Problematic protocol that directs all Web traffic finally gets attention

Security professionals have long overlooked Border Gateway Protocol, one of the most insecure parts of Internet infrastructure. But this year it was the subject of three talks at the Black Hat security conference in Las Vegas.

The Border Gateway Protocol is as important to the Internet as it is completely unrecognizable by most people that use it. But that’s starting to change.

Though most people have heard of HTML, it’s possible to use the Internet without it. Most people have never heard of BGP, but it affects all Internet traffic. And while huge movements of experts have moved to bring default security to the Web by increasing use of HTTPS encrypted communications, relatively few have campaigned for securing BGP – a protocol that’s been known to lack basic defenses since it was introduced 25 years ago.

It's even relatively anonymous in the security community. From 2007 to 2014, a total of two talks at the venerable Black Hat security conference dealt with BGP. This year's conference, which just concluded this year in Las Vegas, there were three.

"There has been a big movement around HTTPS, maybe there will be a movement around BGP next," says Wim Remes, a strategic services manager at the security firm Rapid7. He gave one of this year's BGP talks titled "Internet Plumbing for Security Professionals: The State of BGP Security." He delivered it to a packed room.

BGP is the protocol that routes traffic on the Internet. It was invented in 1989 and almost immediately outed as entirely unsecure. People have been trying to fix it since the 1990s. So far, no efforts have made a dent.

But now, with BGP increasingly being used as an attack vector, the security industry is beginning to look more seriously at how it can fix this long-ailing part of the Internet's infrastructure. 

“When we’ve been talking BGP in the past, all the events that caused damage were misconfigurations. In the past two years, it’s actually gotten malicious,” says Sharon Goldberg, an associate professor of computer science at Boston University.

In 2014, hackers used BGP to hijack a distributed Bitcoin mining operation, netting $80,000 in the process.  Even the notorious Italian spyware supplier Hacking Team, the subject of much scrutiny after its source code was leaked online, is reported to have used a BGP for digital attacks.

When the Internet was coming of age, it was often described as the "information superhighway." But it’s really more like the airways than roadways. Like air travel, Internet traffic requires multiple connections to get where it’s going, passing through a series of routers owned by corporations or countries that don’t necessarily allow direct links. BGP is the protocol that determines the best path is for data to find its destination.

With thousands of groups that have routers, getting the broad consensus needed for change is incredibly tough. Even so, many experts say that shouldn't be an excuse for not changing BGP. Currently, it has no mechanism to authenticate whether or not a router has access to a specific IP. And without authentication, it’s possible to reroute traffic to the wrong place, allowing an attacker to eliminate access to sites, or impersonate them.

BGP attacks require access to routers – it's not something angsty teenagers can do from their bedroom. But hacking threats have become better organized, and sometimes even state-sponsored, hackers are beginning to clear the very high bar for entry for this attack vector.

Even though attackers have only recently begun using BGP as a weapon, researchers have had solutions ready for nearly 20 years. "The problem is in adopting a solution," says Mr. Remes of Rapid7. “There are no incentives to adopt RPKI technology.”

The Resource Public Key Infrastructure (RPKI) is one of the most popular solutions. It allows the same organization that grants IP addresses to grant Route Origin Authorizations, which are secure certificates to authenticate proper access.

Fewer than 7 percent of websites can currently be verified with RPKI, including 3.5 percent of the Alexa top 500 sites, a ranking of the world's most popular websites. Remes estimates in a white paper that accompanied his talk that, at the current rate, it will take until 2020 for even half of IPs to be verifiable.

He hopes that, as soon as a few routers adopt RPKI, they will penalize peers who don’t with longer routing times and less access. Still, he says, it will be an even greater battle to get routers to incorporate RPKI checking services. 

“Until something is on fire, you don’t necessarily feel like you need to do anything,” says Jaeson Schultz, technical leader of Cisco’s Talos Security Intelligence and Research Group. 

Mr. Schultz is particularly excited about a major Black Hat announcement from the security network OpenDNS, which will start announcing BGP outages on Twitter (“Before us, no one announced large scale hijacks or outages,” says Dan Hubbard, chief technology officer of OpenDNS).

Schultz says he hopes the move will increase visibility of the problem, and ultimately shame those who control the backbone of the Internet into making a change. "We’re at this stage where other protocols are being worked on," Schultz says. “BGP never got the same love."