Introduction

BGP hijacking involves illegally redirecting internet traffic from its intended path by manipulating the Border Gateway Protocol (BGP), which exchanges routing information between different networks. In a BGP hijacking attack, an attacker advertises false routing information to routers on the internet, causing traffic to be routed through their network. This can be done for malicious purposes, such as intercepting sensitive data or launching a denial-of-service attack. BGP hijacking can have serious consequences, as it can disrupt internet connectivity and compromise the security and privacy of user data.

BGP hijacking is an attack that undermines IP-based defense systems. When an attack occurs, all traffic directed to the hijacked destination IP is routed to an arbitrary location specified by the attacker, incapacitating all existing defense mechanisms.

This hands-on training session will use fully open-source-based intelligence and command-line analysis tools to identify and visualize BGP hijacking incidents in any network. After taking this training, trainees are supposed to carry out the BGP hijacking detection process when suspicious activity occurs.

To reduce the time wasted in environment settings, trainees are supposed to prepare notebooks with WSL/LINUX/OSX terminals and network connections.

Training Details

This training program uses real-world data that has not been artificially modified or generated. The skills acquired in this training can be immediately applied to all networks. The training provides expertise in threat modeling, visualization, and detection methods through case studies of significant historical BGP hijacking incidents.

Data Source

The data used in this course is broadly divided into two categories. To analyze BGP communications, we use archived data provided by the University of Oregon RouteViews Archive Project from 2001 to the present. We utilize data from regional Internet address registries to verify IP address variability.

Regional Internet Address Registries Data

• https://ftp.apnic.net/stats/apnic/delegated-apnic-extended-latest
• https://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-latest
• https://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
• https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest

BGP Archive Data

• http://archive.routeviews.org/bgpdata/

Tools used

• awk, bgpdump, graphviz, feedgnuplot, and other basic bash commands and shell scripts

BGP Hijacking Incidents

Following is the list of possible analysis candidates for well-known BGP hijacking incidents, which can be analyzed in this training session

Italian Hacking Team BGP Hijacking

The Italian group "Hacking Team" was implicated in a state-sponsored BGP hijacking incident. They worked with the Italian Special Operations Group to manipulate the Border Gateway Protocol (BGP) and reroute internet traffic. The release of confidential data unveiled their involvement, and the hacker "Phineas Fisher" admitted to the breach. BGP hijacking poses substantial risks to internet connectivity and the security of user data.

Amazon DNS BGP Hijacking

In 2016, Amazon DNS servers in Route53 experienced a BGP hijacking incident. Attackers manipulated the Border Gateway Protocol (BGP) to redirect traffic intended for Amazon's DNS servers.

This misdirection allowed the attackers to intercept and manipulate DNS queries, potentially redirecting users to malicious websites or intercepting sensitive information. The incident underscored the vulnerabilities in BGP and the critical need for enhanced security measures to protect internet infrastructure.

BGP Man In the Middle Attack

China Telecom has been accused of engaging in extensive BGP hijacking activities, redirecting internet traffic through its infrastructure to spy on data and disrupt global communications. This practice, "Leave No Access Point Unexploited," involves manipulating the Border Gateway Protocol (BGP) to reroute traffic from its intended path. These activities have raised significant concerns about the security and integrity of global internet traffic, highlighting vulnerabilities in the BGP system and the potential for state-sponsored cyber espionage.

Klayswap BGP Hijacking

On January 3, 2022, at 11:31 AM, there was a BGP hijacking incident at KlaySwap, a decentralized finance (DeFi) platform in South Korea that operates on the Klaytn blockchain network. The incident led to BGP hijacking attacks on two service-provider networks, resulting in approximately 2.2 billion KRW worth of virtual asset damage and nationwide service disruptions for around one hour.

Affected services included QR check-in, Kakao Map Service, and Daum portal services. This incident raised concerns about South Korea's vulnerability to BGP hijacking attacks, highlighting that South Korea is no longer a safe zone from BGP hijacking attacks.