Today we are increasingly connected, and our digital and analog lives converge more and more each day. This phenomenon, which was already increasing at a considerable rate, was further accelerated by the crisis caused by the COVID-19 pandemic. A natural consequence of having more connected devices and people depending on them is the increase in the number of people performing malicious actions on the Internet, and with it the increase in cyberattack attempts.
News about Internet incidents and attacks has been part of traditional news portals for a long time, but these stories typically focus on events that occur in the upper layers of the Internet and disregard the Internet’s “pipelines” – the routing layer – even though there is still a long way to go to ensure that there are no significant routing incidents.
While the general public is unaware of how vulnerable the network is at this level, the technical community has been tackling this challenge for some time by developing and deploying various solutions.
Along with NIC.MX, LACNIC has developed the FORT Project, which is implementing an RPKI deployment campaign in Latin America and the Caribbean in order to increase routing system security and resilience. Other organizations such as the Internet Society address this problem through MANRS, an initiative that provides solutions to reduce major routing threats. Their goal is to support both network operators (ISPs) and Internet exchange points (IXPs). This problem has even been part of the World Economic Forum’s agenda, which has addressed the topic and generated a report containing Cybercrime Prevention Principles for Internet Service Providers.
The fourth of these principles, “Take action to shore up the security of routing and signaling to reinforce effective defense against attacks,” recommends the actions proposed by the MANRS initiative. Likewise, network operators such as Cloudflare, one of the largest global cloud infrastructure providers, have been promoting and deploying measures such as RPKI for years. Recently, they have said that “It’s time networks prevented leaks and hijacks from having any impact. It’s time to make BGP safe. No more excuses.”
But why are all these organizations so focused on securing the Internet routing layer? What are the consequences of not paying attention to this layer’s security?
First, it is essential to know which actors are involved and have an interest in causing these cyberattacks – which may not necessarily be direct attacks on the Internet routing system – in order to understand what their main goals are and how routing layer vulnerabilities are a possible door to achieving them.
On the one hand, according to the report produced by the World Economic Forum, illegal online activities will have a cost of six trillion dollars by 2021. These activities are carried out by an enormous diversity of groups operating at a larger or a smaller scale and with various levels of sophistication. To get an idea of just how enormous their activity is as a whole, all we need to do is look in our personal email account’s spam folder to see the sheer number of malicious emails attempting to commit fraud on a mass scale.
On the other hand, many governments are trying to censor and control online activities. A large proportion of new Internet users, those who have recently started connecting or those who will connect for the first time in the near future, live in highly censored societies. Various studies have been able to prove the existence of institutional actions aimed at blocking certain types of content at different times. OONI (Open Observatory of Network Interference) is a project that aims to empower decentralized efforts in increasing transparency of Internet censorship around the world. Based on free software tools, they detect these blocks and generate a series of reports showing when certain Internet users are the victims of censorship.
In short, attacks include espionage, censorship and fraud, to name but a few. But how can an attacker exploit the routing layer to achieve their goals? Does this truly represent a risk?
Like most Internet protocols, BGP was designed in the late 1980s, when only a handful of networks needed to be connected, a very different scenario from the one we are living in today. Back then, security was not a basic principle that needed to be considered, so the protocol was strongly based on trust among the different parties. Today the reality is quite different. Now, with almost 100,000 autonomous systems, it is no longer possible to assume that all participants are reliable.
For instance, when we visit a website, both our device and the server hosting the website have an IP address that allows them to be identified. Data packets have an origin and a destination. In order to get from one end to the other, the packets will travel through various intermediate networks and autonomous systems, following routes that are generated based on BGP announcements.
When, either maliciously or due to an error, an autonomous system makes an incorrect announcement, it can cause traffic to be diverted towards it. Once traffic is redirected, it is possible to successfully carry out the attacks mentioned above.
Figure 1: Different types of cyberattacks that can result from a routing incident
While there are increasing efforts on the part of network operators to implement filtering and RPKI as well as other initiatives such as LACNIC’s FORT Project, a significant number of incidents continue to occur on a daily basis, and some of them even manage to have a significant impact on the Internet.
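The filtering that RPKI enables is Route Origin Validation (RFC 6811): a router compares each received announcement against the published ROAs and marks it valid, invalid or not-found, so the incorrect announcements described above can be dropped before they divert traffic. The following is an added illustration of that check, not code from the FORT Project or LACNIC; the ROAs, prefixes (RFC 5737 documentation ranges) and ASNs (private range) are constructed sample data.

```python
"""RPKI Route Origin Validation (RFC 6811) over constructed sample data.

Added illustration, not code from the FORT Project or LACNIC. The ROAs and
BGP announcements below are constructed examples; the prefixes are
documentation ranges (RFC 5737) and the ASNs are from the private range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest more-specific the origin may announce
    origin_asn: int


def validate(announced_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    RFC 6811: a ROA "covers" a route if the route's prefix lies within the
    ROA prefix. No covering ROA -> not-found. Any covering ROA with the same
    origin AS and route length <= maxLength -> valid. Otherwise -> invalid
    (wrong origin AS, or a more-specific announcement than authorised).
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed ROA set: the holder of 203.0.113.0/24 authorises AS64500 to
# originate it and any more-specific down to /25.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 25, 64500)]


def classify(announcements, roas=SAMPLE_ROAS):
    """Classify a list of (prefix, origin_asn) announcements."""
    return {(p, a): validate(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    # Constructed announcements as a router might receive them.
    sample = [
        ("203.0.113.0/24", 64500),   # legitimate origin -> valid
        ("203.0.113.0/24", 64511),   # another AS claims the prefix -> invalid
        ("203.0.113.0/26", 64500),   # right origin, exceeds maxLength -> invalid
        ("198.51.100.0/24", 64500),  # no ROA at all -> not-found
    ]
    for (prefix, asn), state in classify(sample).items():
        print(f"{prefix:<18} AS{asn}  {state}")
```

Only announcements in the invalid state are dropped by a router doing ROV; not-found routes are still accepted, which is why ROA coverage of the address space matters as much as the validation itself.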
Figure 2: Evolution of routing incidents over the past few years (source: https://bgpstream.com/)
To learn more about the incidents that have had an impact on the Internet, you can check out the FORT Project diagnostic report, which also analyzes routing incidents and route hijacks that have occurred in recent years in the LAC region and explains in greater detail the different types of potential incidents with the BGP protocol and their causes.
Likewise, you can also take a look at FORT Monitor, a tool that presents data on the status of routing security in Latin America and the Caribbean and its impact on Internet end users in a simplified format. For example, it shows that over the past three months there have been five route hijacks affecting critical infrastructure.
Much has happened since the AS7007 routing incident in 1997. In practice, it is impossible to calculate the damages caused by routing attacks and issues: the number of hours that portals and Internet services remain unreachable, the money lost due to successful fraud attempts such as the Route53 hijack on Amazon DNS, or the immense amount of Internet traffic intercepted by unknown autonomous systems. Routing can no longer depend on the goodwill of its almost 100,000 autonomous systems, and the infrastructure has matured thanks to the development of tools and best practices to mitigate this type of incident.
Although the greatest efforts seem to focus on the security of the upper layers of the Internet, and while it is true that protection measures implemented in these layers, such as end-to-end encryption, reduce the impact of attacks on the network routing system, we cannot say that we have a secure and reliable Internet if network operators do not continue to work on strengthening the routing system.