origin AS, not the path, and coverage is still partial: many prefixes have no ROA, and many networks still do not drop RPKI-invalid routes. BGPsec (RFC 8205) path validation is barely deployed.

Mitigation

  • Deploy RPKI (Resource Public Key Infrastructure): publish ROAs (Route Origin Authorizations) for your prefixes with minimal maxLength (RFC 9319), and drop RPKI-invalid routes on your routers (route origin validation, RFC 6811).

  • BGP monitoring (e.g., Cloudflare Radar, RIPE RIS / BGPalerter, Qrator Radar, BGPmon, now part of Cisco Crosswork Cloud).

  • MANRS (Mutually Agreed Norms for Routing Security) compliance.
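Route origin validation as a router applies it (RFC 6811), run against the attack-tree cases from sections 1 and 5 above. This is an added example, not code from the original page: the ROA set, prefixes (documentation ranges) and ASNs (private-use range) are constructed for illustration. It shows why a minimal maxLength stops a sub-prefix hijack, and why a forged origin (attacker appends the legitimate origin AS) still validates.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, longest permitted length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set (documentation prefixes, private-use ASNs); not real registry data.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # minimal maxLength: any more-specific is invalid
    ROA("198.51.100.0/22", 24, 64501),  # loose maxLength: every /22../24 inside is authorised
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: returns "valid", "invalid" or "notfound"."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"           # no ROA covers this prefix: RPKI says nothing
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin AS or longer than maxLength


def validate_update(prefix: str, as_path: list, roas=ROAS) -> str:
    """Validate a BGP UPDATE as a router does: the origin is the LAST AS in AS_PATH.

    RPKI checks only that origin, so an attacker who appends the legitimate
    origin AS to its own path (a forged-origin hijack) still obtains "valid".
    """
    return validate_origin(prefix, as_path[-1], roas)


def demo() -> dict:
    """Each attack-tree case from the text, evaluated against the constructed ROAs."""
    return {
        # legitimate announcement from the ROA's origin AS
        "legit": validate_update("203.0.113.0/24", [64496, 64500]),
        # 1.2 exact-prefix hijack: attacker AS64666 originates the prefix itself
        "exact_hijack": validate_update("203.0.113.0/24", [64496, 64666]),
        # 1.1 sub-prefix hijack: blocked by minimal maxLength even with a forged origin
        "subprefix_hijack": validate_update("203.0.113.0/25", [64496, 64666, 64500]),
        # 5.x forged origin plus loose maxLength: passes origin validation
        "forged_origin": validate_update("198.51.100.0/24", [64496, 64666, 64501]),
        # prefix without any ROA: RPKI gives no protection at all
        "no_roa": validate_update("192.0.2.0/24", [64496, 64666]),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:18s} {state}")
```

The "forged_origin" case is the one to take away: origin validation is necessary but not sufficient, and a loose maxLength turns every more-specific of your block into a prefix an attacker can announce as RPKI-valid.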

BGP route leaks (Accidental or malicious)

Attack Pattern

  • A network incorrectly propagates routes it shouldn’t, causing traffic to flow through unintended paths.

  • Can be accidental (misconfigurations) or intentional (for interception).

Real-World Examples

  • 2018: MainOne (AS37282), a Nigerian ISP, leaked Google's prefixes to China Telecom and TransTelecom (Russia); for about 74 minutes traffic for Google services was routed through China and Russia, and many users saw Google as unreachable.

  • 2019: Safe Host (AS21217), a Swiss hosting provider, leaked more than 70,000 routes to China Telecom, which propagated them; Swisscom, Bouygues Telecom and other European operators had traffic detoured through China Telecom for about two hours.

  • 2019: A BGP optimizer at DQE Communications, a small Pennsylvania ISP, generated more-specific routes that leaked through its customer Allegheny Technologies to Verizon (AS701), which re-announced them; Cloudflare and many other networks were partially unreachable for about two hours.

Why It Works

  • Lack of route filtering: many ISPs accept whatever their customers and peers announce, without prefix-lists built from IRR/RPKI data or prefix-count limits.

  • BGP itself carries no notion of the business relationship on a session, so a router cannot tell that a route learned from a provider must not be re-announced to another provider (RFC 9234 adds that signal, but it is new and lightly deployed).

  • No penalty for misconfigurations.

Mitigation

  • Route filtering: build customer prefix-lists from IRR route objects and RPKI ROAs, set max-prefix limits, and reject anything else.

  • BGP communities to control route propagation, plus the RFC 9234 Only-To-Customer (OTC) attribute and session roles so a leak is detected at the receiving router; ASPA (AS provider authorization, still in standardization at the IETF) will let a router check the whole path against declared provider relationships.
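The valley-free rule that route-leak detection rests on (a route may climb to providers, cross at most one peering link, then only descend to customers), applied to an observed AS_PATH. This is an added example, not code from the original page: the AS topology and private-use ASNs are constructed; in practice the relationships would come from the operator's own peering database or an inferred dataset such as CAIDA's AS relationships. RFC 9234 enforces the same rule per session with the OTC attribute; here it is checked after the fact on a path seen at a collector.

```python
# Constructed AS topology (private-use ASNs), not real relationships:
#   AS64500 (origin) is a customer of AS64510; AS64510 is a customer of AS64520;
#   AS64520 and AS64530 peer; AS64540 is a multihomed customer of AS64510 and AS64530.
PROVIDERS = {                # (provider, customer) pairs
    (64510, 64500),
    (64520, 64510),
    (64510, 64540),
    (64530, 64540),
}
PEERS = {frozenset((64520, 64530))}   # settlement-free peering, no transit either way


def hop_direction(sender, receiver, providers=PROVIDERS, peers=PEERS):
    """Direction of one propagation hop: 'up' (to a provider), 'down' (to a customer), 'peer'."""
    if (receiver, sender) in providers:
        return "up"
    if (sender, receiver) in providers:
        return "down"
    if frozenset((sender, receiver)) in peers:
        return "peer"
    return None


def find_leak(as_path, providers=PROVIDERS, peers=PEERS):
    """Valley-free check of an observed AS_PATH (leftmost AS nearest the observer).

    A legitimate path climbs through zero or more providers, crosses at most one
    peering link, then only descends to customers.  A route that goes up or
    sideways again after it has already gone down or sideways has been leaked
    (RFC 7908); the function returns the AS that leaked it, or None.
    """
    hops = []
    for asn in reversed(as_path):          # origin first, i.e. propagation order
        if not hops or hops[-1] != asn:    # collapse AS-path prepending
            hops.append(asn)
    phase = "up"
    for sender, receiver in zip(hops, hops[1:]):
        direction = hop_direction(sender, receiver, providers, peers)
        if direction is None:
            raise ValueError(f"no known relationship between AS{sender} and AS{receiver}")
        if phase == "up":
            if direction != "up":          # first peer or downhill hop ends the climb
                phase = "down"
        elif direction != "down":          # climbing or peering again: a leak
            return sender
    return None


def demo():
    return {
        "legit_transit":  find_leak([64520, 64510, 64500]),          # up, up
        "legit_via_peer": find_leak([64530, 64520, 64510, 64500]),   # up, up, peer
        # provider AS64510 -> customer AS64540 -> provider AS64530: AS64540 leaked it
        "leak":           find_leak([64530, 64540, 64510, 64500]),
        "leak_prepended": find_leak([64530, 64540, 64540, 64510, 64500]),
    }


if __name__ == "__main__":
    for case, leaker in demo().items():
        print(f"{case:16s} {'clean' if leaker is None else f'leaked by AS{leaker}'}")
```

The "leak" case is the classic RFC 7908 type 1 leak: a multihomed customer re-announces a route learned from one provider to another, and the second provider now carries its transit traffic through a small customer.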

BGP blackholing (DDoS weaponization)

Attack Pattern

  • Remotely triggered blackholing (RTBH) lets a customer ask its upstream or an IXP to drop traffic to an address under attack by announcing it with a "blackhole" community (the well-known BLACKHOLE community 65535:666 from RFC 7999, or a provider-specific one). An attacker with a BGP session, a compromised router, or a hijacked prefix can tag a victim's address the same way, and every network honouring the tag discards the victim's traffic.

  • Used for censorship or competitive sabotage.

Real-World Examples

  • 2008: Pakistan Telecom (AS17557) was ordered to block YouTube domestically and did so by announcing a more-specific /24 (208.65.153.0/24) pointed at a null route. The announcement leaked to its upstream PCCW and propagated worldwide, blackholing YouTube for about two hours.

Why It Works

  • Many ISPs and IXP route servers honour blackhole-tagged announcements from customers with at most a check that the prefix falls inside something the customer is allowed to announce, and sometimes without even that.

Mitigation

  • Accept blackhole announcements only for host routes (/32, /128) inside prefixes the customer is authorised to originate (filters built from IRR/RPKI), and require manual approval for anything outside that set.

  • Monitor your own prefixes for announcements carrying blackhole communities, unexpected more-specifics, or unexpected withdrawals.
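The ingress check an upstream should apply to a customer's blackhole announcements, as an added example (not the page's or any vendor's code). The authorised prefix list and the announcements are constructed; in production the list would be generated from IRR route objects and RPKI ROAs and the check would be expressed as the router's import policy.

```python
import ipaddress

BLACKHOLE = (65535, 666)     # RFC 7999 well-known BLACKHOLE community
MAX_LEN = {4: 24, 6: 48}     # longest ordinary prefix accepted from a customer

# Constructed: prefixes this customer session is authorised to originate.
# In practice this list is generated from IRR route objects and RPKI ROAs.
CUSTOMER_AUTHORIZED = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def evaluate(prefix: str, communities, authorized=CUSTOMER_AUTHORIZED):
    """Decide what to do with one announcement received on a customer session.

    Returns (action, reason). communities is a list of (asn, value) tuples.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if not any(a.version == net.version and net.subnet_of(a) for a in authorized):
        # Whether or not it carries a blackhole tag, the customer may not speak for it.
        return ("reject", "not covered by the session's authorised prefixes")
    if BLACKHOLE in communities:
        if net.prefixlen != net.max_prefixlen:
            return ("reject", "blackhole accepted only for /32 or /128 host routes")
        return ("blackhole", "install discard route for the host")
    if net.prefixlen > MAX_LEN[net.version]:
        return ("reject", f"longer than /{MAX_LEN[net.version]}")
    return ("accept", "ordinary route")


def demo():
    return {
        # customer null-routes one of its own hosts under DDoS: legitimate RTBH
        "own_host_blackhole": evaluate("203.0.113.7/32", [BLACKHOLE, (64500, 100)]),
        # the abuse from the text: a victim address that is not the customer's
        "victim_blackhole": evaluate("198.51.100.7/32", [BLACKHOLE]),
        # tagging the whole prefix would take the customer's entire network down
        "whole_prefix_blackhole": evaluate("203.0.113.0/24", [BLACKHOLE]),
        "normal_route": evaluate("203.0.113.0/24", [(64500, 100)]),
        "too_specific": evaluate("203.0.113.0/25", []),
        "v6_host_blackhole": evaluate("2001:db8:100::1/128", [BLACKHOLE]),
    }


if __name__ == "__main__":
    for case, (action, reason) in demo().items():
        print(f"{case:24s} {action:10s} {reason}")
```

Note the order of the checks: ownership is tested before the community is even looked at, so the blackhole tag never widens what a session may announce, it only changes what happens to a prefix the session was already entitled to.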

BGP side-hijacking (Partial traffic interception)

Attack Pattern

  • Attackers announce a more specific (longer) prefix covering only the addresses they care about (a name server, an API endpoint), leaving the rest of the victim's block untouched.

  • Because only a slice of the victim's traffic moves, the attack is harder to notice than a hijack of the whole prefix.

Real-World Examples

  • 2018: The Amazon Route 53 hijack used /24 more-specifics of Amazon's /23 DNS prefixes, so only the name-server addresses were captured while the rest of Amazon's space was untouched; the attackers used that position to serve forged records for myetherwallet.com.

  • 2022: The Celer Bridge attack announced a /24 covering the cBridge front-end out of a larger Amazon block, obtained a domain-validated TLS certificate while holding the route, and served a phishing front-end; about $235,000 was stolen.

Why It Works

  • Routers forward on longest-prefix match, so a /25 beats the legitimate /24 everywhere it propagates; BGP best-path selection never even compares the two.

  • Many networks accept anything up to /24 (IPv4) and /48 (IPv6) without checking the announced length against the covering ROA's maxLength.

Mitigation

  • Reject prefixes longer than /24 (IPv4) and /48 (IPv6), drop RPKI-invalid routes, and publish ROAs with minimal maxLength so that any more-specific of your prefix is RPKI-invalid.

  • Use encrypted, authenticated transport (TLS with certificate validation, VPNs) so intercepted traffic is not readable. Domain-validated certificate issuance is itself vulnerable while a hijack is in progress (the Celer Bridge attackers obtained a valid certificate this way), so CAA records, CAs that validate from multiple network vantage points, and HSTS reduce that exposure.

BGP timed attacks (Short-lived hijacks)

Attack Pattern

  • Attackers announce malicious routes for just minutes, or repeatedly in short bursts, to stay below the reaction time of operators and the polling interval of monitoring.

  • Used in financial fraud (e.g., diverting cryptocurrency mining or trading traffic).

Real-World Examples

  • 2014: Over roughly four months, an attacker repeatedly hijacked prefixes of Bitcoin mining pools for short intervals, redirecting miners to a pool under the attacker's control; Dell SecureWorks estimated that about $83,000 in mined Bitcoin was diverted.

  • 2017: The Rostelecom announcement of Visa, Mastercard and HSBC prefixes lasted only a few minutes, long enough to be recorded by route collectors but too short for most operators to react.

Why It Works

  • Monitoring that polls route collectors periodically, or that alerts only after an anomaly persists, misses events that start and end between two checks.

  • Even when an alert fires, most networks have no automated response; a human must contact the upstream or the offending network.

Mitigation

  • Real-time BGP monitoring from streaming feeds (e.g., RIPE RIS Live, BGPalerter) that alerts on the first offending announcement rather than after a persistence threshold.

  • Financial firms should use dedicated, secured links and end-to-end authenticated transport for trading and API traffic.
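A streaming detector of the kind the "side-hijacking" and "timed attacks" sections call for: every UPDATE is classified as it arrives, so a more-specific, a wrong origin or a blackhole tag on a monitored prefix raises an alert within one message, and the withdrawal closes the event with its measured duration. This is an added example, not code from the page or from RIPE; the messages are constructed in the shape of RIS Live "ris_message" JSON (the real feed is the websocket at wss://ris-live.ripe.net/v1/ws/), and the monitored prefix and ASNs are documentation/private-use values.

```python
import ipaddress

# Constructed: prefixes we operate and the ASNs allowed to originate them.
MONITORED = {"203.0.113.0/24": {64500}}

BLACKHOLE = [65535, 666]   # RFC 7999 community as RIS Live encodes it ([asn, value])

# Constructed messages in the shape of RIPE RIS Live "ris_message" JSON; not a real capture.
SAMPLE_STREAM = [
    # t=0: the legitimate announcement
    {"type": "ris_message", "data": {
        "timestamp": 1700000000.0, "peer_asn": "64496", "host": "rrc00", "type": "UPDATE",
        "path": [64496, 64500], "community": [[64496, 10]],
        "announcements": [{"next_hop": "192.0.2.1", "prefixes": ["203.0.113.0/24"]}],
        "withdrawals": []}},
    # t=100: AS64666 announces a more-specific /25
    {"type": "ris_message", "data": {
        "timestamp": 1700000100.0, "peer_asn": "64497", "host": "rrc01", "type": "UPDATE",
        "path": [64497, 64666], "community": [],
        "announcements": [{"next_hop": "192.0.2.9", "prefixes": ["203.0.113.0/25"]}],
        "withdrawals": []}},
    # t=130: forged origin (64500 appended) plus a blackhole tag on the exact prefix
    {"type": "ris_message", "data": {
        "timestamp": 1700000130.0, "peer_asn": "64497", "host": "rrc01", "type": "UPDATE",
        "path": [64497, 64666, 64500], "community": [[65535, 666]],
        "announcements": [{"next_hop": "192.0.2.9", "prefixes": ["203.0.113.0/24"]}],
        "withdrawals": []}},
    # t=340: both rogue routes withdrawn after a few minutes
    {"type": "ris_message", "data": {
        "timestamp": 1700000340.0, "peer_asn": "64497", "host": "rrc01", "type": "UPDATE",
        "path": [], "community": [], "announcements": [],
        "withdrawals": ["203.0.113.0/25", "203.0.113.0/24"]}},
]


class HijackDetector:
    """Evaluates every UPDATE as it arrives, so a hijack lasting minutes still raises an alert."""

    def __init__(self, monitored=MONITORED):
        self.monitored = {ipaddress.ip_network(p): set(asns) for p, asns in monitored.items()}
        self.active = {}     # (peer_asn, prefix) -> (event, origin, first_seen)
        self.alerts = []

    def classify(self, prefix, origin, communities):
        net = ipaddress.ip_network(prefix, strict=False)
        for mon, origins in self.monitored.items():
            if net.version != mon.version or not net.subnet_of(mon):
                continue
            if net.prefixlen > mon.prefixlen:
                return "more-specific"          # longest-match steals part of our space
            if origin not in origins:
                return "wrong-origin"           # exact prefix, unexpected origin AS
            if BLACKHOLE in communities:
                return "blackhole-tagged"       # origin looks right, but someone wants it dropped
        return None

    def handle(self, msg):
        data = msg["data"]
        if data.get("type") != "UPDATE":
            return
        ts, peer = data["timestamp"], data.get("peer_asn")
        path = data.get("path") or []
        origin = path[-1] if path and isinstance(path[-1], int) else None
        communities = data.get("community") or []
        for ann in data.get("announcements", []):
            for prefix in ann["prefixes"]:
                event = self.classify(prefix, origin, communities)
                if event and (peer, prefix) not in self.active:
                    self.active[(peer, prefix)] = (event, origin, ts)
                    self.alerts.append({"event": event, "prefix": prefix, "origin": origin,
                                        "peer": peer, "path": path, "t": ts})
        for prefix in data.get("withdrawals", []):
            seen = self.active.pop((peer, prefix), None)
            if seen:
                event, origin, first = seen
                self.alerts.append({"event": "withdrawn", "prefix": prefix, "origin": origin,
                                    "peer": peer, "duration_s": ts - first, "t": ts})


def run(stream=SAMPLE_STREAM, monitored=MONITORED):
    detector = HijackDetector(monitored)
    for msg in stream:
        detector.handle(msg)
    return detector.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Events are keyed per (collector peer, prefix) because a RIS peer withdraws only what it announced; the /25 event here lasts 240 seconds and the forged-origin event 210 seconds, both well inside the window a five-minute polling monitor would miss.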

Defence recommendations

For Networks & ISPs:

  • Mandate RPKI: publish ROAs (Route Origin Authorizations) for your prefixes and drop RPKI-invalid routes.

  • Join MANRS (Mutually Agreed Norms for Routing Security).

  • Filter bogus routes (e.g., bogon and private address space, private ASNs in the path, too-specific prefixes, your own prefixes learned from outside) and enforce max-prefix limits on every session.

For Enterprises:

  • Use encrypted tunnels (IPsec, WireGuard) for critical traffic.

  • Diversify transit providers to reduce single-point failures.

For Governments:

  • Regulate BGP security (e.g., FCC’s proposed BGP mandates).

  • Share hijack intelligence via organizations like FIRST.

Thoughts

Border Gateway Protocol (BGP) attacks have become increasingly sophisticated, with state-sponsored actors, cybercriminals, and hacktivists exploiting BGP's trust-based design.