Global BGP Attacks that Evade Route Monitoring

Henry Birge-Lee; Maria Apostolaki; Jennifer Rexford

doi:10.1007/978-3-031-85960-1_14

Global BGP Attacks that Evade Route Monitoring

Henry Birge-Lee, Maria Apostolaki, Jennifer Rexford

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place. In this paper, we develop a novel attack that can hide itself from all BGP monitoring systems we tested while potentially affecting the majority of the Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. While properly configured and deployed RPKI can prevent this attack and /24 prefixes are not viable targets of this attack, we examine the current route table and find that 38% of prefixes in the route table could still be targeted (see Sect. 4). We also ran experiments in four tier-1 networks and found all networks we studied could have a route installed that was hidden from global BGP monitoring. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Original language	English (US)
Title of host publication	Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings
Editors	Cecilia Testart, Roland van Rijswijk-Deij, Burkhard Stiller
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	335-357
Number of pages	23
ISBN (Print)	9783031859595
DOIs	https://doi.org/10.1007/978-3-031-85960-1_14
State	Published - 2025
Event	26th International Conference on Passive and Active Network Measurement, PAM 2025 - Virtual, Online Duration: Mar 10 2025 → Mar 12 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15567 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Passive and Active Network Measurement, PAM 2025
City	Virtual, Online
Period	3/10/25 → 3/12/25

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Keywords

BGP
BGP Monitoring
Network Security

Access to Document

10.1007/978-3-031-85960-1_14

Cite this

Birge-Lee, H., Apostolaki, M., & Rexford, J. (2025). Global BGP Attacks that Evade Route Monitoring. In C. Testart, R. van Rijswijk-Deij, & B. Stiller (Eds.), Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings (pp. 335-357). (Lecture Notes in Computer Science; Vol. 15567 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-85960-1_14

Birge-Lee, Henry ; Apostolaki, Maria ; Rexford, Jennifer. / Global BGP Attacks that Evade Route Monitoring. Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings. editor / Cecilia Testart ; Roland van Rijswijk-Deij ; Burkhard Stiller. Springer Science and Business Media Deutschland GmbH, 2025. pp. 335-357 (Lecture Notes in Computer Science).

@inproceedings{289cc99b1a844149b427dfd5d3b98edc,

title = "Global BGP Attacks that Evade Route Monitoring",

abstract = "As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place. In this paper, we develop a novel attack that can hide itself from all BGP monitoring systems we tested while potentially affecting the majority of the Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO\_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. While properly configured and deployed RPKI can prevent this attack and /24 prefixes are not viable targets of this attack, we examine the current route table and find that 38\% of prefixes in the route table could still be targeted (see Sect. 4). We also ran experiments in four tier-1 networks and found all networks we studied could have a route installed that was hidden from global BGP monitoring. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.",

keywords = "BGP, BGP Monitoring, Network Security",

author = "Henry Birge-Lee and Maria Apostolaki and Jennifer Rexford",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 26th International Conference on Passive and Active Network Measurement, PAM 2025 ; Conference date: 10-03-2025 Through 12-03-2025",

year = "2025",

doi = "10.1007/978-3-031-85960-1\_14",

language = "English (US)",

isbn = "9783031859595",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "335--357",

editor = "Cecilia Testart and \{van Rijswijk-Deij\}, Roland and Burkhard Stiller",

booktitle = "Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings",

address = "Germany",

}

Birge-Lee, H, Apostolaki, M & Rexford, J 2025, Global BGP Attacks that Evade Route Monitoring. in C Testart, R van Rijswijk-Deij & B Stiller (eds), Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings. Lecture Notes in Computer Science, vol. 15567 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 335-357, 26th International Conference on Passive and Active Network Measurement, PAM 2025, Virtual, Online, 3/10/25. https://doi.org/10.1007/978-3-031-85960-1_14

Global BGP Attacks that Evade Route Monitoring. / Birge-Lee, Henry; Apostolaki, Maria ; Rexford, Jennifer.
Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings. ed. / Cecilia Testart; Roland van Rijswijk-Deij; Burkhard Stiller. Springer Science and Business Media Deutschland GmbH, 2025. p. 335-357 (Lecture Notes in Computer Science; Vol. 15567 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Global BGP Attacks that Evade Route Monitoring

AU - Birge-Lee, Henry

AU - Apostolaki, Maria

AU - Rexford, Jennifer

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025

Y1 - 2025

N2 - As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place. In this paper, we develop a novel attack that can hide itself from all BGP monitoring systems we tested while potentially affecting the majority of the Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. While properly configured and deployed RPKI can prevent this attack and /24 prefixes are not viable targets of this attack, we examine the current route table and find that 38% of prefixes in the route table could still be targeted (see Sect. 4). We also ran experiments in four tier-1 networks and found all networks we studied could have a route installed that was hidden from global BGP monitoring. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

AB - As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place. In this paper, we develop a novel attack that can hide itself from all BGP monitoring systems we tested while potentially affecting the majority of the Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. While properly configured and deployed RPKI can prevent this attack and /24 prefixes are not viable targets of this attack, we examine the current route table and find that 38% of prefixes in the route table could still be targeted (see Sect. 4). We also ran experiments in four tier-1 networks and found all networks we studied could have a route installed that was hidden from global BGP monitoring. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

KW - BGP

KW - BGP Monitoring

KW - Network Security

UR - https://www.scopus.com/pages/publications/105006431919

UR - https://www.scopus.com/inward/citedby.url?scp=105006431919&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-85960-1_14

DO - 10.1007/978-3-031-85960-1_14

M3 - Conference contribution

AN - SCOPUS:105006431919

SN - 9783031859595

T3 - Lecture Notes in Computer Science

SP - 335

EP - 357

BT - Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings

A2 - Testart, Cecilia

A2 - van Rijswijk-Deij, Roland

A2 - Stiller, Burkhard

PB - Springer Science and Business Media Deutschland GmbH

T2 - 26th International Conference on Passive and Active Network Measurement, PAM 2025

Y2 - 10 March 2025 through 12 March 2025

ER -

Birge-Lee H, Apostolaki M , Rexford J. Global BGP Attacks that Evade Route Monitoring. In Testart C, van Rijswijk-Deij R, Stiller B, editors, Passive and Active Measurement - 26th International Conference, PAM 2025,Virtual event ,Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 335-357. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-85960-1_14