RPKI: A Crucial Security Framework for BGP Routing

6 Min Read | 16 March 2023

Devastating BGP Hijacking: Hackers Take Down Amazon DNS, Steal $160K in Cryptocurrency

In April 2018, malicious hackers announced some IP prefixes belonging to Amazon Web Services. The result was that users attempting to log into a cryptocurrency site were redirected to a fake version of that site. The users entered their credentials, unknowingly depositing over $160,000 directly into the hackers’ wallets. Essentially, this incident was a BGP hijacking in which the hackers exploited BGP vulnerabilities to commit the crime.

BGP Hijacking Is the Achilles’ Heel of Internet Security

The internet is a vast network made up of many interconnected Autonomous Systems (AS). To ensure the seamless transfer of IP packets between these systems, an essential routing protocol called the Border Gateway Protocol (BGP) is used. However, cyber attackers can exploit vulnerabilities in BGP routing or compromise a BGP router to manipulate routing information, leading to a BGP hijacking attack. Such attacks can have severe consequences as attackers can redirect internet traffic to unintended destinations, intercept data, or redirect traffic to malicious sites for nefarious purposes, including DDoS attacks or phishing.

[Image: BGP]

Revamp Your Network Security: Unleash the Power of These 3 Top BGP Record Checking Tools

  • RIPEstat is a large-scale information service and the open data platform of RIPE NCC. Users can access information about BGP records such as IP address space and Autonomous System Numbers (ASNs), as well as relevant statistics on specific hostnames and countries.
  • APNIC NetOX is a set of tools designed to analyze both your network and other networks in order to resolve routing issues and make better-informed decisions. For example, you can use it to find routing information for deciding which other networks to connect to.
  • Hurricane Electric is a global Internet service provider offering internet transit, network applications and tools such as BGP record checking.

RPKI Is the Way to Secure BGP Routing

The Security Risks of BGP’s Trust-Based Protocol

The Border Gateway Protocol (BGP) was designed in 1989, when internet security was not a major focus. BGP was originally developed as a trust-based protocol without built-in security measures, requiring network operators to trust each other to secure their systems. Autonomous systems also have to trust the routes shared with them without checking whether the provided paths are safe. Together, these factors leave BGP with significant security weaknesses.

RPKI – A Stronghold Against BGP’s Vulnerabilities and Security Challenges

To prevent route hijacks and leaks within the internet’s BGP-based routing infrastructure, the Resource Public Key Infrastructure (RPKI) framework was introduced in 2012 by the Internet Engineering Task Force (IETF). RPKI is a specialized Public Key Infrastructure (PKI) framework that supports improved security for the Internet’s BGP routing infrastructure. Some routing problems of BGP, like human error and malicious attacks, could be solved well with RPKI.

  • RPKI plays a crucial role in preventing malicious attacks such as route hijacking. A route hijack is either a malicious or accidental unauthorized route origination, resulting in critical outages or fraudulent traffic manipulation. For example, during a large-scale attack reported on February 3, 2022, hackers stole approximately $1.9 million from a South Korean cryptocurrency platform KLAYswap.
  • Human error is also a significant security concern in RPKI. Over 5% of the records in RPKI repositories conflict with legitimate long-lived BGP announcements and around 30% of the records are misconfigured.

[Image: RPKI concept diagram]

The Power of RPKI: How It Secures Internet Routing

The Risk of BGP Hijacking Without RPKI

BGP serves as the bridge between autonomous systems (AS) and is responsible for selecting the most efficient path for data to travel across the internet. However, because of BGP’s reliance on routing information published by AS, there are no real safeguards in place to prevent a malicious AS from announcing a route to IP prefixes that it does not control. Specifically, a BGP hijack occurs when an AS advertises a prefix that is not its own, causing the fake AS or IP address to be treated as the real one. This can lead to data being redirected to unintended destinations, resulting in service disruption, data loss, or theft. For example, in the following diagram, hackers intercept traffic from 10.0.0.0/24 through BGP hijacking.

[Image: BGP hijacking]

RPKI Encourages the Security of BGP Routing

To address this vulnerability, the Resource Public Key Infrastructure (RPKI) was developed as a security framework for BGP routing. RPKI verifies the association between specific IP addresses or autonomous system numbers (ASNs) and the resource holders. Specifically, RPKI uses Route Origin Authorization (ROA) certificates to verify the origin of the route announcements made by the resource holders. By validating the authenticity of IP addresses and ASNs, RPKI helps to prevent BGP hijacking.

When a BGP update is received, RPKI is consulted to verify the validity of the advertised IP prefixes and ASNs. If the IP prefix or ASN does not match the information provided in the ROA certificate, RPKI will reject the update. This mechanism prevents the propagation of false routing information and helps to ensure the integrity of BGP routing. For example, in the following diagram, hackers can’t intercept traffic from 10.0.0.0/24 because of RPKI and ROA.

In summary, RPKI serves as an important security framework for BGP routing, providing an effective defense against BGP hijacking. By verifying the authenticity of IP addresses and ASNs, RPKI helps to ensure that BGP updates are legitimate and that routing information is accurate and reliable.

[Image: RPKI and ROA preventing BGP hijacking]
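The origin check described in this section, written out as a small Python example (added here, not code from the original article). It follows the three route origin validation states of RFC 6811; the ROA entries and AS numbers are constructed for illustration, reusing the 10.0.0.0/24 prefix from the text.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin AS) tuple a
    router receives from an RPKI validator after ROA signatures are checked."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: AS64500 (a documentation ASN) is assumed to be the
# legitimate holder of both prefixes.
VRPS = [
    VRP("10.0.0.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # A VRP only applies if its prefix covers the announced prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # Valid needs a matching origin AS and a prefix length within maxLength.
        # AS0 in a ROA means "never to be routed", so it never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but no match: wrong origin or too-specific prefix.
    return "invalid" if covered else "not-found"


def accept(prefix, origin_asn, vrps=VRPS):
    """Common policy: drop invalid routes, keep valid and not-found ones."""
    return validate_origin(prefix, origin_asn, vrps) != "invalid"


if __name__ == "__main__":
    for pfx, asn in [("10.0.0.0/24", 64500), ("10.0.0.0/24", 64511),
                     ("10.0.0.0/25", 64500), ("192.0.2.0/24", 64500)]:
        print(pfx, f"AS{asn}", validate_origin(pfx, asn))
```

The `not-found` case matters in practice: prefixes without any ROA are not protected by origin validation, which is why ROA coverage by resource holders is as important as validation by routers.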

Embracing RPKI: A Path to a Safer Internet

In recent years, the Resource Public Key Infrastructure (RPKI) has gained popularity due to the increasing frequency of cyberattacks targeting businesses and individuals. More and more Internet Service Providers (ISPs) and other IP resource holders are adopting RPKI to make routing more secure and prevent malicious acts. Naturally, they are the ones who contribute to mitigating route leaks and protecting end users’ data.

Some large ISPs, cloud providers, streaming services and other companies have already started actively adopting RPKI. For example, Hurricane Electric did that back in 2020. Google has even managed to register 99% of routes in the RPKI. As a result of wider RPKI adoption, RIPE NCC reported a 26% growth in RPKI certificates during 2021.

We trust that the more industry players adopt RPKI, the safer the internet will be. With a continuously growing list of companies embracing RPKI, the percentage of adoption is expected to keep climbing.

And IPv4Superhub will continue to contribute to safer network routing by widely implementing RPKI in the IP marketplace.
