Types of BGP Attacks
- Denial of service. An attacker can black-hole portions of the Internet either by creating false routes or by killing valid ones.
In the case of YouTube, according to an analysis by Iljitsch van Beijnum, its legitimate prefix is 126.96.36.199/22, meaning the range of addresses from 188.8.131.52 to 184.108.40.206. Pakistan Telecom black-holed YouTube simply by injecting a route that pointed to a small portion of this address block, 220.127.116.11/24 (18.104.22.168 to 22.214.171.124) where YouTube had no hosts.
This caused much of the Internet's routing tables to hold two ways to reach YouTube—one legitimate, the other bogus. When the bogus route failed, it would seem reasonable for a router to try the other route. The problem is that today, when confronted by one route that maps to a subset of the other (a sub-prefix), most border routers are configured to choose the sub-prefix, and kill the prefix, regardless of the consequences.
As noted above, an attacker may also kill valid routes by sending forged packets.
- Sniffing. This requires control of a device along the path of the victim's communications. The attacker can achieve this by using BGP to detour traffic through a malicious network.
- Routing to endpoints in malicious networks. The first step is to hijack traffic away from a legitimate host and redirect it to a host controlled by the attacker. The next move in this game is to change these false route advertisements frequently. This makes it harder to detect phishing sites, futile to black-hole spam servers, and hampers law enforcement.
- Creation of route instabilities. On October 3, 2002, the UUNet segment of WorldCom's backbone suffered major outages. Later, analysts concluded that this was simply an episode of the unintentional routing instabilities that plague the Internet.
Because the causes remain poorly understood, they may blow back upon the attacker. This may deter cyberwarriors from triggering instabilities. But what if script kiddies ever popularize this means of having fun?
- Revelation of network topologies. Every BGP-enabled router possesses all the routing information of the Internet, knowledge useful for criminal operations and waging cyberwar. In theory, BGP keeps the policies underlying these interconnections private. However, most relationships among ASes are as peers (which exchange traffic at no charge to each other), customers, or providers. With patience, an attacker can use the routing table to unmask these relationships.
Researchers say that it's unnecessary to propagate all this data promiscuously. Unfortunately, no change in BGP to guard this information is imminent.