Euro Security Watch with Mathew J. Schwartz

Regulator Announces Border Gateway Protocol Security Review

Move Follows Alleged Russian BGP Hijacking to Target Ukrainian Bank Before Invasion
Could a fundamental but poorly secured protocol that helps power the internet finally get needed improvements?

Border Gateway Protocol is one of a number of trusted protocols underpinning the accurate and reliable functioning of the internet. Simply put, BGP enables the internet to exchange routing information between autonomous systems, so that data gets where it's supposed to go. By distributing routing information, BGP enables routers to connect users with specific IP address prefixes.

Or at least that's the theory.

In practice, unfortunately - as with the domain name system - BGP was never designed with security in mind and regularly gets abused by nation-state attackers for cyberespionage (see: Criminals, Nation-States Keep Hijacking BGP and DNS).

Criminals also regularly target BGP for attacks aimed at bank customers or cryptocurrency exchanges and their users (see: Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack).

"BGP and DNS are the soft underbelly of the web," Alan Woodward, a professor of computer science at the University of Surrey, told me in 2019. Little has changed since then.

"BGP is totally based upon trust at present, and if that is broken - by mistake or deliberately - then routing can be subverted," he said. "There are initiatives to try to secure BGP, such as Secure Inter-Domain Routing, but they will take a long time to be universal."

FCC Launches BGP Security Review

So it's welcome news that after security experts for years have been warning that BGP remains poorly secured and poses a risk, the U.S. government is finally taking a closer look.

The Federal Communications Commission on Monday announced that it has begun a security review of BGP and will soon open a 30-day period for comment.

The timing of the FCC's call for comments is auspicious, not least from a national security perspective, given that Russia reportedly used BGP hijacking against Ukraine last week.

"There's nothing like a war to get them listening," Woodward says.

Ukraine's computer emergency response team, CERT-UA, reported seeing BGP hijacking attacks less than 24 hours before Russian troops invaded on Feb. 24, at the same time Ukrainian government and banking systems were being hit by distributed denial-of-service attacks.

"Around the same time of the DDoS attacks … CERT-UA asserted that there was a BGP hijacking attack against a Ukrainian bank," Cisco Talos says. "This potentially allowed traffic that was intended to reach the bank to reroute temporarily to another destination."

Russia's BGP Hijacking Expertise

If so, this wouldn't be Russia's first BGP hijacking rodeo.

"Russian network operators have been suspected of exploiting BGP's vulnerability to hijacking, including instances in which traffic has been redirected through Russia without explanation," the FCC says in its BGP security review announcement.

"In late 2017, for example, traffic sent to and from Google, Facebook, Apple and Microsoft was briefly routed through an Internet service provider in Russia," it says. "That same year, traffic from a number of financial institutions, including MasterCard, Visa, and others was also routed through a Russian government-controlled telecommunications company under 'unexplained' circumstances."

There are ways to strengthen BGP to avoid these types of "unexplained" situations, including the Internet Engineering Task Force's Secure Inter-Domain Routing initiative, which is designed to create infrastructure that would allow an entity "to verifiably assert that it is the legitimate holder of a set of IP addresses or a set of Autonomous System (AS) numbers." But many organizations have yet to adopt this.

Security Fixes Available

Two other protocols that could help fix BGP are Resource Public Key Infrastructure and BGPsec, as Jonathan Sullivan, CTO of NS1, an intelligent DNS and internet traffic management technology company based in New York, has told me.

"RPKI provides a secure way to connect internet number resource information, such as IP addresses, to a trust anchor, and it ensures that updates are secure and authentic," Sullivan said. "BGPsec extends the RPKI by adding an additional BGPsec router certificate that binds public and corresponding private keys to validate and protect the routing path."

While both could help, that wouldn't happen until adoption hits a critical mass, Sullivan said.
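
To make the RPKI half of that concrete, here is an added example (not from the article, NS1 or any vendor) of the route origin validation a router performs against RPKI data, following RFC 6811. The ROA entries, prefixes and AS numbers are constructed from documentation-reserved ranges, and the names `VRP`, `validate_origin` and `accepted_routes` are made up for this illustration; it checks only the origin AS, not the path that BGPsec is meant to protect.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: what a verified ROA authorizes."""
    prefix: Network
    max_length: int   # longest prefix length the holder allows
    asn: int          # AS authorized to originate the prefix

# Constructed sample data: documentation prefixes and AS numbers, not real ROAs.
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("203.0.113.0/24"), 25, 64500),
]

def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        # A VRP covers the route if the route lies inside the VRP prefix.
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # Match: same origin AS (AS 0 never matches) and not too specific.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accepted_routes(announcements, vrps=VRPS):
    """Assumed import policy for illustration: drop 'invalid', keep the rest."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, vrps) != "invalid"]

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # matches the ROA
    ("192.0.2.0/24", 64511),      # covered, wrong origin AS
    ("192.0.2.0/25", 64496),      # covered, longer than maxLength
    ("203.0.113.128/25", 64500),  # more specific but within maxLength
    ("198.51.100.0/24", 64499),   # no ROA published for this prefix
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn}  {validate_origin(prefix, asn)}")
```

The `not-found` result is where adoption shows up in practice: a prefix whose holder has published no ROA gets no protection from origin validation, whoever announces it.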

Welcome Development

The FCC's move, however, could inject much needed urgency into the BGP security discussion.

"The FCC is demonstrating a commitment to network security, and with further support from the agency, the backbone of the internet can be strengthened and safeguarded quickly and thoroughly," says Ryan Davis, CISO of NS1.

What's his best-case scenario? "To best protect communications networks from vulnerabilities, the FCC should establish unified standards for BGP security, which would include promoting the hardening of systems," he tells me. "This would allow for broad, consistent enforcement of and adherence to the safest security practices."

But he says such standards would have to be made mandatory. "The timeline for seeing measurable improvements is tied to the strength of enforcement," he says. "Requesting that providers follow a standard may result in some effectiveness, but to see widespread adoption, imposing fines for noncompliance with a reasonable and achievable deadline is far more likely to gain traction."

More Secure BGP Ahead?

Time and again, widely used, essential but poorly secured internet protocols continue to pose a massive security risk to all. Hopefully, the FCC's BGP security review will gain steam and help leave us with one less core internet component that can too easily be exploited.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.