Role of US agencies limited in protecting against BGP hijacks, attacks on internet architecture

The fundamental resilience of the global internet is strong, but manipulation of the domain name system (DNS) and Border Gateway Protocol (BGP), denial of service attacks, supply chain exploitation and insiders can still threaten major disruptions, according to the Government Accountability Office.

In particular, the agency worries that BGP — which functions as the postal service of the internet, routing network traffic along the most efficient paths between devices — can be subject to both intentional and unintentional breakdowns that could lead to such traffic being misrouted or hijacked by a malicious party.

It’s not a new concern. The threats are more than hypothetical and even errors can result in significant disruptions or exposure of unintended traffic.

In 2015, a misconfiguration by Telekom Malaysia resulted in “significant packet loss and internet slow down in all parts of the world” as well as “severe service degradation between the Asia Pacific region and the rest of their network,” according to BGPMon.

A similar mistake by Nigerian Internet Service Provider Main One in 2018 wound up rerouting internet traffic to China Telecom, an incident that repeated in 2019 with Swiss data center colocation company Safe Host.

More recently, the Ukrainian Computer Emergency Readiness Team (CERT) has claimed that an unnamed bank was subject to a BGP hijacking attack in February.

 A panel of experts in 2021 concluded that under the status quo, less sophisticated, non-state actors are capable of disrupting or rerouting specific BGP providers or certain geographic regions, while some advanced persistent threat groups (APT) are capable of “more severe damage.”

Agency initiatives in securing internet architecture

While multiple federal agencies have worked on ways to improve the security and reliability of BGP, the report notes that their reach is limited as the government has gradually ceded its role overseeing internet architecture over the years to a collection of private and nonprofit stakeholders.

A National Science Foundation program called Secure and Trustworthy Cyberspace has funded a number of initiatives dedicated to BGP and DNS abuse, while the Future Internet Architectures program funds a variety of projects more generally dedicated to the security and resilience of the open internet. The National Institute for Standards and Technology is working to develop a consensus problem definition for unintentional BGP route leaks, model potential security improvements and develop prototypes, develop tools and measurements for early security adopters and develop guidance.

In 2020 Cyber Storm, an annual exercise led by the Cybersecurity and Infrastructure Security Agency (CISA), used scenarios involving intentional targeting of the internet’s backbone including BGP, DNS and signed certificate authorities, to test how federal, state and private stakeholders would respond. The attacks included simulated data breaches, phishing campaigns, traffic interception and attacks using ransomware and other malware.

Among the agency’s takeaways from the exercise was that “there was no perfect solution to the attacks” and that “players experienced the difficulty of identifying and addressing an attack, highlighting the value of a flexible approach to incident coordination and response and the importance of collaboration with partners like third-party vendors.”

More recently, the Federal Communications Commission, which regulates the internet and other communications, has asked the public for input on how to better protect BGP protocols from inadvertent and malicious redirections. Among the questions they’re seeking to answer is where Internet Service Providers, public Internet Exchange Providers, and providers of interconnected VoIP service have deployed BGP routers, what industry metrics exist for measuring the scope of and frequency of BGP security incidents, the effectiveness of current security mitigations like BGPsec extensions and what additional roles the FCC could take to ensure greater security for BGP and the internet ecosystem.

The commission flagged Russia in particular as a credible threat to undermine the overall integrity of BGP.

“Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including instances in which traffic has been redirected through Russia without explanation,” the agency wrote in a Feb. 28 Notice of Inquiry.