From time to time, ships are blown off course, wrecked or, in the worst case, sink together with their cargo. The same can happen to the data that is sent over the Internet every day: it can deviate from its usual route and reach its destination via a long detour, but it can also end up with the wrong recipient altogether and thus be lost to the actual target – usually unintentionally, but in some cases also intentionally.
The reason for this is the insufficient security of the Border Gateway Protocol (BGP), which is responsible for navigating data packets on the Internet. Just as a compass needle can be disturbed and manipulated by a nearby magnet, the navigation data of BGP can also be influenced by intentionally or unintentionally incorrect destination information on the part of a nearby Internet Service Provider (ISP). Specifically, an ISP can use the BGP protocol to redirect certain data packets to itself, even if the actual recipient of the packets is not located in the network of this ISP. This process is known as BGP hijacking.
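The following monitoring check shows what such incorrect destination information looks like from the side of the network that owns the addresses. It is an added example, not part of the original article; the prefixes, AS numbers, function names and verdict labels are constructed for illustration, and the check assumes the operator knows which AS numbers may legitimately originate each of its prefixes.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398). Nothing here comes from a real network.
EXPECTED = {  # prefixes we originate -> AS numbers allowed to originate them
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},
}
OBSERVED = [  # (announced prefix, AS path seen by a monitor; last AS = origin)
    ("203.0.113.0/24", [64510, 64505, 64500]),
    ("203.0.113.0/24", [64510, 64511]),
    ("203.0.113.128/25", [64510, 64511]),
    ("198.51.100.0/25", [64505, 64501]),
    ("192.0.2.0/24", [64510, 64499]),
]


def classify(prefix, as_path, expected=EXPECTED):
    """Compare one observed announcement with the origins we expect."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for own_text, allowed in expected.items():
        own = ipaddress.ip_network(own_text)
        if net.version != own.version or not net.subnet_of(own):
            continue  # announcement does not cover any of our address space
        if origin not in allowed:
            # A foreign origin for our exact prefix competes with our route in
            # best-path selection; a longer (more specific) prefix is preferred
            # by longest-prefix match wherever it propagates.
            return "foreign-origin" if net == own else "foreign-more-specific"
        return "ok" if net == own else "unplanned-more-specific"
    return "not-ours"


def alerts(observed=OBSERVED, expected=EXPECTED):
    """Return (prefix, origin AS, verdict) for everything that needs review."""
    out = []
    for prefix, path in observed:
        verdict = classify(prefix, path, expected)
        if verdict not in ("ok", "not-ours"):
            out.append((prefix, path[-1], verdict))
    return out


if __name__ == "__main__":
    for prefix, origin, verdict in alerts():
        print(f"{verdict:24} {prefix:20} origin AS{origin}")
```

An "unplanned-more-specific" verdict is not necessarily hostile: it can be the operator's own traffic engineering, which is why it is reported for review rather than treated as a hijack.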
What Are the Risks?
If the misrouted data packets are not forwarded to the actual recipient by the ISP in question, BGP hijacking will result in Internet services becoming unavailable for a certain region or even worldwide. This happened, for example, in September 2020, when the ProtonMail mail service became inaccessible to 30% of the global Internet because data packets addressed to ProtonMail were mistakenly redirected via Australia’s largest ISP.
If the redirection of the data is intentional, the ISP in question can, with a bit of skill, forward it to the intended recipient without the sender or recipient knowing anything about it. Thus, if the ISP is under government control, BGP hijacking can also be used for signals intelligence (SIGINT), i.e., reconnaissance of foreign data flows. Even encrypted data can reveal useful information, such as the amount of data, the time it was sent, and the sender and recipient addresses.
How to Protect Against BGP Hijacking?
There is no complete protection against BGP hijacking without substantial changes to the current Internet. However, the following measures are recommended to reduce the likelihood and impact of an incident:
- Choosing an ISP that implements current best practices against BGP hijacking.
- End-to-end encryption of all transmitted data packets, without exception, to maintain data confidentiality and integrity.
- Use of modern and cryptographically secure encryption methods such as TLS 1.3 to make it difficult to break the encryption.
However, “data flow hijacking” can be prevented by using BGP-less Internet architectures, such as the Swiss-developed SCION, which has recently been deployed in the Secure Swiss Finance Network (SSFN).
If you need advice or assistance in protecting your data flows or network infrastructure, feel free to contact the Oneconsult team at any time.
Mathias Blarer studied Computer Science at ETH Zurich and obtained his Master’s degree on the Information Security specialization track in November 2021. In his Master’s thesis, he designed a protocol for the negotiation of trustworthy communication paths between two hosts, based on the SCION Internet architecture. During his studies, he worked for a leading Swiss web application firewall (WAF) producer, where he was in charge of their own Bug Bounty program and also fixed the reported vulnerabilities. Mathias Blarer has been working as a Penetration Tester at Oneconsult since January 2022.