United States authorities are starting to look at the fundamentals of how the internet is built, following a spate of attacks by threat actors that have caused large-scale disruption and monetary losses.
The latest development is the Federal Communications Commission (FCC) ,which has voted to advance a proposal to secure the crucial Border Gateway Protocol (BGP), used by network operators. The FCC wants to stipulate BGP security plans for network operators, along with reporting on how they are mitigating risk by threat actors misdirecting traffic to steal information and cause disruption.
BGP is not usually directly visible to internet users, but it's the glue holding the world's largest general purpose network together. To understand how that works, it's important to note that what we call the Internet is a collection of networks, operated by different commercial and government entities. The BGP protocol is used by the operators to decide how traffic is routed between their networks, and this is why it's so important.
Unfortunately for internet users, BGP by default assumes networks tell the truth about routing traffic and lacks validation, making it prone to accidental misconfigurations that can take many hours to resolve.
Crucially, the internet working protocol doesn't come with explicit security, which threat actors have been able to abuse causing large scale outages.
In the words of FCC chairwoman Jessica Rosenworcel, this is why it matters:
"That means we all rely on BGP. Every one of us, every day. That is true if you are running a small business and using connections to engage with customers and suppliers, banking online, having a telemedicine session with a healthcare provider, helping the kids with their digital age schoolwork, staying in touch with family, or keeping up to date on the news," Rosenworcel said.
"BGP is in the background, helping connect our critical infrastructure, support emergency services, keep the financial sector running, shore up manufacturing, and more," she added.
"You might be surprised to learn that something so critical in the modern economy has pretty humble origins. This history is why BGP is sometimes called the “three napkin protocol.” As the story goes, back in 1989, the internet, then a novelty for computer scientists like Vint Cerf, was expanding—fast."
"But the internet’s basic protocols at the time could not handle this growth. So on their lunch break from an Internet Engineering Task Force meeting in Austin, Texas, a pair of engineers sketched out the ideas for BGP on three ketchup-stained paper napkins. What was meant to be a short-term solution developed on the sidelines of an internet engineering conference is still with us today," Rosenworcel said.
The FCC has for the past few years studied BGP vulnerabilities and what can be done to shore up the security of the internet working protocol, together with the US Cybersecurity and Infrastructure Agency (CISA). The concerns arose from several high-profile BGP hijacks that resulted in traffic redirection.
The classic example is Pakistan Telecom seeking to censor YouTube within the South Asian nation's border in 2008. It did it by telling the internet to send traffic destined for YouTube to its own network, by BGP route announcements.
That move took out YouTube for almost everyone on the internet for hours, overwhelmed Pakistan Telecom's network, and secured the company a permanent spot in the Internet Hall of Fame.
More recently, in 2018, researchers at the US Naval War College and the University of Tel Aviv documented how China Telecom was capturing data traffic with BGP hijacking, using network points of presence in Europe and Asia.
Network operators have sought to address the problem with Route Origin Validation and Resource Public Key Infrastructure (ROV/RPKI), and by joining the Mutually Agreed Norms on Routing Security (MANRS) initiative. The FCC had also sought to regulate BGP, which was met by resistance from the internet industry which prefers a voluntary coordinated cooperative effort instead.
7 Comments
Good move, the Chinese have been hacking BGP for years
https://digitalcommons.usf.edu/cgi/viewcontent.cgi?article=1050&context…
Whereas the United States NSA has been doing what if not the same but at 100x scale? Two names: Edward Snowden and William Binnie. The article gives it away really, the Americans do not want other nations like Pakistan and China to be able to block US government controlled social media platforms and influence.
Spreading wild conspiracy theories isn't helpful and that is not how internet routing works. If the NSA was doing BGP hijacking at 100 times the scale, it would be extremely noticeable by everyone. Likewise, the US government doesn't control social media platforms.
Sorting out BGP in this respect would be a good move for all internet users. The first time I set up a dual ISP redundant internet solution, I got it wrong initially and basically advertised swathes of NZ routes from one ISP to the other via the customer's BGP router, so I'm well aware how easy and damaging it can be, accidentally, or with malicious intent.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.