BGP Security Is in Black Hat's Cross Hairs

Border Gateway Protocol risks are being explored at the Black Hat USA security conference, with new tools set to debut to improve security and detection of BGP security events.



The Border Gateway Protocol (BGP) is a foundational component of the modern Internet, providing a mechanism by which carriers can share routing information for Internet traffic. As it turns out, BGP is at risk of manipulation by hackers, which is a topic that will be explored at the Black Hat USA security conference in Las Vegas this week.

Among the scheduled talks on BGP is one by OpenDNS Chief Technology Officer Dan Hubbard on Aug. 6. Hubbard's talk is titled "BGP Stream," which is the name of a new tool that he plans on publicly releasing this week.

"BGP is an old protocol, but it's a key way that we all get to where we want to go on the Internet," Hubbard told eWEEK.

OpenDNS, which itself is in the process of being acquired by Cisco Systems in a deal valued at $635 million, acquired a company called BGPmon in March. BGPmon's mission, Hubbard explained, is to monitor the Internet for BGP hijacking. BGPmon does this by placing sensors at approximately 100 strategic peering points around the world to collect BGP routing-table data. An analytics engine then compares the routing tables collected at different points to see what's going on and whether a given change represents a security risk.

With the commercial BGPmon service, OpenDNS enables an organization to monitor its own autonomous system (AS) numbers that are in BGP routing tables, providing alerts if those tables are being changed somewhere on the Internet. Hubbard said that until now, there has been no freely available central location where anyone could go to look at large-scale BGP hijacks or outages.
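The monitoring approach described above, collecting routing tables from many vantage points and comparing them against what an organization expects for its own address space, can be sketched in a few dozen lines. The following is an added illustration written for this article, not BGPmon's or OpenDNS's code; the collector names, ASNs (private-use range) and TEST-NET prefixes are constructed placeholders. It flags two classic hijack shapes: an announcement of a monitored prefix with the wrong origin AS, and a more-specific sub-prefix announced from an unexpected origin, and it records how many collectors observed each anomaly, which is what separates a localized leak from a wide-reaching event.

```python
import ipaddress
from collections import defaultdict

# Constructed: prefixes an organization owns and the AS that should originate them.
# ASNs and prefixes are illustrative placeholders, not real assignments.
MONITORED = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed route-collector observations: (collector, prefix, AS path).
# The last ASN in each path is the origin AS of the announcement.
OBSERVATIONS = [
    ("collector-a", "203.0.113.0/24", [64510, 64500]),         # normal
    ("collector-b", "203.0.113.0/24", [64520, 64510, 64500]),  # normal, longer path
    ("collector-a", "198.51.100.0/24", [64510, 64500]),        # normal
    ("collector-b", "198.51.100.0/24", [64530, 64666]),        # wrong origin AS
    ("collector-c", "198.51.100.0/24", [64530, 64666]),        # same anomaly, second vantage point
    ("collector-c", "203.0.113.0/25", [64540, 64666]),         # more-specific sub-prefix, wrong origin
    ("collector-a", "192.0.2.0/24", [64510, 64550]),           # someone else's space, ignored
]


def classify(prefix, as_path, monitored):
    """Return (kind, covering_prefix) where kind is 'ok', 'origin_mismatch',
    'more_specific', or None when the prefix is unrelated to our space."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    if prefix in monitored:
        return ("ok" if origin == monitored[prefix] else "origin_mismatch"), prefix
    for mon_prefix, mon_origin in monitored.items():
        mon_net = ipaddress.ip_network(mon_prefix)
        # subnet_of() requires both networks to be the same IP version
        if net.version == mon_net.version and net.subnet_of(mon_net):
            # a more-specific announced by the legitimate origin is traffic engineering, not a hijack
            return ("ok" if origin == mon_origin else "more_specific"), mon_prefix
    return None, None


def detect(observations, monitored):
    """Group anomalous announcements by (prefix, origin) and list the collectors that saw each."""
    seen = defaultdict(set)
    kinds = {}
    for collector, prefix, as_path in observations:
        kind, covering = classify(prefix, as_path, monitored)
        if kind in ("origin_mismatch", "more_specific"):
            key = (prefix, as_path[-1])
            seen[key].add(collector)
            kinds[key] = (kind, covering)
    alerts = []
    for (prefix, origin), collectors in sorted(seen.items()):
        kind, covering = kinds[(prefix, origin)]
        alerts.append({
            "prefix": prefix,
            "origin": origin,
            "kind": kind,
            "expected_origin": monitored[covering],
            "collectors": sorted(collectors),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVATIONS, MONITORED):
        print(f"{alert['kind']:16} {alert['prefix']:18} origin AS{alert['origin']} "
              f"(expected AS{alert['expected_origin']}) seen at {len(alert['collectors'])} collector(s)")
```

On the constructed input this produces two alerts: an origin mismatch for 198.51.100.0/24 seen from two collectors, and a more-specific 203.0.113.0/25 seen from one. A real service feeds the same logic from live BGP update streams and adds a threshold on collector count before tweeting or paging anyone.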

"So we're releasing a new service called BGP Stream which is a stream of all the big BGP table changes on the Internet, with some insight into why a given change is important," he said.

BGP Stream information will be publicly disseminated via a Twitter account (@BGPstream), which will programmatically tweet BGP changes. The tweets will include a link for more information on the given event. Hubbard added that an organization can also get access to the BGP Stream information via the Twitter API to be integrated into a dashboard.

BGP security monitoring is now a particularly interesting topic because of information contained in the recently leaked documents from Italian security firm Hacking Team, according to Hubbard.

"What Hacking Team did is they had a problem where some entity took over their IP space, which was used for their remote access Trojans," he said. "So they couldn't control their bots, so they used BGP to announce the address space back to key providers within a particular region."

The provider did not have any specific form of BGP filtering and took the routes announced by Hacking Team as being authoritative for how to get to the IP space, where the remote access Trojans were located, Hubbard said.

"So even though Hacking Team didn't have the transit rights to those IPs and the IPs were supposed to be going to another location, the Hacking Team-specified routes became the location where all the users were going," he said.

Hubbard emphasized that BGP is critically important because it can be used to manipulate entire routes, redirecting where people go on the Internet. Among the key challenges with BGP is the simple fact that it has no formalized, fully encrypted and authenticated system for verifying BGP information. In the DNS world, DNSSEC provides cryptographic integrity checking, but there isn't yet an equivalent for BGP.

"The latest version of BGP that the Internet runs on is BGP version 4, and it's over 10 years old and has changed little over the years," Hubbard said.

While there are risks, Hubbard noted that there are ways to protect against potential BGP hijacks, including filtering techniques, though in general, organizations listen to the routes that are broadcast from their upstream providers.

"There isn't a central authority for BGP information," he said. "So when an organization connects to its upstream provider, it's up to the organization to filter the information to understand who exactly the information is coming from and who is announcing the information."
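The filtering Hubbard describes is a policy applied to every route a neighbor announces before it is installed. The following is an added example written for this article, not OpenDNS's code or any vendor's router configuration; the ASNs and prefixes are constructed placeholders. It applies the checks an operator would want on an inbound session from an upstream: drop bogons, drop prefixes that are too specific, never accept your own address space from a neighbor, require the first AS in the path to be the peer you are actually talking to, and, for prefixes whose origin you know out of band, reject announcements from any other origin.

```python
import ipaddress

# Constructed policy data (placeholder values).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_ORIGINS = {"198.51.100.0/24": 64500}   # prefix -> origin AS validated out of band
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]
MAX_PREFIXLEN = 24   # most operators do not carry IPv4 routes longer than /24


def covered_by(net, candidates):
    """True when net lies inside any network in candidates (same IP version only)."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def evaluate(peer_asn, prefix, as_path):
    """Decide whether to accept an announcement received from peer_asn.
    Returns (decision, reason); checks run in order, first failure wins."""
    net = ipaddress.ip_network(prefix, strict=False)
    if covered_by(net, BOGONS):
        return "reject", "bogon"
    if net.prefixlen > MAX_PREFIXLEN:
        return "reject", "too_specific"
    if covered_by(net, OWN_PREFIXES):
        return "reject", "own_prefix"
    if not as_path or as_path[0] != peer_asn:
        return "reject", "first_hop_mismatch"
    for known_prefix, expected_origin in KNOWN_ORIGINS.items():
        known_net = ipaddress.ip_network(known_prefix)
        if net.version == known_net.version and net.subnet_of(known_net):
            if as_path[-1] != expected_origin:
                return "reject", "unexpected_origin"
            break
    return "accept", "ok"


if __name__ == "__main__":
    # Constructed announcements from hypothetical upstream AS64510.
    samples = [
        ("192.0.2.0/24", [64510, 64550]),      # ordinary transit route
        ("10.0.0.0/8", [64510, 64550]),        # private space leaked
        ("192.0.2.0/25", [64510, 64550]),      # too specific
        ("203.0.113.0/24", [64510, 64666]),    # our own prefix from a neighbor
        ("198.51.100.0/24", [64510, 64666]),   # known prefix, wrong origin
        ("192.0.2.0/24", [64520, 64550]),      # path does not start with the peer
    ]
    for prefix, path in samples:
        print(prefix, path, "->", evaluate(64510, prefix, path))
```

The order of checks matters: the cheap structural tests (bogon, length, own space) run before the per-prefix origin lookup, and "first_hop_mismatch" catches a neighbor relaying paths that do not start with its own AS, which is the simplest sanity check on who is announcing the information. Real deployments derive KNOWN_ORIGINS from IRR or RPKI data rather than a hand-written table.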

The BGP Stream information isn't just about potential security events; Hubbard said it could also be used to track potential outages on the Internet. He noted that often whenever there is an outage on the Internet, the knee-jerk reaction from the media is that something was hacked.

"Knowing that there is a security incident is important, and also knowing when something is not a security incident is equally important," Hubbard said.

While BGP Stream will be a free public service, OpenDNS is still selling the commercial BGPmon service for those looking to monitor specific systems and get a higher level of real-time detail.

"BGP Stream provides free access to large-scale events, but we only have 142 characters on Twitter, so we're somewhat limited," Hubbard said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.