TY - GEN
T1 - Global BGP Attacks that Evade Route Monitoring
AU - Birge-Lee, Henry
AU - Apostolaki, Maria
AU - Rexford, Jennifer
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place. In this paper, we develop a novel attack that can hide itself from all BGP monitoring systems we tested while potentially affecting the majority of the Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. While properly configured and deployed RPKI can prevent this attack and /24 prefixes are not viable targets of this attack, we examine the current route table and find that 38% of prefixes in the route table could still be targeted (see Sect. 4). We also ran experiments in four tier-1 networks and found all networks we studied could have a route installed that was hidden from global BGP monitoring. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.
KW - BGP
KW - BGP Monitoring
KW - Network Security
UR - http://www.scopus.com/inward/record.url?scp=105006431919&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=105006431919&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-85960-1_14
DO - 10.1007/978-3-031-85960-1_14
M3 - Conference contribution
AN - SCOPUS:105006431919
SN - 9783031859595
T3 - Lecture Notes in Computer Science
SP - 335
EP - 357
BT - Passive and Active Measurement - 26th International Conference, PAM 2025, Virtual event, Proceedings
A2 - Testart, Cecilia
A2 - van Rijswijk-Deij, Roland
A2 - Stiller, Burkhard
PB - Springer Science and Business Media Deutschland GmbH
T2 - 26th International Conference on Passive and Active Network Measurement, PAM 2025
Y2 - 10 March 2025 through 12 March 2025
ER -