The Internet’s Border Gateway Protocol is a key risk area that needs attention, says ENISA
- Published: Tuesday, 21 May 2019 08:38
ENISA, the European Union’s network and information security agency, has warned that hijacking attacks aimed at the Border Gateway Protocol (BGP) are increasing, creating risks to the resilience of the Internet.
Last year ENISA surveyed a range of large and small providers across the EU, confirming that BGP hijacks are an issue: 44 percent of respondents said that the impact of BGP incidents is high, affecting large numbers of users and lasting many hours, and 93 percent said the problem needs an urgent fix.
The Border Gateway Protocol is in effect the Internet’s dynamic route map: network operators use it to exchange reachability information and choose the path traffic takes from one network to another across the globe. But it is 25 years old and was not designed with security in mind; by default a router accepts whatever routes its neighbours announce, with no check that the announcing network is entitled to that address space. The good news is that there are remedies, but unfortunately not all network operators are implementing them.
BGP attacks are used for different purposes, ranging from financial crime that targets a handful of users to steal cryptocurrency, to large-scale espionage, and they can even cause crippling Internet outages. Today’s dependency on the Internet, increased usage, and the growing number and sophistication of cyber attacks mean that the risks of leaving BGP unsecured are very high.
ENISA makes the following recommendations for BGP security:
- Monitoring and detection: monitor the routes used by your Internet traffic, and who is announcing your own prefixes, to detect anomalies; this matters not only for resilience but also for the privacy and security of subscribers, since hijacked traffic can be intercepted or dropped;
- Coordination: it is crucial to coordinate with peers, by publishing route policies and taking part in peering databases, so that others can build filters from your declared routing intentions;
- Prefix filtering: it is important to filter prefixes that should never be announced or forwarded in your network (for example your own address space arriving from a peer, or prefixes more specific than /24 for IPv4), on both ingress and egress;
- Path filtering: it is important to filter BGP AS path attributes for items that should not be allowed in route announcements into or out of your network, such as private or reserved AS numbers;
- Bogon filtering: it is important to filter out bogus prefixes (bogons), meaning reserved, private and unallocated address space, as these prefixes should never appear in BGP announcements;
- Time-to-live security (GTSM): it is important to implement TTL security, under which both routers send with TTL 255 and discard session packets whose TTL shows they travelled more hops than the directly connected peer, which makes it harder to attack BGP sessions with spoofed packets;
- Resource Public Key Infrastructure (RPKI): it is important to implement RPKI, both by publishing signed Route Origin Authorizations (ROAs) for your own prefixes and by validating the announcements you receive, so that peers can check that a prefix is announced by its authorized origin AS and reject hijacked announcements.
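As an added example (not ENISA’s guidance or code from the article), the following Python script applies several of the recommendations above, namely bogon filtering, AS path filtering, prefix-length filtering, RPKI route origin validation as specified in RFC 6811, and origin monitoring for one’s own prefixes, to a handful of constructed announcements. The ROA table, bogon list, own-prefix table, prefixes and AS numbers are all assumed values drawn from documentation ranges; a real deployment would take ROAs from an RPKI validator and the bogon list from a maintained feed, and would enforce these checks in the router’s route policy rather than in a script.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROA table: (prefix, maxLength, authorized origin AS). In production
# these come from the RIRs through an RPKI validator; the entries here are assumed.
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 25, 64501),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]

# Bogons: reserved, private or otherwise unroutable space that must never be
# announced in the global table (a subset of the well-known bogon lists).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::/8", "fc00::/7", "fe80::/10",
)]

# AS numbers that must not appear in a path learned from the Internet:
# the private-use ranges plus a few reserved values.
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]
RESERVED_ASNS = {0, 23456, 65535, 4294967295}

# Prefixes this network originates and the AS that should announce them
# (assumed values), used by the monitoring check.
OWN_PREFIXES = {"192.0.2.0/24": 64500, "2001:db8::/32": 64500}


@dataclass
class Announcement:
    prefix: str
    as_path: list  # left-most entry is the neighbour, right-most is the origin


def is_bogon(prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.version == b.version and net.subnet_of(b) for b in BOGONS)


def bad_asn_in_path(as_path):
    """Return the first private or reserved ASN in the path, or None."""
    for asn in as_path:
        if asn in RESERVED_ASNS or any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
            return asn
    return None


def rov_state(prefix, origin_as):
    """RFC 6811 origin validation: 'valid' if a covering ROA authorizes this
    origin at this length, 'invalid' if covering ROAs exist but none match,
    'not-found' if no ROA covers the prefix at all."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "not-found"
    if any(asn == origin_as and net.prefixlen <= max_len for _, max_len, asn in covering):
        return "valid"
    return "invalid"


def evaluate(ann):
    """Apply the ingress filters in order and return the decision as a string."""
    if is_bogon(ann.prefix):
        return "reject: bogon prefix"
    bad = bad_asn_in_path(ann.as_path)
    if bad is not None:
        return f"reject: private/reserved AS{bad} in path"
    net = ipaddress.ip_network(ann.prefix)
    if (net.version == 4 and net.prefixlen > 24) or (net.version == 6 and net.prefixlen > 48):
        return "reject: prefix too specific"
    state = rov_state(ann.prefix, ann.as_path[-1])
    if state == "invalid":
        return "reject: RPKI invalid"
    return f"accept ({state})"


def origin_alerts(anns):
    """Monitoring: report announcements of our own space with an unexpected origin AS."""
    alerts = []
    for ann in anns:
        net = ipaddress.ip_network(ann.prefix)
        for own, asn in OWN_PREFIXES.items():
            own_net = ipaddress.ip_network(own)
            if net.version == own_net.version and net.subnet_of(own_net) and ann.as_path[-1] != asn:
                alerts.append((ann.prefix, ann.as_path[-1]))
    return alerts


# Constructed sample announcements as received from a neighbour in AS64496.
SAMPLE = [
    Announcement("192.0.2.0/24", [64496, 64500]),         # legitimate origin
    Announcement("192.0.2.0/24", [64496, 64505]),         # origin hijack: wrong AS
    Announcement("203.0.113.0/24", [64496, 64502]),       # no ROA published
    Announcement("10.0.0.0/8", [64496, 64500]),           # bogon
    Announcement("192.0.2.0/24", [64496, 65001, 64500]),  # private ASN leaked into path
    Announcement("198.51.100.128/26", [64496, 64501]),    # more specific than accepted
    Announcement("2001:db8:1::/48", [64496, 64500]),      # IPv6, covered by the /32 ROA
]

if __name__ == "__main__":
    for ann in SAMPLE:
        print(f"{ann.prefix:20} path {ann.as_path} -> {evaluate(ann)}")
    print("origin alerts:", origin_alerts(SAMPLE))
```

Two design points are worth noting. Announcements with RPKI state "not-found" are accepted, because most of the global table still has no ROA; rejecting invalid routes therefore only protects prefixes whose holders have published ROAs, which is why the RPKI recommendation covers both publishing and validating. And the hijack in the sample is caught twice, once as RPKI invalid on ingress and once by the origin monitor, which is the detection an operator still needs for the case where a distant network that does not validate accepts the bogus route.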