BGP Hijacking Simulation
"Understanding the mechanics of Border Gateway Protocol exploitation through laboratory-controlled prefix advertisements."
BGP Hijacking Simulation
Border Gateway Protocol (BGP) is the routing protocol of the internet. It is based on trust, which makes it inherently vulnerable to "hijacking"—where an AS (Autonomous System) falsely advertises a prefix it doesn't own.
The Trust Problem
BGP was designed in an era where internet participants were few and trusted. An advertisement from a peer is generally accepted as true unless specific filters are in place.
Types of Hijacks
- Exact Prefix Match: Advertising the exact same prefix as the victim.
- Sub-Prefix Match: Advertising a more specific prefix (e.g., /24 vs /16), which takes precedence in routing decisions.
Laboratory Simulation Setup
In a controlled environment (using GNS3 or FRRouting), we can simulate a hijack.
# FRRouting configuration for the attacker
router bgp 65001
bgp router-id 10.0.0.1
address-family ipv4 unicast
network 8.8.8.0/24 # Hijacking Google's DNS prefix
exit-address-family
Propagation and Impact
Once the malicious prefix is advertised, it propagates to adjacent ASes. If the attacker has "shorter" paths or more specific routes, traffic for the hijacked prefix will flow to them.
!WARNING BGP hijacking can be used for mass traffic interception, DoS, or even "black-holing" entire countries.
Modern Defenses
RPKI (Resource Public Key Infrastructure)
RPKI allows ASes to cryptographically sign their prefix advertisements. Peers can then verify the ROA (Route Origin Authorization).
BGPsec
An extension to BGP that provides path validation, ensuring that the entire path of the advertisement is authentic.
Monitoring for Hijacks
Operators should use tools like BGPStream or Cisco's BGP Monitoring Protocol (BMP) to detect anomalous route changes in real-time.