What is BGP Hijacking?


Posted By: Garry | 1 Replies | Last Reply On: Sep 25, 2019 11:37:37

What is BGP prefix hijacking and how does it work? How can one defend against BGP hijacking and prevent it from taking place in the first place?

Is there a way to monitor when BGP hijacking takes place?

Psychz - Mahesh

Votes: 0 | Posted On: Sep 25, 2019 11:37:37

BGP hijacking, sometimes referred to as route hijacking, prefix hijacking, or IP hijacking, is done by illegitimately taking over groups of IP addresses by corrupting the Internet routing tables maintained using the Border Gateway Protocol (BGP). Before we look at how this is done, we will first try to understand what BGP (Border Gateway Protocol) is.

So what is BGP?

Border Gateway Protocol can be used by customers who need the ability to announce IPs in different locations and withdraw an IP and/or prefix at a moment's notice. BGP-speaking routers exchange routing information through a series of BGP updates. An originating BGP router announces an IP address prefix to its attached neighbors, which in turn propagate the information to other routers until some target router learns about the prefix and a route to reach the destinations in that prefix.

What is BGP prefix Hijacking?

There is no authentication mechanism in the BGP protocol to verify routes, which leads to a vulnerability where any BGP router can announce any prefix as if it owns that prefix, or even modify the route associated with a prefix. Most network operators configure BGP routers to develop a peering relationship with other Autonomous Systems for the purpose of exchanging routing information. However, they do not have control over who is allowed inside BGP. Also, the BGP protocol itself does not have the necessary mechanisms in place to authenticate prefix ownership (or the path to a specific prefix). A malicious entity may hijack the prefixes of other Autonomous Systems either by compromising a BGP-speaking router or by participating in global routing themselves. In some cases, BGP hijacks happen due to misconfigurations.

Now let us understand how BGP prefix hijacking is done

In a prefix hijacking attack, a BGP-speaking router announces a direct route to a prefix p that it does not actually own or is not authorized to announce. The neighboring BGP speakers either accept this route and replace the current route they have for prefix p, or reject it during the route selection process. To better understand these attacks, consider the example shown in Figure-1. Here, router asn1 is announcing the prefix 27.1/19. The announcement propagates through the network and reaches router asn3, which installs a route for 27.1/19 and sets the next hop to asn2. Now suppose a malicious router asn4 wants to hijack 27.1/19; it simply announces a route for 27.1/19 to its neighbor asn3. Assuming asn3 has not set local policies for 27.1/19, asn3 will select the route for 27.1/19 based on the AS-PATH attribute. In this case, the route for 27.1/19 from asn1 has AS-PATH:, while the route for 27.1/19 from the adversary has AS-PATH:. Since the route from the adversary is shorter, router asn3 will select this route and forward any traffic to the destinations covered by 27.1/19 to router asn4.

Ways to Monitor BGP Hijacking

When IP prefixes are hijacked, the connection might be redirected and discarded. In such a case, detecting the hijack is an easy task since the service becomes unavailable. But sometimes during the attack the data might be intercepted or modified, and detection is not so straightforward because the connection is still working. BGP hijacking can still be detected, however, since the BGP AS_PATH attribute gets changed. Moreover, network traffic takes a different (non-optimal) path, which leads to degraded performance and increased round-trip time (RTT). Providers' Looking Glass (LG) servers or Route Views are great tools to discover a change in the routing paths.

Traceroute
The traceroute tool prints the route packets take to a destination host. Internally, traceroute sends a series of messages (commonly ICMP) with the IP TTL value set to the number of hops it wants to discover. Since the TTL expires upon reaching the target hop, the node at that hop responds with an error message. This way, traceroute can figure out the path to a destination.

Netstat
The netstat command-line utility can be used to print the IP forwarding table of a host. It can also print other useful information about a host's network activity, including the active connections for each protocol, packet statistics and so forth. For more information about netstat and its options, check out the man page (on any Linux machine): man netstat

Quagga
Quagga is a cross-platform routing software package which supports many routing protocols, including RIP, RIPng, OSPFv2, OSPFv3, and BGP. Quagga can be installed on a general-purpose machine to turn it into a software-based router. Moreover, it provides a simple interface to set up static routing on a host. For this lab exercise, we are particularly interested in the BGP routing part of Quagga. Throughout the exercise, we assume Quagga is running on Ubuntu Linux.

Quagga stores its configuration files in the /etc/quagga/ directory, and has a separate configuration file for each of the routing protocols it supports. For instance, the BGP routing configuration is stored in /etc/quagga/bgpd.conf. The configuration file /etc/quagga/daemons specifies which of the routing protocol daemons are enabled on the host (set to "yes" to enable a protocol). Quagga also supports a telnet interface to enter configuration commands in real-time. For example, the BGP instance can be configured in real-time by telnetting to localhost and specifying bgpd as the port number (bgpd is an alias for port 2605).

A few basic BGP prefix hijacking prevention methods

Limit Maximum Prefixes
To avoid a flood of BGP advertisements from a customer, we can control how many prefixes can be received from a neighbor. Once the neighbor sends more prefixes than the configured limit, the session will switch from Established to Idle (PfxCt).

Filter Default Route
Unless customers need a default route, they should block it. Sequence 10 denies the default prefix. All other routes are matched and permitted by sequence 20.

Limit AS_PATH in Announced Prefixes
We can limit the AS_PATH in announced prefixes using a BGP AS path filter. The regular expression ^$ in the ACL statement matches an empty AS_PATH, so it allows only locally announced prefixes to be sent to the ISP.

Announce Only Owned Prefixes
Now we create a prefix-list on the customer router that permits the announcement of only the assigned prefix 199.1.1.0/24. The list is applied toward the ISP router. All other prefixes are not sent.
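The hijack walked through in the answer above (asn4 winning at asn3 purely on AS_PATH length) and the monitoring question from the original post, as an added Python example that is not part of the reply or of any Psychz tooling. It models one router's route selection with no local policy, adds the longest-prefix-match case where a more specific announcement wins regardless of path length, and shows the origin-AS check a monitoring script would run over observations pulled from a looking glass or RouteViews. All AS numbers, prefixes and paths are constructed for illustration (27.1.0.0/19 stands in for the post's 27.1/19).

```python
"""Added example, not code from the original post: a toy model of the
AS_PATH-length hijack described above, plus the origin check a monitoring
script would run over Looking Glass / RouteViews style observations.
All AS numbers, prefixes and paths are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "27.1.0.0/19" (the post's 27.1/19)
    as_path: Tuple[int, ...]    # leftmost = neighbour that sent it, rightmost = origin AS
    next_hop: str               # neighbour the route was learned from


@dataclass
class BgpSpeaker:
    asn: int
    rib_in: Dict[str, List[Route]] = field(default_factory=dict)

    def receive(self, route: Route) -> None:
        self.rib_in.setdefault(route.prefix, []).append(route)

    def best(self, prefix: str) -> Optional[Route]:
        """Route selection reduced to the rule in the post: with no local
        policy configured, the shortest AS_PATH wins."""
        return min(self.rib_in.get(prefix, []),
                   key=lambda r: len(r.as_path), default=None)

    def lookup(self, ip: str) -> Optional[Route]:
        """Forwarding decision: longest-prefix match first, then best path.
        A more specific hijacked prefix wins even with a longer AS_PATH."""
        addr = ipaddress.ip_address(ip)
        matching = [p for p in self.rib_in if addr in ipaddress.ip_network(p)]
        if not matching:
            return None
        most_specific = max(matching,
                            key=lambda p: ipaddress.ip_network(p).prefixlen)
        return self.best(most_specific)


def check_origins(observed: Dict[str, Tuple[int, ...]],
                  expected: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Monitoring check. `observed` maps prefix -> AS_PATH as seen from a
    vantage point (e.g. a looking glass); `expected` maps your prefixes to
    the ASN that should originate them. Flags a wrong origin AS and any
    more-specific announcement of your space from an unexpected origin."""
    findings = []
    for prefix, path in observed.items():
        origin = path[-1]
        if prefix in expected:
            if origin != expected[prefix]:
                findings.append(("ORIGIN_MISMATCH", prefix, origin))
            continue
        net = ipaddress.ip_network(prefix)
        for owned, owner in expected.items():
            if net.subnet_of(ipaddress.ip_network(owned)) and origin != owner:
                findings.append(("MORE_SPECIFIC", prefix, origin))
    return findings


def scenario() -> Dict[str, object]:
    """Replays the post's example: asn3 first learns 27.1/19 via asn2 from
    origin asn1, then asn4 announces the same prefix directly."""
    asn3 = BgpSpeaker(asn=3)
    asn3.receive(Route("27.1.0.0/19", (2, 1), next_hop="asn2"))
    before = asn3.best("27.1.0.0/19").next_hop                 # "asn2"
    asn3.receive(Route("27.1.0.0/19", (4,), next_hop="asn4"))  # the hijack
    after = asn3.best("27.1.0.0/19").next_hop                  # "asn4": shorter path wins
    # What a looking glass behind asn3 would now report for the prefix.
    observed = {"27.1.0.0/19": (3,) + asn3.best("27.1.0.0/19").as_path}
    findings = check_origins(observed, {"27.1.0.0/19": 1})
    return {"before": before, "after": after, "findings": findings}


if __name__ == "__main__":
    print(scenario())
```

The detection side deliberately checks only the origin AS and more-specific announcements, which is what a prefix owner can verify without RPKI; a path that still ends in the right origin but has been tampered with in the middle would need the AS_PATH comparison the answer mentions.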
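The four prevention methods listed in the answer, as an added Python example that is not part of the reply and not router configuration: it models how a customer router applies them to updates received from a neighbour (maximum-prefix limit, default-route filter) and to updates sent toward the ISP (the ^$ AS path filter, the prefix-list). The limit of 2 prefixes, the neighbour ASN 64500 and the 10.x test prefixes are constructed; 199.1.1.0/24 is the assigned prefix from the answer.

```python
"""Added example, not code from the original post: a toy model of the
four prevention controls listed above, as a customer router would apply
them to updates received from a neighbour (inbound) and sent to the ISP
(outbound). The limit, the ASNs and the extra prefixes are constructed;
199.1.1.0/24 is the assigned prefix from the post."""
import ipaddress
import re
from typing import Dict, Tuple

OWNED_PREFIXES = {"199.1.1.0/24"}      # prefix-list content from the post
AS_PATH_FILTER = re.compile(r"^$")     # as-path access-list: empty AS_PATH only


class InboundSession:
    """Models 'Limit Maximum Prefixes' and 'Filter Default Route'."""

    def __init__(self, max_prefix: int) -> None:
        self.max_prefix = max_prefix
        self.state = "Established"
        self.accepted: Dict[str, Tuple[int, ...]] = {}

    def receive(self, prefix: str, as_path: Tuple[int, ...]) -> str:
        if self.state != "Established":
            return "dropped: session is Idle (PfxCt)"
        # Filter Default Route: sequence 10 denies 0.0.0.0/0 ...
        if ipaddress.ip_network(prefix).prefixlen == 0:
            return "denied: default route (seq 10)"
        # ... and sequence 20 permits everything else.
        self.accepted[prefix] = as_path
        # Limit Maximum Prefixes: one prefix over the limit tears the session down.
        if len(self.accepted) > self.max_prefix:
            self.state = "Idle (PfxCt)"
            self.accepted.clear()
            return "session reset: maximum-prefix exceeded"
        return "accepted (seq 20)"


def as_path_text(as_path: Tuple[int, ...]) -> str:
    """AS_PATH as the regex sees it; locally originated routes have an empty path."""
    return " ".join(str(asn) for asn in as_path)


def outbound_permitted(prefix: str, as_path: Tuple[int, ...]) -> Tuple[bool, str]:
    """Models 'Limit AS_PATH' and 'Announce Only Owned Prefixes' toward the ISP."""
    # Limit AS_PATH in Announced Prefixes: ^$ matches only an empty AS_PATH,
    # so routes learned from anyone else (transit) never leak to the ISP.
    if not AS_PATH_FILTER.match(as_path_text(as_path)):
        return False, "as-path filter: not locally originated"
    # Announce Only Owned Prefixes: a prefix-list entry without a length range
    # is an exact match, so 199.1.1.0/25 is not permitted either.
    if str(ipaddress.ip_network(prefix)) not in OWNED_PREFIXES:
        return False, "prefix-list: not the assigned prefix"
    return True, "announced to ISP"


if __name__ == "__main__":
    session = InboundSession(max_prefix=2)
    for pfx in ("0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "10.2.0.0/16"):
        print(pfx, "->", session.receive(pfx, (64500,)))
    for pfx, path in (("199.1.1.0/24", ()), ("199.1.1.0/24", (64500,)),
                      ("199.1.2.0/24", ()), ("199.1.1.0/25", ())):
        print(pfx, path, "->", outbound_permitted(pfx, path))
```

The two outbound checks overlap on purpose: the AS path filter stops the customer from becoming transit for routes it learned elsewhere, while the prefix-list stops it from originating space it was not assigned, so a typo in one is still caught by the other.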

Copyright © 2025 Psychz Networks,
A Profuse Solutions Inc Company