BGP hijacks to man-in-the-middle DNS servers
Domain redirection
Abstract
The border gateway protocol (BGP) is what holds the internet together by making data routing possible between various points on the internet. It is used to exchange routing information between and within networks on the internet with the use of special BGP routers. This routing information consists of a network path and its destination (IP prefix), and is stored in the routers' local routing tables.
Once a pair of BGP routers has been set up as peers, they implicitly trust the routes they share with each other. This implicit trust poses a problem called BGP hijacking: a malicious actor who takes control of a BGP router can simply start announcing IP prefixes they do not own. Neighbouring routers accept and propagate these announcements, which changes routing paths and redirects network traffic, possibly to infrastructure controlled by the attacker.
In 2017 there were a total of 13,935 routing incidents, consisting of both inadvertent misconfigurations and deliberate IP prefix hijacks. Over 10% (6,000) of all autonomous systems (ASes) were affected and about 5% (3,106) of all ASes were a victim at least once. Despite the numerous options that do exist for securing BGP, these numbers show that BGP hijacks are still prevalent. As such, there is a lot of room for improvement in preventing hijacks and mitigating their impact.
The aim of this research project was to provide a proof-of-concept framework to aid in performing threat intelligence. A methodology was developed in which the hijacked IP prefixes from BGP hijacks are used as a foundation to gather information about what domains lie in the scope of the impact. Features were determined and extracted from the data, to say something about what domains are more likely to have been targeted. The methodology could also be used as a framework for a real-time detection and response system, by maintaining a live dataset of the different indicators.
Reports of BGP hijacks were analyzed to identify hijacked prefixes. These were referenced against DNS servers to determine which DNS traffic was redirected. The NS records pointing at those servers were then used to identify which domains' queries were redirected. Multiple indicators were devised to flag domains that might have been redirected. These included SSL certificates, DNS records, IP prefix resolutions, as well as the hosting ASes.
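The pipeline sketched above (hijacked prefixes, then the nameservers inside them, then the domains served by those nameservers, then per-domain indicators) can be expressed in a few functions. The following is an added example written for this page, not the project's own code; all prefixes, ASNs, nameservers, domains and indicator observations are constructed from documentation and reserved ranges, and the indicator flags are assumed names for the four indicator families the abstract lists. It goes slightly beyond the text by also catching a more-specific hijack (a /25 announced inside a legitimate /24), which is the common way a hijacked route wins longest-prefix matching.

```python
import ipaddress

# Constructed sample data for this example (not from the report). ASNs and
# addresses are documentation/reserved values, not real incidents.
HIJACKED_PREFIXES = [
    ("203.0.113.0/24", 64500),       # (announced prefix, announcing origin ASN)
    ("198.51.100.128/25", 64500),    # a more-specific hijack of 198.51.100.0/24
]

# Snapshot of nameserver hostname -> addresses (constructed).
NS_ADDRESSES = {
    "ns1.example-dns.test": ["203.0.113.10"],
    "ns2.example-dns.test": ["192.0.2.10"],
    "ns1.other-dns.test":   ["198.51.100.200"],
    "ns1.unaffected.test":  ["192.0.2.53"],
}

# Domain -> NS records (constructed).
DOMAIN_NS = {
    "bank.example": ["ns1.example-dns.test", "ns2.example-dns.test"],
    "shop.example": ["ns1.other-dns.test"],
    "blog.example": ["ns1.unaffected.test"],
}

# Per-domain post-incident checks, one flag per indicator family the report
# names (assumed flag names); values here are constructed for illustration.
OBSERVATIONS = {
    "shop.example": {"new_cert_during_hijack": True,
                     "dns_records_changed": False,
                     "resolves_into_hijacked_prefix": True,
                     "hosting_asn_changed": False},
    "bank.example": {},
}


def affected_nameservers(hijacked, ns_addresses):
    """Map nameserver hostnames to (ip, prefix, origin_asn) hits whose address
    falls inside a hijacked prefix. ipaddress containment also catches
    more-specific announcements (a /25 inside a legitimate /24)."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in hijacked]
    hits = {}
    for host, ips in ns_addresses.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            for net, asn in nets:
                if addr in net:
                    hits.setdefault(host, []).append((ip, str(net), asn))
    return hits


def affected_domains(domain_ns, ns_hits):
    """Domains with at least one NS in hijacked space. Partial coverage still
    matters: resolvers spread queries over all listed nameservers."""
    out = {}
    for domain, servers in domain_ns.items():
        bad = [s for s in servers if s in ns_hits]
        if bad:
            out[domain] = {"affected_ns": bad,
                           "all_ns_affected": len(bad) == len(servers)}
    return out


INDICATOR_FLAGS = ("new_cert_during_hijack", "dns_records_changed",
                   "resolves_into_hijacked_prefix", "hosting_asn_changed")


def indicator_score(impact, obs):
    """Count how many indicators fire for one domain: full NS exposure plus the
    four indicator families (TLS certificate, DNS records, resolution into the
    hijacked prefix, hosting AS change)."""
    score = 1 if impact["all_ns_affected"] else 0
    return score + sum(1 for f in INDICATOR_FLAGS if obs.get(f))


def analyse(hijacked=HIJACKED_PREFIXES, ns_addresses=NS_ADDRESSES,
            domain_ns=DOMAIN_NS, observations=OBSERVATIONS):
    """Run the pipeline: prefixes -> nameservers -> domains -> indicator scores."""
    ns_hits = affected_nameservers(hijacked, ns_addresses)
    impact = affected_domains(domain_ns, ns_hits)
    return {d: indicator_score(i, observations.get(d, {}))
            for d, i in impact.items()}


if __name__ == "__main__":
    for domain, score in sorted(analyse().items(), key=lambda kv: -kv[1]):
        print(f"{domain}: {score} indicator(s)")
```

With the constructed data, `shop.example` scores 3 (its only nameserver sits in the more-specific hijacked /25, a certificate was issued during the incident, and it resolved into the hijacked prefix), while `bank.example` scores 0 because only one of its two nameservers was exposed and no other indicator fired. In a live setting the static dictionaries would be replaced by BGP collector feeds, passive DNS and certificate transparency lookups tracked over time.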
We believe this framework serves as a tool for threat intelligence. It uses the basic ideas of BGP hijack detection to look deeper into the impact of such incidents. Instead of only looking at the hijacked prefixes themselves, the DNS servers and domains that fall within the scope of the hijack are also considered, along with the indicators they might present. When a BGP hijack takes place, it often takes multiple hours to get resolved; only afterwards is the incident analyzed and its cause determined. One reason for this long-winded process is that usually only a relatively small part of the internet is affected, so it takes a while before anything gets noticed. This framework could also serve as the foundation of a detection and response system, so that the operators of domains likely to be targeted and redirected during such a hijack can act in time.
One important limitation of this research is the incompleteness of the available data. This could be solved by using more data sources and tracking data over time. Another issue in a real-time detection and response system would be the sparse visibility of BGP sensors. Adding other sensor networks could increase the covered surface area of the internet. Each indicator of compromise could be refined further, to better indicate malicious activity.