Standard to protect against BGP hijack attacks gets first official draft

NIST and DHS project publishes first draft of new BGP Route Origin Validation (ROV) standard that will help ISPs and cloud providers protect against BGP hijack attacks.
Written by Catalin Cimpanu, Contributor

Work that started last October on securing the protocol that binds the Internet together is finally yielding results.

This week, the National Cybersecurity Center of Excellence (NCCoE), a unit of the US National Institute of Standards and Technology (NIST), published the first draft of a guide for securing the Border Gateway Protocol (BGP): NIST Special Publication 1800-14, a practice guide that shows how to deploy route origin validation with commercially available products.

BGP is the primary protocol that internet service providers (ISPs), hosting providers, cloud providers, educational, research, and national networks use to send traffic between each other's networks, linking together the small networks that make up the bigger Internet.


The BGP protocol was designed in the 1980s, and the last major revision to the protocol was made in 1995, long before security became an issue for internet traffic.

Since then, bad actors have been abusing BGP to trick neighboring networks into sending traffic meant for other networks to the wrong place, by announcing address blocks they do not own (or more specific sub-blocks of them). Because BGP has no built-in way to check who is entitled to originate a prefix, the bogus announcement propagates, and the attacker can intercept, sniff, or modify the traffic before forwarding it to its intended destination.

Such attacks are commonly referred to as BGP hijacks, and in recent years, they have become a serious problem, being at the heart of several major security incidents.


For example, at the end of July this year, Telegram traffic from around the world took a detour through Iran, all thanks to a BGP hijack.

In April, attackers used a BGP hijack to reroute traffic meant for Amazon's Route 53 DNS service, just so they could pull off a mundane phishing attack against an Ethereum wallet site.

In December 2017, a Russian ISP BGP-hijacked web traffic meant for big-name sites belonging to Google, Facebook, Apple, and Microsoft. This came just eight months after another Russian ISP BGP-hijacked traffic for Visa, MasterCard, and Symantec.

In August 2017, a misconfigured BGP announcement on Google's part (a route leak rather than a deliberate hijack, but with the same effect on the victims) led to a country-wide outage in Japan.

These are just a fraction of the BGP hijacks reported in recent years, and there are plenty more. [1, 2, 3, 4, 5, 6]


Back in October 2017, two US government agencies, the aforementioned NIST and the Department of Homeland Security (DHS) Science and Technology Directorate, started a joint project named Secure Inter-Domain Routing (SIDR) with the explicit purpose of securing the BGP protocol from such attacks.

"The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks," the NCCoE at NIST said in a press release at the time.

"There are three essential components of the IETF SIDR effort: The first, Resource Public Key Infrastructure (RPKI), provides a way for a holder of a block of internet addresses--typically a company or cloud service provider--to stipulate which networks can announce a direct connection to their address block; the second, BGP Origin Validation, allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations. The third component, BGP Path Validation (also known as 'BGPsec'), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published."

Note: RPKI, origin validation, and BGPsec are products of the IETF's SIDR Working Group, not of NIST or DHS. The NIST and DHS project is about deploying those IETF specifications, and all three components are part of it.
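The origin-validation step described in the quote above is a small, fully specified algorithm (RFC 6811): a router compares each announcement's prefix and origin AS against the ROAs a resource holder has published in the RPKI and classifies it as Valid, Invalid, or NotFound. The following is an added example written for this article, not code from NIST, DHS, or any router vendor. The ROAs and announcements are constructed sample data using documentation prefixes (RFC 5737, RFC 3849) and documentation AS numbers (RFC 5398); the function names are the example's own.

```python
"""RFC 6811 route origin validation (ROV) against a set of RPKI ROAs.

Added example for illustration; not the NIST practice guide's code.
All ROAs and announcements below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, authorized origin AS, maxLength."""
    prefix: Network
    origin_asn: int
    max_length: int

    @classmethod
    def make(cls, prefix: str, origin_asn: int, max_length: Optional[int] = None) -> "ROA":
        net = ipaddress.ip_network(prefix, strict=True)
        # RFC 6482: an absent maxLength means "exactly this prefix length".
        if max_length is None:
            max_length = net.prefixlen
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_length} for {net}")
        return cls(net, origin_asn, max_length)

    def covers(self, route: Network) -> bool:
        # RFC 6811 "Covered": the ROA prefix contains the announced prefix.
        return route.version == self.prefix.version and route.subnet_of(self.prefix)

    def matches(self, route: Network, origin_asn: int) -> bool:
        # RFC 6811 "Matched": covered, no longer than maxLength, same origin AS.
        return (self.covers(route)
                and route.prefixlen <= self.max_length
                and self.origin_asn == origin_asn)


def origin_asn_from_path(as_path: List[int], local_asn: int) -> int:
    """Origin AS of an announcement: rightmost AS of the AS_PATH, or the local
    AS when the path is empty (RFC 6811 section 2). AS_SET and confederation
    segments are not modeled here; a plain AS_SEQUENCE is assumed."""
    return as_path[-1] if as_path else local_asn


def validate_origin(prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return "NotFound"          # no ROA speaks to this prefix at all
    if any(r.matches(route, origin_asn) for r in covering):
        return "Valid"
    # Covered but never matched: wrong origin AS, or a more-specific announced
    # beyond maxLength. A ROA for AS 0 (RFC 6483) can never match, so it makes
    # every announcement of its prefix Invalid on purpose.
    return "Invalid"


def accept_route(prefix: str, origin_asn: int, roas: List[ROA]) -> bool:
    """Common operator policy (RFC 7115): drop Invalid, keep Valid and NotFound."""
    return validate_origin(prefix, origin_asn, roas) != "Invalid"


# Constructed sample ROAs, as a resource holder would publish them in the RPKI.
SAMPLE_ROAS = [
    ROA.make("192.0.2.0/24", 64496),              # exact /24 only
    ROA.make("198.51.100.0/24", 64497, 26),       # may be split down to /26
    ROA.make("203.0.113.0/24", 0),                # AS 0: nobody may originate this
    ROA.make("2001:db8::/32", 64498, 48),
]

# Constructed sample announcements: (prefix, AS_PATH as seen by a router).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),      # legitimate origin
    ("192.0.2.0/25", [64500, 64496]),      # right AS, but more specific than allowed
    ("192.0.2.0/24", [64500, 64500]),      # hijack: wrong origin AS
    ("198.51.100.128/26", [64497]),        # within maxLength
    ("198.51.100.0/27", [64497]),          # beyond maxLength
    ("203.0.113.0/24", [64499]),           # AS 0 ROA covers it
    ("2001:db8:1::/48", [64498]),
    ("2001:db8::/33", [64499]),            # hijack of a more-specific v6 prefix
    ("100.64.0.0/10", [64496]),            # no ROA published
]


if __name__ == "__main__":
    for prefix, path in SAMPLE_ANNOUNCEMENTS:
        asn = origin_asn_from_path(path, local_asn=64511)
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        verdict = "accept" if accept_route(prefix, asn, SAMPLE_ROAS) else "drop"
        print(f"{prefix:<20} origin AS{asn:<6} {state:<9} -> {verdict}")
```

Two details matter in practice. First, NotFound is still accepted under the usual policy, so a hijack of a prefix whose holder has published no ROA is not caught; ROV only protects address space that is actually registered in the RPKI. Second, maxLength is what separates "right AS, but announcing a more-specific the holder never authorized" from a legitimate announcement, which is exactly the pattern the Route 53 hijack relied on.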


Earlier this week, the NIST and DHS teams published the first draft of NIST SP 1800-14, the practice guide for deploying BGP Route Origin Validation (ROV).

"The example implementation described in this guide aims to protect the integrity and improve the resiliency of Internet traffic exchange by verifying the source of the route," NIST said in a press release this week.

"Our standards-based example solution uses commercially available products and can be used in whole or in part. It can also be used as a reference to help an organization design its own, custom solution."


The draft is open for comments from the general public and the private sector until October 15. It is not a new protocol specification awaiting IETF approval: route origin validation itself was standardized by the IETF (the Internet Engineering Task Force, the body that publishes Internet-wide standards) in RFC 6811 back in 2013, and the NIST guide documents an example deployment of it using commercially available routers and RPKI validators.

The other two SIDR components have likewise already been published by the IETF: the RPKI architecture in RFC 6480 and BGPsec in RFC 8205 (with RFC 8210 specifying the RPKI-to-Router protocol that delivers validated ROA data to routers, and RFC 8206 covering BGPsec during AS migration).
