BGP - a network’s lifeline, Secure it!
A few days ago, a large BGP routing leak disrupted connectivity for thousands of major networks and websites around the world.
Although the leak originated in the network of a single ISP in Asia (AS55410), its impact was felt by companies all over the world.

Image Credit: Social Microblogging site - George tweet
Although the problem lasted only about ten minutes, countless users around the world experienced Internet connectivity issues during that time.
BGP not Safe?
Before asking whether Border Gateway Protocol (BGP, the protocol that holds the Internet, an internetwork of networks, together) is safe, we need to look at what it is and at the risks that come with it.
What is BGP? BGP Hijacking & BGP Leaking
BGP
BGP, or Border Gateway Protocol, is the protocol used to exchange reachability information between networks and build a "roadmap" of the Internet. Put simply, it is what makes the modern-day Internet work.

BGP – A protocol for the Internet
Issue with BGP
On the Internet, the different nodes (autonomous systems) advertise the pool of IP (Internet Protocol) addresses they manage and the traffic they are able to route. Every such network is identified by a unique number, its Autonomous System Number (ASN), which represents that network in every announcement.
BGP is fragile: the protocol itself has no mechanism to verify that an announcement is legitimate. Without additional controls a router simply trusts what its neighbours tell it, so a route accepted by mistake can divert traffic to a third party, where it can be intercepted, or blackhole it altogether.
Hijacking of BGP
BGP route hijacking occurs when a malicious entity "falsely advertises" prefixes it does not hold to other routers. Traffic destined to your network is then rerouted to a third party and stays there, which causes trouble on the Internet: delays, traffic congestion, or total outages.

BGP Hijacking
Image Credit: DE-CIX website
In the figure above, the BGP routes are hijacked and traffic is routed towards the wrong network instead of the destination network.
BGP Leaking or BGP Route leak
In a route leak, traffic to your network is redirected along a wrong path or through a wrong network and is likely to flow inefficiently, which can increase latency and packet loss. Nevertheless, it will almost certainly still reach your network unless the detour causes serious congestion somewhere along the way.

BGP Route Leak
Image Credit: https://laptrinhx.com/
In the figure above, the route takes a longer path before reaching the destination (AS1), causing delay and service degradation.
Leaking Vs Hijacking
The main difference between the two can be summarised as follows:
In a route leak the routes propagate through the wrong ASNs or links but still end at the legitimate origin (the situations RFC 7908 describes as types 1-4). In a hijack the routes are redirected to the wrong ASN, i.e. a prefix is originated by an AS that does not hold it (closest to what RFC 7908 describes as types 5 and 6, where a prefix is re-originated or more-specifics escape; note that RFC 7908 itself files all six under "route leaks").
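The distinction above can be checked mechanically on a received AS_PATH. The following is an added example, not code from the original article: it uses a made-up topology with documentation ASNs (RFC 5398) and prefixes (RFC 5737), a plain table lookup stands in for the origin check, and the leak check replays the path against the valley-free rule (a route learnt from a provider or peer must never be re-exported to another provider or peer). The function names and the PROVIDER_OF/PEERS tables are this example's own.

```python
import ipaddress

# Constructed topology for the example (documentation ASNs, RFC 5398); not a real network.
# PROVIDER_OF maps a customer AS to the set of ASes it buys transit from; PEERS holds
# settlement-free peerings.
PROVIDER_OF = {
    64496: {64500},          # AS64496 is a customer of AS64500
    64497: {64500, 64501},   # AS64497 is multihomed to AS64500 and AS64501
    64498: {64497},          # AS64498 is a customer of AS64497
}
PEERS = {frozenset({64500, 64501})}

# Constructed record of who legitimately originates what (in practice an RPKI ROA set
# or the operator's own records would play this role).
LEGITIMATE_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64498,
}


def relationship(a, b):
    """What AS b is to AS a: 'provider', 'customer', 'peer', or None if unknown."""
    if b in PROVIDER_OF.get(a, set()):
        return "provider"
    if a in PROVIDER_OF.get(b, set()):
        return "customer"
    if frozenset({a, b}) in PEERS:
        return "peer"
    return None


def classify(prefix, as_path, my_as):
    """Classify a received announcement.

    as_path is the AS_PATH as received: nearest neighbour first, origin AS last.
    Returns ("hijack", origin_as)  if the origin is not the legitimate one,
            ("leak", leaking_as)   if the path breaks the valley-free rule,
            ("unknown", None)      if an adjacency has no known relationship,
            ("ok", None)           otherwise.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]

    # Hijack: the prefix (or a more-specific of it) is originated by the wrong AS.
    for legit_net, legit_as in LEGITIMATE_ORIGIN.items():
        if net.version == legit_net.version and net.subnet_of(legit_net):
            if origin != legit_as:
                return ("hijack", origin)

    # Leak: replay propagation from the origin towards us.  A route may travel
    # "uphill" (customer -> provider) any number of times, cross at most one
    # peering, and then only "downhill" (provider -> customer).
    hops = list(reversed(as_path)) + [my_as]
    phase = "up"
    for sender, receiver in zip(hops, hops[1:]):
        rel = relationship(sender, receiver)   # what the receiver is to the sender
        if rel is None:
            return ("unknown", None)
        if rel == "customer":                  # downhill export: always allowed
            phase = "down"
        elif phase == "down":                  # uphill or peer export after going downhill
            return ("leak", sender)
        elif rel == "peer":                    # one peering crossing allowed, then downhill only
            phase = "down"
    return ("ok", None)


if __name__ == "__main__":
    me = 64501
    print(classify("203.0.113.0/24", [64500, 64496], me))          # ('ok', None)
    print(classify("203.0.113.0/24", [64497, 64500, 64496], me))   # ('leak', 64497)
    print(classify("203.0.113.128/25", [64500, 64497], me))        # ('hijack', 64497)
```

The second call is the classic customer leak: AS64497 learnt AS64496's prefix from its provider AS64500 and re-announced it to its other provider AS64501, so the verdict names AS64497 as the leaker while the origin is still correct. The third call has the right path shape but the wrong origin, which is a hijack regardless of the path.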
Securing Network by securing BGP
Securing the network is crucial for maintaining network reliability. It is not a one-time task but an ongoing process that has to be kept up.
Some common safeguards that companies can use to protect against BGP leaks and hijacks:
Deploy RPKI
Follow MANRS religiously.
Set a max-prefix limit
Configure route filters
RPKI
Resource Public Key Infrastructure (RPKI) lets the holder of an address block cryptographically sign a Route Origin Authorization (ROA) stating which autonomous system may originate that prefix, and down to what prefix length. With 800k+ routes in the global table it is impossible to check announcements manually; instead, routers fetch the validated ROA data from an RPKI validator and compare every received route against it (Route Origin Validation), so that announcements whose origin does not match can be dropped before they enter the routing table.

RPKI – In action
Image Credit: https://blog.cloudflare.com/rpki/
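What a router actually does with the ROA data is a small, well-defined comparison (RFC 6811). The block below is an added example, not code from the original article or from any RPKI implementation: it builds a constructed set of validated ROA payloads (VRPs) using documentation prefixes and ASNs, and classifies an announcement as Valid, Invalid or NotFound, including the maxLength rule and an AS 0 ROA. The `VRP`, `rov` and `accept` names are this example's own.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload as a router receives it from its RPKI cache."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRP set; documentation prefixes/ASNs, not real RPKI data.
VRPS = [
    VRP("203.0.113.0/24", 25, 64496),   # AS64496 may announce the /24 or /25s of it
    VRP("198.51.100.0/24", 24, 0),      # AS 0 ROA: nobody may originate this prefix
]


def rov(prefix, origin_as, vrps=VRPS):
    """Route Origin Validation (RFC 6811).

    Valid    - a covering VRP has the same origin AS and the announced prefix is
               no longer than the VRP's maxLength.
    Invalid  - at least one VRP covers the prefix but none matches (e.g. wrong
               origin, a more-specific beyond maxLength, or an AS 0 ROA).
    NotFound - no VRP covers the prefix (still most of the Internet).
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # origin_as 0 can never match: AS 0 ROAs exist precisely to make routes Invalid.
        if origin_as != 0 and vrp.asn == origin_as and net.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def accept(prefix, origin_as, vrps=VRPS):
    """The policy operators deploy in practice: drop Invalid, keep Valid and NotFound.
    Rejecting NotFound would cut off every prefix whose holder has not created a ROA."""
    return rov(prefix, origin_as, vrps) != "Invalid"
```

The maxLength case is the one worth noticing: a ROA for 203.0.113.0/24 with maxLength 25 protects the /24 and the two /25s, but a /26 from the legitimate AS is still Invalid, which is why a ROA's maxLength should be no longer than what the holder really announces (a loose maxLength lets a hijacker announce a more-specific with a forged origin that validates).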
MANRS
Mutually Agreed Norms for Routing Security (MANRS) is a global initiative of network and IXP operators that defines a small set of concrete actions (filtering, anti-spoofing, coordination and global validation) to mitigate the most common threats to the Internet routing system.
It closes off the basic abuses that rely on the insecurities of BGP. ISPs, Internet exchanges, cloud service providers, content delivery providers, research and education networks, and other large networks need to implement the MANRS actions for the security of the routing system as a whole.

MANRS
Image Credit: https://www.manrs.org/
Max Prefix
A maximum-prefix limit automatically tears down a BGP session when a neighbour (typically a downstream customer) suddenly starts sending an unexpectedly large number of routes, far more than it was ever expected to announce. A leaked full table is thus cut off at the session instead of being propagated further; most routers can also log a warning once a configurable percentage of the limit is reached, before taking action.
Filters are MUST!
An autonomous system should only announce routes it legitimately holds, and filters must be built so that only legitimate routes are accepted from each neighbour (and only legitimate routes are sent to it).
Building prefix filters from the route objects registered in the IRR (whois) databases is also a good option: only prefixes registered for that neighbour are accepted. The drawback is that the filters are regenerated periodically, typically once a day, so a newly registered prefix may take up to 24 hours before it is accepted.
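The max-prefix limit and the filters described in the two sections above are applied together on every inbound session, and the order matters: the filters reject what should never be accepted, and the max-prefix limit is the backstop for a neighbour whose (loose) filters still let a flood through. The block below is an added example, not code from the original article or from any router vendor: it models one eBGP neighbour's inbound policy in Python with a constructed bogon list and a constructed per-neighbour prefix-list shaped like what an IRR tool generates (prefix plus longest accepted length). The `Session` class, its method names and the documentation prefixes are this example's own.

```python
import ipaddress

# Constructed per-neighbour prefix-list, shaped like a tool would generate from the
# customer's IRR route objects: (prefix, longest accepted length).  Documentation space only.
IRR_PREFIX_LIST = {
    64496: [("203.0.112.0/22", 24)],   # AS64496 holds the /22 and may deaggregate to /24s
}

# Constructed bogon list (a small subset of a real bogon feed): never accept these from anyone.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "192.168.0.0/16")]


def covered(net, other):
    """True if net lies inside other (same address family only)."""
    return net.version == other.version and net.subnet_of(other)


class Session:
    """Inbound policy for one eBGP neighbour: prefix filters plus a maximum-prefix backstop."""

    def __init__(self, neighbor_as, max_prefix, warn_fraction=0.8):
        self.neighbor_as = neighbor_as
        self.max_prefix = max_prefix
        self.warn_at = warn_fraction * max_prefix   # log a warning from here on
        self.rib_in = set()                          # prefixes accepted from this neighbour
        self.up = True
        self.log = []

    def permitted(self, net):
        """Filter chain; returns (accepted, reason)."""
        if any(covered(net, b) for b in BOGONS):
            return False, "bogon"
        if net.version == 4 and net.prefixlen > 24:
            return False, "more specific than /24"
        for prefix, le in IRR_PREFIX_LIST.get(self.neighbor_as, []):
            if covered(net, ipaddress.ip_network(prefix)) and net.prefixlen <= le:
                return True, "matches IRR prefix-list"
        return False, "not in neighbour's prefix-list"

    def update(self, prefix):
        """Handle one announced prefix; returns 'accepted', 'rejected' or 'shutdown'."""
        if not self.up:
            return "shutdown"
        net = ipaddress.ip_network(prefix)
        ok, reason = self.permitted(net)
        if not ok:
            self.log.append(f"reject {prefix} from AS{self.neighbor_as}: {reason}")
            return "rejected"
        self.rib_in.add(net)
        count = len(self.rib_in)
        if count > self.max_prefix:
            # Same action as a router's maximum-prefix teardown: a neighbour that
            # suddenly sends more than it should is cut off rather than propagated.
            self.up = False
            self.rib_in.clear()
            self.log.append(f"AS{self.neighbor_as} exceeded max-prefix {self.max_prefix}: session shut down")
            return "shutdown"
        if count >= self.warn_at:
            self.log.append(f"warning: AS{self.neighbor_as} at {count}/{self.max_prefix} prefixes")
        return "accepted"


def run_demo():
    """Feed a constructed sequence of announcements through the policy."""
    s = Session(64496, max_prefix=3)
    results = [s.update(p) for p in (
        "203.0.112.0/24",    # accepted
        "10.0.0.0/24",       # rejected: bogon
        "203.0.112.0/25",    # rejected: too specific
        "198.51.100.0/24",   # rejected: not the customer's registered space
        "203.0.113.0/24",    # accepted
        "203.0.114.0/24",    # accepted, warning logged (3 of 3)
        "203.0.115.0/24",    # fourth prefix: max-prefix exceeded, session shut down
    )]
    return results, s


if __name__ == "__main__":
    results, session = run_demo()
    print(results)
    print("\n".join(session.log))
```

Note that the fourth /24 is perfectly legitimate under the prefix-list; the session is still torn down because the limit of three was chosen to match what this customer normally announces. That is the intended behaviour: a customer who suddenly sends more than it ever has is far more likely to be leaking than to have grown overnight, and a limit set a little above the normal count catches that before it spreads.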
Bottom Line
Take care of your BGP configuration and it will take care of your network and protect your resources.
Complying with MANRS and leveraging RPKI are key steps towards better network security.
Article By: Bashir Ahmed Zeeshan