Cybercriminals and nation-states alike have increasingly abused the Internet's underlying Border Gateway Protocol (BGP) traffic-routing fabric to hijack or disrupt networks for profit or political reasons. But sifting through the millions of normal and nefarious routing changes each day on the Internet is not something that most organizations have the know-how or tools to do.
BGP experts from OpenDNS at Black Hat USA next month will launch a new free BGP security alert feed via Twitter. The so-called BGP Stream tool will tweet out alerts on suspicious BGP/Autonomous System Number (ASN) updates and changes so network owners, ISPs, and hosting providers can keep abreast of malicious network changes that could hijack or otherwise disrupt their traffic.
"[There have been] three or four huge BGP attacks" in the past couple of years, says Dan Hubbard, CTO at OpenDNS. "BGP is the new black on the attacker side of things."
The latest BGP attack came to light courtesy of the data dump of the Hacking Team hack: the controversial security firm assisted the Italian military's Special Operations Group in regaining access to a remote access tool (RAT)-infected client machine via BGP hijacking.
OpenDNS's BGPMon service this week confirmed that BGP attack, details of which were published by WikiLeaks: "This finding further confirms the use of BGP for nefarious purposes," including other incidents by spammers, said Andree Toonk, manager of network engineering at OpenDNS and founder and lead developer of BGPMon.net, in a post. "BGP hijacks can do serious harm and rapid notification of such an event is essential," says Toonk, who with Hubbard will present BGP Stream at a Black Hat talk in Las Vegas.
OpenDNS earlier this year acquired the BGPMon service, which runs a network of probes on the Net that spot BGP routing changes and issues alerts on attacks or suspicious activity. And Cisco Systems announced late last month that it plans to purchase OpenDNS for $635 million.
Hubbard says BGP Stream will issue alerts within minutes of any routing takeover or "instability" on the Net spotted by BGPMon's network of sensors. Aside from following the Twitter feed, organizations can also query the Twitter API to pull that information into their own systems. BGP Stream will publish, for example, which systems are affected, identified by ASN and name, he says.
In a typical BGP attack, the attacker essentially announces, "I own that block of IP addresses," and waits to see which networks accept the phony BGP route information, according to Hubbard. Networks that accept the malicious routing update as legitimate could then send traffic to the hijacked IP addresses, he says. "You announce an address space that's not actually yours, and make the router believe you're the best path" for data, thus hijacking it, he says.
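A minimal version of the origin check behind an alert like the ones described above, added here as an illustration (not OpenDNS or BGPMon code): it compares constructed BGP announcements against the origin ASN an operator expects for each prefix and flags both an exact-prefix origin mismatch and a more-specific announcement, which wins longest-prefix matching and is the "best path" trick Hubbard describes. All prefixes and ASNs are constructed documentation and private-use values, and the expected-origin table stands in for an operator's own records.

```python
import ipaddress

# Constructed baseline: prefixes an operator monitors and the origin ASN
# authorised to announce each (hypothetical values, not a real registry).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed sample announcements as (prefix, AS_PATH); the last ASN in
# the path is the origin claiming to own the prefix.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64520, 64500]),   # legitimate origin
    ("198.51.100.0/24", [64510, 64666]),         # foreign ASN claims the block
    ("203.0.113.128/25", [64530, 64666]),        # more-specific beats the real route
    ("192.0.2.0/24", [64510, 64540]),            # not monitored; ignored
]


def classify_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return None if the announcement matches expectations, otherwise a
    short alert string naming the prefix and the offending origin ASN."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for known, owner in expected.items():
        known_net = ipaddress.ip_network(known)
        if net == known_net:
            if origin != owner:
                return f"ORIGIN HIJACK {prefix}: origin AS{origin}, expected AS{owner}"
            return None
        # A more-specific prefix inside a monitored block is preferred by
        # longest-prefix match, so an unexpected origin here is a hijack.
        if net.version == known_net.version and net.subnet_of(known_net):
            if origin != owner:
                return (f"MORE-SPECIFIC HIJACK {prefix} within {known}: "
                        f"origin AS{origin}, expected AS{owner}")
            return None
    return None  # prefix not in the monitored set


def scan(updates, expected=EXPECTED_ORIGINS):
    """Run every announcement through the classifier and collect alerts."""
    alerts = []
    for prefix, as_path in updates:
        alert = classify_update(prefix, as_path, expected)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```

A production monitor would feed this from live route collectors and a maintained origin table (RPKI-validated where possible) rather than from a static dictionary.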
Hubbard and Toonk also plan to announce a DNS Stream monitoring feed as part of the BGP Stream tool, according to Hubbard.