DEV Community

Discussion on: Cryptoheist!

Rishabh Gupta

Great article!
But I had a small question.
I understood what BGP is and how it can be hijacked, but why would an ISP route its external traffic to an untrusted advertiser? Doesn't this become an ISP issue then?

Dave Cridland

There is literally no way that an ISP could detect a BGP hijack as being anything other than a legitimate BGP route advertisement. The best one can hope for is that someone notices the discrepancy manually, and I think that's what happens in this case after a couple of hours.

The issue is twofold:

  • Firstly, validating each network advertised against the AS number it's advertised to is possible, but hard - the only way to do this would be to scan through the WHOIS database of RIPE, ARIN etc. I think - though I warn you it's been a while since I did BGP for real, so it might be slightly easier than it was. Still, you can't detect it in real time.

  • Secondly, an attacker can simply claim to have a legitimate route - in which case you're trying to guess whether AS10297 (in this case) really does have a route to Amazon, or whether it's just hijacking the traffic.

So no, this isn't something ISPs can prevent very easily at all. That said, I'm pretty sure that the IETF is working on increasing BGP security, so maybe something will come out of that.
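An added example, not code from the thread, of the validation step Dave describes: checking each announced prefix and its origin AS against a list of authorised origins. The records, prefixes and AS numbers below are constructed for illustration; a real deployment would populate them from registry data (WHOIS or RPKI ROAs) and would also need to catch more-specific announcements, which the max-length field handles.

```python
"""Route-origin validation of BGP announcements against an allow-list.

Constructed example: the records (prefix, max prefix length, authorised
origin AS) are made up; in practice they come from a registry such as
RPKI ROA data or the RIR WHOIS databases mentioned above.
"""
import ipaddress

# Constructed authorisation records: (prefix, max_len, origin_asn).
# AS64500/AS64501 are from the private-use ASN range; prefixes are TEST-NETs.
AUTHORISED = [
    ("203.0.113.0/24", 24, 64500),   # only AS64500 may announce exactly this /24
    ("198.51.100.0/22", 24, 64501),  # AS64501 may announce the /22 or anything down to a /24
]


def validate_origin(prefix, origin_asn, records=AUTHORISED):
    """Classify a (prefix, origin AS) announcement as 'valid', 'invalid' or 'unknown'.

    'valid'   : a covering record authorises this origin and the announced
                length does not exceed the record's max_len.
    'invalid' : a covering record exists but the origin AS or the length does
                not match; this is what a hijack of a registered network, or a
                more-specific hijack, looks like in the routing table.
    'unknown' : nothing covers the prefix, so no conclusion can be drawn.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for rec_prefix, max_len, asn in records:
        rec_net = ipaddress.ip_network(rec_prefix, strict=True)
        # subnet_of() only compares networks of the same IP version.
        if net.version != rec_net.version or not net.subnet_of(rec_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def flag_suspicious(announcements, records=AUTHORISED):
    """Reduce a batch of (prefix, origin_asn) updates to the ones that conflict
    with a registered origin; these are the ones worth a manual look."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, records) == "invalid"]
```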

Rishabh Gupta

Thanks for taking the time and clarifying. I'll read up more on BGP now 😋