BGP Route Hijacking Prevention

Border Gateway Protocol (BGP) is a critical component of the Internet’s routing infrastructure, enabling communication between various Autonomous Systems (ASes) and ensuring the reliable delivery of data across the Internet. However, its design has several vulnerabilities that make it susceptible to attacks. One of the most dangerous is BGP route hijacking.

BGP route hijacking occurs when an AS maliciously advertises IP address prefixes that it does not own, causing the global routing table to route traffic through the attacker’s network. This can lead to traffic interception, man-in-the-middle attacks, data loss, or service disruptions.

We are going to look at methods and software to combat BGP route hijacking.

Here is our list of the best BGP route-hijacking software solutions:

  1. Prisma Cloud by Palo Alto Networks EDITOR’S CHOICE Comprehensive cloud security, real-time threat detection, and compliance monitoring ensuring robust protection across multi-cloud environments with advanced visibility.
  2. Cisco Crosswork Cloud BGPmon Live BGP hijacking detection and alerts, offering valuable insights for network administrators to secure routing protocols and prevent attacks.
  3. RIPE NCC Routing Information Service (RIS) Collects and archives BGP routing data, offering valuable insights for network performance analysis, anomaly detection, and global routing stability.
  4. RouteViews Collects and stores BGP data from global routers, offering network operators valuable routing information for troubleshooting, traffic analysis, and policy evaluation.
  5. Cloudflare’s BGP Monitoring Real-time alerts for BGP anomalies and route hijacks, leveraging its global infrastructure to enhance network stability and security.

Understanding BGP route hijacking

BGP is a path vector protocol that exchanges routing information between ASes. Each AS independently determines the best path for routing traffic to various destinations based on a set of policies and criteria. An AS can announce any route, regardless of whether it actually owns that prefix or has permission to advertise it.

A route hijacking attack typically follows this sequence:

  1. Malicious AS Advertises Prefixes: The attacker advertises prefixes (IP address ranges) that belong to another AS.
  2. Prefix Propagation: These malicious BGP announcements are propagated across the internet. As BGP relies on trust-based relationships, other ASes may accept these invalid route announcements without verification.
  3. Traffic Rerouting: Once the route is accepted, traffic intended for the legitimate owner of the prefix is redirected through the attacker’s network.
  4. Impact: The attacker can intercept, modify, or drop the traffic, leading to potential data breaches, denial of service (DoS), or loss of network performance.

This is the reason hijacking attacks are so effective. Malicious actors can exploit the lack of built-in security within BGP to manipulate BGP announcements. There are methods and software available to combat this security issue.

BGP Hijacking prevention methods

BGP route hijacking is a serious security risk that can lead to traffic interception, denial of service (DoS), and other malicious activities. Several methods have been developed to help prevent or mitigate BGP hijacking incidents by ensuring the authenticity of BGP route announcements.

1. Resource Public Key Infrastructure (RPKI)

RPKI employs a cryptographic framework to validate BGP route announcements, ensuring that only legitimate ASes can announce specific IP prefixes. By linking IP address blocks to a public key infrastructure, RPKI allows the use of Route Origin Authorizations (ROAs), which define which ASes are authorized to advertise specific IP address prefixes.

RPKI provides strong validation, ensuring that ownership of an IP prefix is verified before being accepted by other ASes. This process helps prevent unauthorized or malicious route advertisements.

2. Prefix filtering

With prefix filtering, routers only accept valid IP prefixes from peer ASes. This method restricts the prefixes that can be advertised. Network administrators can configure filters to block BGP updates that do not match the expected prefix ranges for each peer.

Only valid, known prefixes are propagated in the BGP routing table. This method helps prevent accidental or malicious advertisements of incorrect prefixes, although it requires careful planning and accurate configuration.

3. Route filtering

Route filtering goes beyond prefix filtering by allowing administrators to configure specific rules that define which ASes are allowed to announce certain routes. This technique enables more granular control over which routes are accepted and which are rejected.

Route filtering helps limit the potential for BGP route hijacking by controlling which peers are permitted to advertise specific routes. Routes are filtered based on origin ASes and other attributes.

4. BGP TTL Security Check (TTLSEC)

In BGP TTL Security Check (TTLSEC), incoming BGP packets have a Time-to-Live (TTL) value that corresponds to locally originated packets. If a BGP packet has a TTL value indicating that it is not locally originated, the packet is rejected.

TTLSEC prevents unauthorized BGP sessions, which could otherwise be hijacked by malicious actors attempting to inject false routing information. While effective, it may not be applicable for all scenarios, especially in larger, more complex networks.

5. BGP FlowSpec for DDoS mitigation

BGP FlowSpec allows network operators to distribute traffic filtering rules across networks via BGP. While BGP FlowSpec is primarily used for mitigating DDoS attacks, it can also play a significant role in BGP hijacking prevention.

FlowSpec will push specific traffic filtering rules to other BGP peers, blocking malicious traffic associated with a hijacked prefix. This can minimize the impact of route hijacks by preventing the attacker’s network from receiving traffic intended for other destinations.

6. BGP Route Origin Validation (ROV)

BGP Route Origin Validation (ROV) works in conjunction with RPKI and helps ensure that only legitimate BGP route announcements are accepted. ROV verifies the origin AS of a BGP route by cross-referencing the route announcement against trusted sources, such as the RPKI system.

When an AS announces a route, ROV ensures that the route matches the expected origin AS specified in the RPKI database. If a mismatch is detected, the route is rejected. This ensures that only valid routes are propagated across the internet.

BGP hijacking software solutions

In addition to the aforementioned preventive methods, several software solutions have been developed to actively monitor and protect against BGP hijacking incidents. These tools focus on detecting suspicious BGP activities, validating BGP route announcements, and providing network operators with the information necessary to respond quickly to potential threats. Below are some of the most effective BGP hijacking software solutions available.

1. Prisma Cloud by Palo Alto Networks

Prisma Cloud by Palo Alto Networks

Prisma Cloud is a comprehensive cloud-native security platform that offers a suite of tools for securing cloud infrastructures, including BGP route validation. It leverages RPKI integration to ensure that BGP route announcements are coming from trusted sources and that the advertised prefixes belong to the correct ASes.

Key Features:

  • Cloud-Native Security: Secures multi-cloud and hybrid cloud environments with visibility and control over data, applications, and workloads.
  • RPKI Integration for BGP Validation: Uses RPKI to validate BGP routes and prevent malicious BGP advertisements.
  • Real-Time BGP Monitoring and Anomaly Detection: Real-time monitoring and advanced analytics to detect BGP anomalies and hijacks.
  • Cloud Security Posture Management (CSPM): Continuously evaluates cloud infrastructure, identifying misconfigurations, compliance gaps, and security risks.
  • Automated Threat Detection: Uses machine learning to detect emerging threats like BGP hijacks, DDoS attacks, and malicious behaviors in real time.

Why do we recommend it? 

Prisma Cloud’s comprehensive cloud security and BGP monitoring capabilities, combined with RPKI integration and real-time anomaly detection, make it a reliable solution for preventing BGP hijacking and enhancing network security.

I found that Prisma Cloud monitors for BGP anomalies and provides a unified platform for managing network security. It will track BGP routing events and quickly respond to potential hijacks. The platform uses machine learning algorithms to detect and mitigate abnormal BGP behavior, adding an extra layer of security.

Who is it recommended for? 

Recommended for enterprises and cloud service providers looking for a unified security solution that integrates network routing protection with broader cloud security features in complex multi-cloud and hybrid environments.

Pros:

  • Vulnerability Management: Identifies vulnerabilities within containers, serverless functions, and virtual machines, prioritizing them for remediation.
  • Compliance Monitoring: Ensures cloud environments adhere to compliance standards like GDPR, HIPAA, and PCI-DSS.
  • Incident Response Automation: Automates responses to detected threats, including real-time mitigation for BGP hijacking or other network security issues.
  • Integration with Third-Party Tools: Creates a unified threat detection and mitigation framework by integrating with popular security and monitoring platforms.
  • Policy Enforcement and Visibility: Provides visibility into cloud infrastructure and enforces security policies to maintain a secure environment.

Cons:

  • Overhead for Smaller Environments: For smaller, simpler cloud environments, this tool’s extensive functionality may be overkill, resulting in unnecessary overhead.

2. Cisco Crosswork Cloud Network Insights (BGPmon)

Cisco Crosswork Cloud Network Insights (BGPmon)

BGPmon is now called Network Insights and is available on the Cisco Crosswork Cloud. This is a BGP monitoring and alerting tool that helps detect route hijacks and other anomalies. It monitors BGP routing data globally, identifies suspicious activities like prefix hijacks, and sends alerts to administrators when these events occur.

Key Features:

  • Global BGP Monitoring: Monitors BGP activity globally to detect potential hijacks, leaks, and anomalous behavior.
  • Real-Time Alerts: Sends immediate notifications about suspicious BGP activities, including route hijacks and prefix leaks.
  • RPKI Integration: Validates BGP routes using RPKI, ensuring that only authorized ASes announce routes to prevent malicious activities.
  • Historical Data Analysis: Stores BGP data historically for analyzing trends, past incidents, and identifying recurring issues.

Why do we recommend it? 

Cisco Crosswork Cloud Network Insights implements global BGP monitoring and real-time alerting capabilities, combined with RPKI integration, making it an excellent tool for proactively detecting BGP hijacks and route anomalies, ensuring network stability and security.

I noted that this package exploits RPKI to validate BGP announcements and ensure that only authorized routes are accepted. Administrators can define thresholds for abnormal routing behavior, ensuring that they are notified when routes deviate from normal patterns. This helps network operators detect hijacks before they cause significant damage.

Who is it recommended for? 

Ideal for network administrators and security teams looking for a specialized tool to monitor BGP routing and receive alerts about route hijacking or other anomalies to prevent disruptions.

Pros:

  • Detailed BGP Reports: Provides detailed reports of BGP updates and anomalies, helping operators understand potential threats.
  • Advanced Routing Anomaly Detection: Identifies unusual BGP events and anomalies, reducing the risk of undetected route hijacks.
  • API Integration: Allows seamless integration with other network monitoring or security systems through an API for automated responses.
  • Global Route Visibility: Offers access to routing data from different parts of the world, providing a complete view of global BGP activities.

Cons:

  • Dependency on External Data: The tool relies on external BGP data collectors, which may limit the accuracy or completeness of the information provided.

3. RIPE NCC Routing Information Service (RIS)

RIPE NCC Routing Information Service (RIS)

The RIPE NCC Routing Information Service (RIS) provides a global view of BGP activity by collecting and storing BGP routing data from numerous route collectors around the world. RIS allows network administrators to monitor BGP route propagation and detect hijacks or leaks by comparing routing data across multiple vantage points.

Key Features:

  • Global BGP Data Collection: Collects BGP data from over 200 global route collectors, providing a global perspective on BGP routing.
  • Historical BGP Data: Offers access to historical BGP data for detailed analysis of routing changes, BGP hijacking, and past incidents.
  • Route Hijack Detection: Helps identify BGP hijacks, misrouted traffic, and unauthorized route announcements.

Why do we recommend it? 

RIPE NCC’s Routing Information Service provides valuable insight into global BGP activities and historical data, helping network operators detect and analyze BGP hijacking incidents and route anomalies.

I learned that RIS provides a historical archive of BGP data, which can be invaluable for diagnosing past routing incidents and identifying patterns in BGP anomalies. It is used for analysis and reporting. RIS can also help detect and prevent BGP hijacking by identifying irregularities in routing behavior.

Who is it recommended for? 

Recommended for network researchers, administrators, and security professionals who require global BGP data to analyze routing issues, hijacking incidents, or to gain insight into routing trends for security and operational purposes.

Pros:

  • Public Access to Data: Provides free access to collected BGP data, useful for researchers and network operators.
  • Cross-Regional Data Comparison: Enables users to compare routing data across multiple regions for a better understanding of BGP activities.
  • BGP Routing Analysis: Facilitates the examination of routing policies and behavior, offering insights into routing trends and potential issues.

Cons:

  • Not a Complete Solution: While RIS provides BGP data, it doesn’t offer the full suite of features required for comprehensive security or threat mitigation.

4. RouteViews

RouteViews

RouteViews, operated by the University of Oregon, is a well-established BGP monitoring system that provides valuable data on BGP routing across the internet. Routeviews collects BGP data from more than 200 locations worldwide, enabling network operators to detect abnormal routing activities.

Key Features:

  • Real-Time BGP Monitoring: Offers up-to-the-minute updates on BGP route propagation and changes.
  • Global Data Collection: Collects BGP data from more than 200 locations globally, providing a comprehensive view of BGP behavior across the internet.
  • Historical BGP Data: Provides access to extensive historical BGP data for troubleshooting and understanding routing changes over time.

Why do we recommend it? 

RouteViews is an invaluable tool for real-time and historical BGP data collection, making it a top choice for analyzing BGP route hijacking events and monitoring network performance across global routes.

I discovered that by using RouteViews, network administrators can identify route hijacking incidents, misconfigurations, and other threats. Routeviews data allows operators to verify route propagation, track changes in routing tables, and detect unauthorized prefixes that may indicate a hijack.

Who is it recommended for? 

Ideal for network operators, engineers, and security professionals looking for free access to global BGP data for monitoring, analysis, and troubleshooting of route hijacking or routing anomalies.

Pros:

  • Prefix Hijack Detection: Helps identify unauthorized BGP prefix advertisements and route hijacking events that could disrupt network services.
  • Free Public Access: Free, publicly accessible service, allowing anyone to use the platform for BGP data collection and analysis.
  • Route Leak Detection: Detects BGP route leaks that could cause suboptimal routing, security vulnerabilities, or traffic interception.

Cons:

  • Basic User Interface: The platform’s user interface is functional but lacks the intuitiveness and design polish of more modern network monitoring tools.

5. Cloudflare’s BGP monitoring

Cloudflare’s BGP monitoring

Cloudflare offers BGP monitoring as part of its security suite, enabling real-time detection of BGP route hijacks and DDoS attacks. Cloudflare’s BGP monitoring service helps identify invalid BGP announcements and mitigates the risks posed by hijacks by continuously validating the authenticity of BGP routes.

Key Features:

  • Real-Time BGP Session Monitoring: Continuously monitors BGP sessions to detect anomalous activities or potential hijacks.
  • Integrated DDoS Mitigation: Pairs with Cloudflare’s DDoS protection services to mitigate any attacks that may target BGP sessions or related infrastructure.
  • BGP Hijack Detection: Actively monitors for BGP hijacks and malicious route advertisements, offering protection from these threats.

Why do we recommend it? 

Cloudflare’s BGP monitoring solution seamlessly integrates with its broader security services, providing robust real-time detection of BGP hijacks, traffic filtering, and DDoS mitigation to secure BGP routes effectively.

I observed that Cloudflare also provides enhanced BGP session protection and uses encryption to secure BGP sessions, reducing the risk of session hijacking. Its monitoring platform integrates seamlessly with other security tools, providing network operators with comprehensive insights into the health and integrity of their BGP routing tables.

Who is it recommended for? 

Recommended for organizations seeking integrated DDoS mitigation alongside BGP hijack detection and secure BGP session management, particularly those already using Cloudflare’s security infrastructure.

Pros:

  • BGP Session Encryption: Provides encryption for BGP sessions to safeguard against interception or tampering by unauthorized third parties.
  • Automated Incident Response: Responds automatically to BGP hijack attempts or anomalies by adjusting routing policies or blocking suspicious routes.
  • Traffic Filtering: Filters malicious traffic or attacks that may be redirected through hijacked BGP routes, ensuring high availability and security.

Cons:

  • Integration Challenges: Embedded in Cloudflare’s infrastructure, which doesn’t integrate well with the products of other brands.