The Border Gateway Protocol (BGP) is used to route packets across the Internet, usually at the level of the Internet backbone where Internet Service Providers (ISPs) pass traffic amongst themselves. Unfortunately, like many of the protocols used in modern networks such as the Internet, BGP was not designed with security in mind. The lack of security within BGP means that traffic is susceptible to misdirection and manipulation, whether through misconfiguration or malicious intent. Among the traffic manipulations possible within BGP routing is Autonomous System (AS) path injection, in which a new router inserts itself into the routing path of traffic. If the path injection is malicious, this can create a man-in-the-middle condition. Differentiating between a malicious incident and mere misconfiguration can be extremely challenging. Even more difficult for an affected company is conducting incident response during a BGP-related incident. This paper explores the incident response options currently available to security teams to prevent, detect, and, where possible, respond should a BGP incident arise.