Border Gateway Protocol: A Decades-Old Vulnerability in Internet Traffic Routing
Erich Kron, a Security Awareness Advocate at KnowBe4, shares his commentary on border gateway protocol (BGP) and its ties to a decades-old vulnerability in Internet traffic routing. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
When the Internet was first created, the original designers had no way of knowing what it would become or how it would evolve into what we know today. Because of this massive worldwide adoption, the Internet has grown rapidly and undergone incredible transformations in a relatively short time. However, since the Internet has changed so much in so little time, it is only natural that its evolution has left some significant gaps.
The lack of built-in security for the Internet has become a significant issue. In a time of ever-increasing cyber-attacks and an expanding threat landscape, few things are more concerning than the lack of a centralized, resilient identity and access control framework. When we log onto websites, emails, or other services, we’re not actually logging on to the Internet in any meaningful way. Instead, we’re logging into dozens or hundreds of fragmented networks. That’s because there is no centralized solution to manage identity and access. Instead, we must rely on services and websites to provide this management independently. This is why we end up with so many passwords and credentials.
While this is very inconvenient for individuals, it also leaves the Internet itself with significant vulnerabilities. It is far too late to engineer and deploy the type of access security controls that could secure the Internet from the ground up. The Internet's core routing technology, Border Gateway Protocol (BGP), is a case in point: it carries a design weakness capable of bringing the Internet to its knees.
BGP works quietly in the background, exchanging reachability information among more than 74,000 Autonomous Systems (ASes). Many ASes are Internet Service Providers (ISPs), but enterprises, hosting and cloud providers, content networks and universities operate them as well; each applies its own routing policy while cooperating to keep traffic flowing. The fundamental weakness is that any AS can announce routes that:
- Stop traffic from reaching certain destinations,
- Redirect legitimate traffic to other networks,
- Affect large parts of the Internet, all without the protocol itself authenticating the announcing AS or verifying that it actually holds the address space it claims to originate.
This lack of authentication or authorization for announcing and propagating routes is a significant threat to the Internet as a whole. Whether a bad route results from an accidental typo or from a deliberate act by an attacker, the outcome is the same: neighbouring ASes accept the announcement, pass it on, and traffic follows it. It is remarkable that the Internet has functioned as long as it has with this weakness in place and with relatively few catastrophic incidents, even though route leaks and hijacks caused by misconfiguration occur regularly. When a core component of the Internet is managed by trusting that every announcement is correct and non-malicious, concern for the future is warranted.
Fortunately, technologies exist that address this problem. The most widely accepted, though still underused, is Resource Public Key Infrastructure (RPKI). Under RPKI, the holder of an address block publishes a signed Route Origin Authorization (ROA) stating which AS may originate that prefix and how specific the announced prefixes may be; routers performing Route Origin Validation (ROV) compare each received announcement against the published ROAs and can drop those whose origin AS is not authorised. It builds on the same X.509 certificate technology that underpins TLS for websites, although it signs authorizations rather than encrypting traffic. One caveat a practitioner should know: RPKI validates only the origin of a route, not the full AS path, so it stops the common hijacks and fat-finger leaks but not an attacker who forges a path ending in the legitimate origin AS. Deployment can be complex and operationally demanding, and it is neither mandated nor universal among ASes. The decentralized nature of the Internet, which is not controlled by any single entity, nation, or organization, makes it impossible to enforce adoption.
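The two mechanisms above, the more-specific hijack that plain BGP forwarding accepts and the ROA check that RPKI adds, can be seen side by side in the following added example. This is illustration code written for this article, not anything from the author, KnowBe4, or any RPKI implementation; the prefixes, AS numbers and ROA are constructed from documentation ranges and describe no real network, and the simplified forwarding model (longest-prefix match only) is an assumption that ignores the rest of BGP best-path selection.

```python
"""Added example (not code from the original article): how a more-specific
prefix hijack wins in plain BGP forwarding, and how RPKI Route Origin
Validation (RFC 6811) rejects it. All prefixes, AS numbers and ROAs below are
constructed from documentation ranges and describe no real network."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `asn` may originate any prefix inside
    `prefix` whose length is at most `max_length`."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE reduced to what ROV looks at: the prefix and the
    AS_PATH, whose last element is the origin AS."""
    prefix: str
    as_path: tuple[int, ...]

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def rov_state(ann: Announcement, roas: list[ROA]) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'.

    A ROA *covers* the announcement when the announced prefix lies inside the
    ROA prefix; it *matches* when, in addition, the origin AS agrees and the
    announced length does not exceed max_length. One match => valid; covered
    but no match => invalid; no covering ROA => not-found."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_rov(table: list[Announcement], roas: list[ROA]) -> list[Announcement]:
    """Common operator policy: drop 'invalid', keep 'valid' and 'not-found'
    (much of the address space still has no ROA, so dropping not-found would
    black-hole legitimate routes)."""
    return [a for a in table if rov_state(a, roas) != "invalid"]


def select_route(dest: str, table: list[Announcement]) -> Announcement | None:
    """Longest-prefix match, as a forwarding table does. The most specific
    covering prefix wins no matter who originated it, which is exactly why an
    unauthorised more-specific announcement captures traffic."""
    addr = ipaddress.ip_address(dest)
    best: Announcement | None = None
    best_len = -1
    for ann in table:
        net = ipaddress.ip_network(ann.prefix, strict=False)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = ann, net.prefixlen
    return best


# Constructed data. AS64496 legitimately holds 198.51.100.0/24 and has
# published a ROA for it with max_length 24 (no deaggregation allowed).
ROAS = [ROA("198.51.100.0/24", 24, 64496)]

TABLE = [
    Announcement("198.51.100.0/24", (64510, 64496)),  # legitimate route
    Announcement("198.51.100.0/25", (64511, 64497)),  # AS64497 hijacks a more-specific
    Announcement("203.0.113.0/24", (64510, 64498)),   # unrelated prefix, no ROA
]

if __name__ == "__main__":
    victim_host = "198.51.100.10"
    print("without ROV ->", select_route(victim_host, TABLE).as_path)
    print("with ROV    ->", select_route(victim_host, apply_rov(TABLE, ROAS)).as_path)
    # A legitimate but over-specific announcement is also invalid under this ROA:
    print(rov_state(Announcement("198.51.100.0/25", (64510, 64496)), ROAS))
```

Without ROV the hijacker's /25 captures traffic for the victim host purely because it is more specific; with ROV the /25 is covered by the ROA but originated by the wrong AS, so it is marked invalid and dropped, and the legitimate /24 is used. The last line shows the flip side that catches many operators: setting max_length to 24 and then announcing a /25 yourself also produces an invalid route, so ROAs must reflect the prefix lengths actually announced.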
It's important to note that, since the Internet continues to be a key aspect of government and military operations, the risk of BGP-based attacks continues to grow. This problem can no longer be ignored. ASes that have not adopted RPKI should publish ROAs for their prefixes and enable ROV on their border routers now, rather than waiting for an accidental or maliciously published route to wreak havoc on people around the globe.
The good news is that, although not required, adoption of RPKI has been increasing and will hopefully accelerate as more ASes deploy it. The problem of securing Internet routing is gaining high-level attention: in September 2024 the White House Office of the National Cyber Director published a roadmap for enhancing Internet routing security, centred on RPKI adoption. Although it may be too late to secure BGP completely, considering how long it has carried this weakness, any incremental steps forward by the government are commendable.
The next step is for organizations and vendors to implement these guidelines, or for the government to enforce best practices, at least on a national level. Hopefully, if these steps are handled correctly, Internet traffic routing will finally be more difficult to compromise within a year or two.