Criminals, Nation-States Keep Hijacking BGP and DNSWhile Exploitable Protocols and Processes Persist, Adoption of Secure Fixes Lags
The internet is composed of a series of networks built on trust. Unfortunately, that trust can be abused due to weaknesses in older protocols, such as Border Gateway Protocol and the Domain Name System, which were never designed with security in mind.
See Also: Beginners Guide to Observability
BGP distributes routing information, enabling routers to connect users with specific IP address prefixes. DNS works like a phone book, translating text into IP addresses. And both are being exploited by criminal gangs and nation-state actors (see: St. Louis Fed Confirms DNS Hijacking).
"BGP and DNS are the soft underbelly of the web," says Alan Woodward, a professor of computer science at the University of Surrey. "BGP is totally based upon trust at present, and if that is broken - by mistake or deliberately - then routing can be subverted. There are initiatives to try to secure BGP, such as Secure Inter-Domain Routing, but they will take a long time to be universal."
Secure Inter-Domain Routing is an Internet Engineering Task Force initiative to create infrastructure that it says would allow an entity "to verifiably assert that it is the legitimate holder of a set of IP addresses or a set of Autonomous System (AS) numbers."
Until fixes for exploitable protocols are in place, expect criminals to keep calling.
Last April, would-be virtual currency thieves caused a BGP leak, poisoning DNS resolvers to seize control of IP addresses and intercepted cryptocurrency wallet data (see: Cryptocurrency Heist: BGP Leak Masks Ether Theft).
Last November, an apparent BGP hijack made Google's internet traffic route via internet service providers in Nigeria, Russia and China, any of which could have eavesdropped on it. But Nigerian ISP MainOne quickly took the blame, saying the rerouting was due to it making an inadvertent BGP routing error (see: Who Hijacked Google's Web Traffic?).
"I hope this latest fiasco of traffic rerouting through China is the wake-up call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today's BGP routing architecture," Rob Joyce, the U.S. National Security Agency's senior adviser for cybersecurity strategy to the director, said via Twitter at the time.
The same month, the Australian government discovered that all traffic going to its Department of Defense websites was flowing through several of China Telecom's data centers, taking a path it wasn't meant to follow, in what may have been a case of BGP hacking. While it's not clear what happened, the inappropriate BGP routing lasted for nearly 30 months (see: Did China Spy on Australian Defense Websites?).
Cyber Espionage Campaign
DNS is also being abused for cyber espionage. In November 2018, Crowdstrike said it had spotted such a campaign targeting government domains in Lebanon and the United Arab Emirates. "We are naming it DNSpionage due to the fact that it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure," Crowdstrike said.
In January, FireEye documented a global DNS hijacking campaign "that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America," possibly sponsored by Iran.
As security blogger Brian Krebs has reported, one problem with attacks that utilize DNS is that few companies monitor for malicious DNS changes.
Woodward says that's a problem with BGP hijacking as well. While large, well-resourced organizations may quickly spot any such hijacking, service providers in small countries may not.
Domain Hijacking Defenses
Fixes for the security shortfalls in current BGP and DNS protocols exist, including Secure Inter-Domain Routing. But many organizations have yet to adopt them.
To block domain hijacking, organizations can adopt Domain Name System Security Extensions, or DNSSEC, which is an IETF suite of specifications designed to cryptographically sign data to verify that DNS data is valid. It also helps lock down account access and prohibits changes to a site's DNS settings by anyone who is not on a list of authorized users (see: Secure Domains: The DNS Security Debate).
"Many organizations have not protected their zones with DNSSEC because historically there has been a perception that it was difficult to implement and required a tradeoff in functionality," says Jonathan Sullivan, CTO of NS1, an intelligent DNS and internet traffic management technology company based in New York. "We know now with modern DNS this is not the case, but until this perception changes, organizations continue to prioritize the need for optimal performance over security, neglecting DNSSEC implementation."
Slow BGP Fix Adoption
To fix BGP, Sullivan says the security industry needs to bring authentication to bear on every layer of the internet.
To do that, he says organizations should primarily look to two protocols: Resource Public Key Infrastructure and BGPSec.
"RPKI provides a secure way to connect internet number resource information, such as IP addresses, to a trust anchor, and it ensures that updates are secure and authentic," he says. "BGPsec extends the RPKI by adding an additional BGPSec router certificate that binds public and corresponding private keys to validate and protect the routing path."
Both would be helpful for better securing internet users, but adoption has been tepid, he says, because they're only effective once adoption reaches critical mass. "I don't expect RPKI and BGPsec will see wide adoption until there's a seismic event - such as one with major financial damages or government or political implications. But once we reach critical mass, the benefits will be far reaching."
Organizations have also shied away from adopting the technology because it will require additional investment.
"In many cases, the hardware simply cannot support it, and replacing it for the new capabilities can be extremely costly. Consider the magnitude of replacing the majority of major ISP and NSP routers installed before 2010," Sullivan tells Information Security Media Group.
Pending some major catastrophe that drives a sudden rush of adoption, Sullivan says these factors appear unlikely to change soon. "As BGP hijacking attacks increase in volume and scope, so will the incentive to implement authentication-based routing protocols," he says.
"Unfortunately, it is the network services providers who must take action, not the attack victims," he adds. "I hope we will see some sort of industrywide drive to improve BGP security. This could be in the form of regulations and mandates or it could be that users - those who are the intended targets of these attacks - start requiring RPKI and BGPsec from ISPs, much like government agencies require DNSSEC from their providers."
NIST Issues Guidance
Last year, the U.S. National Institute for Standards and Technology announced a proposed project to test RPKI and BGP Origin Validation, which resulted in the release of guidance to "address and resolve the erroneous exchange of network routes."
NIST issued a cybersecurity practice guide, SP 1800-14 (PDF), "Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation." But using the guidance remains voluntary, even for federal agencies.
In June 2018, Andreas Reuter, an internet backbone security researcher, ran tests on behalf of APNIC, the regional internet registry administering IP addresses for the Asia Pacific. He found that adoption of Route Origin Validation was "expectedly bleak," counting only a few dozen network domains - specifically, autonomous systems - that had adopted it.
UK Active Cyber Defense
Other government-led efforts are underway to fix vulnerable internet protocols.
Britain's Active Cyber Defense program, launched in 2016, is designing and testing revised implementations of protocols such as BGP and Signaling System #7, although such efforts have not yet concluded (see: Failed Fraud Against UK Bank Abused Mobile Infrastructure).
"We're currently working with the U.K. telecommunications industry to stop the well-known abuse of the BGP and SS7 protocols to reroute traffic," Ciaran Martin, chief of the National Cyber Security Center, the public-facing component of intelligence agency GCHQ, said in 2016.
"This is about changing the implementation of [BGP], the protocol used to sort out IP routing between carriers, and SS7, the international telecoms signaling protocol, so that we can stop trivial re-routing of U.K. traffic and make some more bold statements," said Ian Levy, NCSC's technical director. "If the BGP work succeeds, we should be able to say that hijacking a U.K. prefix by BGP is harder."