Hijacking Border Gateway Protocol

Welcome aboard

Our information travels as much as we do. In fact, our information may travel farther than we do. While we have become familiar and proficient with airports, security, and customs, our information often travels in an environment that looks strangely out of date. Routers and switches connect to transmission pathways that may involve hard wires for part of the journey, satellites for the next leg, and fiber optic for the final arrival. Like the services humans use to determine the path we take to get to some destination, our information has a similar set of services. How those services are managed and used, however, is much less well known. While there are professionals that can go back and do detective work to find out “what happened”, there is much to be done to better protect the data sent on its way. We need to improve the security of our data, the accountability of who transports our data, and the awareness of what happens when our data goes somewhere it wasn’t supposed to. We need to educate ourselves on how to be more responsible with our information.

Please stow your carry-on luggage

In most cases, we think we only send information to a small list of people specified in the “To” line of our email program. We intend to send information to a business associate across town, or we may send information across the country. In rare cases, unless we work for a multi-national firm, our data travels outside the US. In all these instances, however, there are protocols that information must follow. Information is not meant to be read, gleaned, or used by anyone other than who we specify. Our information should be treated much like the carry-on luggage taken on trips: we prefer to control who handles it. The routers that direct the pathways our information must travel rely on rules and attributes. These identify the best and most efficient route to reach the destination. If we were to board a flight to Paris from Oklahoma City, we would never expect the flight to go through China to get to Europe. Our data, however, often finds pathways that do just that. We’ll take a look at how that is possible and why it should be a serious concern.

Take a moment to familiarize yourself

Our Internet traffic includes much more than just Amazon shopping in a Chrome browser. Last year, we sent 269 billion emails a day. The number of emails sent this year (2018) is expected to be 281 billion. The expected rate of growth is projected to be 4.4% annually for the foreseeable future [1]. All of this traffic relies heavily on Internet Service Providers (ISPs) to handle the routine work of moving our data from the departure terminal (the office) to the arrival terminal (the recipient or recipients in the “To” line). Your ISP is like an airline, and like many airlines, it needs to cooperate with other ISPs to complete a route from departure to arrival. ISPs communicate with each other to identify the reliable pathways available for our information to travel. The protocol ISPs most commonly use for this is an internetworking standard called the Border Gateway Protocol (BGP). BGP functions much like a travel agent, in that it relies on published information about available pathways in order to make connections possible. If the travel agent gets an updated list of available routes, then plans change, and new pathways are published.

[1] Source: The Radicati Group, “Email Statistics Report, 2017-2021”, January 2017, http://www.radicati.com/wp/wp-content/uploads/2017/01/Email-Statistics-Report-2017-2021-Executive-Summary.pdf.

Your portable electronic devices should be…

In some cases, those pathways are changed in ways that make no sense. Usually when that occurs, one of two things has happened: a mistake was made, or nefarious actors are at work. In 2010, a significant event occurred that today, almost a decade later, is still hard to sort out. In early April of that year, China Telecom “advertised” erroneous BGP routes to the systems used by ISP companies. This is something the general public normally doesn’t pay attention to. The US Government, however, was paying attention. For 18 minutes, almost 15% of global Internet traffic was routed through China on its way to wherever the traffic was headed. That included military, government, commercial, and medical data. The information could have included data handled on in-flight services. This was the data equivalent of hijacking a flight and forcing it to change course. Information from the US Senate, our military, NASA, and even the Secretary of Defense was rerouted through China. Investigation results revealed that US companies like IBM, Microsoft, and Dell were affected as well [2]. Why mention this nearly a decade later? It is still going on, and BGP hijacking has now become more sophisticated.

[2] Source: Dan Goodin, “Chinese ISP Hijacked US Military, gov Web Traffic”, The Register, November 17, 2010, https://www.theregister.co.uk/2010/11/17/bgp_hijacking_report/.

The Captain has turned on the fasten seatbelt sign

Just a few weeks ago (October 30, 2018), news reports about China Telecom again surfaced. The state-owned company maintains 8 points of presence in the US and 2 in Canada [3]. These physical locations function much like an airport does for human traffic: from a point of presence, information gets onto the Internet. By deliberately publishing altered routes, China Telecom leads BGP on other networks to select those routes and send information through its points of presence to China. The information continues through the China Telecom system and on to its final destination. The growing concern for IT professionals, and what should concern all of us, is what happens to the information while it is rerouted, or hijacked, through China. There is a very real risk of someone going through your information, much as someone might go through your carry-on luggage on a flight. IT professionals refer to this as a “man-in-the-middle attack”. Companies that do regular business in China, or with Chinese partners, often tell stories of attempts to copy, extract, or outright steal intellectual property. Patents and engineering data have very few protections when Chinese companies are involved. This problem has become so pervasive that our President has made it a focus of trade negotiations in the political realm.
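As an added illustration of the mechanism described above (example code written for this page, not code from the original post or from any ISP), the check below implements the route origin validation that network operators use to flag an announcement whose originating network has no authority over the prefix. It follows the valid/invalid/not-found outcomes of RFC 6811; the ROA table, AS numbers, and prefixes are constructed sample values, not real registry data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: the AS allowed to originate prefix, up to max_len bits."""
    prefix: str
    origin_as: int
    max_len: int

# Constructed sample ROAs over documentation prefixes (not real registry data).
ROAS = [
    Roa("203.0.113.0/24", 64500, 24),
    Roa("198.51.100.0/22", 64501, 23),
]

def validate_origin(prefix, as_path, roas=ROAS):
    """RFC 6811-style route origin validation.
    Returns 'valid', 'invalid' (a ROA covers the prefix but the origin AS or
    prefix length does not match: the classic hijack signature) or
    'not_found' (no ROA covers the prefix, so nothing can be concluded)."""
    net = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]  # the last AS in AS_PATH is the originating network
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid" if covered else "not_found"

def find_suspect_routes(updates):
    """Return the (prefix, as_path) announcements a route monitor should alert on."""
    return [(p, path) for p, path in updates if validate_origin(p, path) == "invalid"]

# Constructed sample announcements as (prefix, AS_PATH as seen by our router).
UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),          # legitimate origin
    ("203.0.113.0/24", [64510, 64666]),          # same prefix, foreign origin AS
    ("198.51.100.0/24", [64510, 64520, 64666]),  # more-specific prefix from foreign AS
    ("198.51.100.0/22", [64510, 64501]),         # legitimate aggregate
    ("198.51.100.0/24", [64510, 64501]),         # right AS, but longer than max_len allows
    ("192.0.2.0/24", [64510, 64530]),            # no ROA: not_found, not an alert
]
```

Calling `find_suspect_routes(UPDATES)` returns the two foreign-origin announcements and the over-long one; the uncovered 192.0.2.0/24 route is reported as not found rather than alerted on, which is why coverage of your own prefixes by ROAs matters.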

[3] Source: John E. Dunn, “China Hijacking Internet Traffic Using BGP, Claim Researchers”, Naked Security, October 30, 2018, https://nakedsecurity.sophos.com/2018/10/30/china-hijacking-internet-traffic-using-bgp-claim-researchers/.

Please return to your seats

Border Gateway Protocol came about as a response to the growing complexity of the Internet. Like many aspects of the early Internet, the focus was placed on functionality rather than security. As systems became more functional, human nature revealed the need to incorporate security into our processes. While BGP is the default standard in use by ISPs around the world, there are new calls for a replacement technology. There are possibilities, but they are much like operating your own aircraft instead of using the major airlines. In our analogy, the technical details of operating your own aircraft are detailed, extensive, and costly. The reason ISPs have risen to dominance is that they can create economies of scale and reduce the cost to the customer. The reality is, unless you have a very specific need to build your own system connecting a Wide Area Network through specialized and costly infrastructure, you will continue to use the ISP model to communicate over the Internet. There is good news, though. You can improve your routines, and your data can become a more savvy traveler.

You may now move around the cabin

By now, your business should be using a standard anti-virus program to provide a basic layer of security for inbound traffic. Think of anti-virus protection as the airport security your information must go through before boarding the flight through your ISP. Emails with attachments, Internet sites, and a host of other options can be easily scanned with continuously updated protection programs like Norton, McAfee, Malwarebytes, or others. There are free tiers, but the real protection comes with a purchased subscription. If you are not sure which program is the best fit for your business, reach out to an IT services company for help answering basic questions.

Much like checked baggage, our information needs to be secured. A lock on our data is the easiest solution. Encryption is the most reliable way to add that lock, and there is a wide array of options at different costs. Some of these encryption services are built into the programs we use, like Outlook or Protonmail. In these cases, when properly configured, it doesn’t matter how many extra miles our information travels through the Chinese telecommunications world; it will not be readable. Proper configuration includes how certificates are managed and which channels your connections require. The Transport Layer Security (TLS) protocol is increasingly becoming the cryptographic standard for end-to-end security over networks (via the ISPs).

Many browsers will now only display content over secure hypertext transfer protocol (HTTPS) addresses. This is easy to identify, because the uniform resource locator (URL) starts with the letters “https”, as in our website: https://rattanconsulting.com. This indicates that the website has a valid secure server certificate and is properly recognized as having met the requirements to provide encrypted communications to a securely identified server. A small lock icon usually accompanies the URL in the browser address bar.

Please place your seats in the full upright position

Much like the accountability we require of our public transportation systems, we need to require accountability of our information systems. In some cases, anti-virus programs can offer additional accountability services. These are somewhat limited, though, and require the user to spend time understanding and sifting through the reported data. A much better solution is to use the abilities of a managed services provider (MSP). The benefits of using an MSP are more than just cost; these professionals can provide early warning when performance begins to suffer. Strange network behavior, like hijacked BGP routes, is quickly identified by MSPs. Contingency plans are maintained and, with the consent of the customer, are quickly and efficiently activated. Should additional response become necessary, your MSP stands ready to help you transition through each stage until your network and services have been restored.

We have begun our final approach

We need to continually update our understanding of the world around us. That includes educating ourselves about responsible information handling. While some cases, like medical data, are governed by the Health Insurance Portability and Accountability Act (HIPAA) regulations, many cases are not governed. Corporate data may or may not be restricted by internal policies. Small business data is most often unrestricted by any rules. If any of our data will be stored on servers in the European Union, the General Data Protection Regulation (GDPR) applies. For law-abiding citizens, this could require some additional steps to ensure the data is being properly protected. Liability falls on both the data storage provider and the customer [4].

[4] Source: Joseph J. Lazarotti, “Does the GDPR Apply to Your US-Based Company?”, Jackson Lewis P.C., January 8, 2018, https://www.workplaceprivacyreport.com/2018/01/articles/international-2/does-the-gdpr-apply-to-your-us-based-company/.

Ladies and gentlemen, we have arrived

We travel a great deal for business, but our information travels more. In some cases, our information travels farther than we ever would. We have discussed some of the ways in which our Internet traffic can be hijacked and taken through networks that may be hostile to the security of our data. We have identified many steps and tools that the individual can take to improve the way information is communicated. Finally, we covered some professional services that can be contracted to add that world-class touch to fully protect and enable your business to fly as high as the friendly skies. We need accountability, whether that is regulatory driven, or supplemented by a managed services provider. By combining the right tools, processes, technology, and prudent decision making, we can better protect our information as it travels the world. That’s good for business.

About The Author

Christopher Watson is an Information Technology professional with success in both public and private sector businesses. Technical and business experience is complemented with operational and strategic planning, international contracting work, leadership development, and team building competency in challenging physical and political environments. Experience leverages strengths with technology services and providing timely and relevant information to senior executive leadership. Christopher is based out of the Oklahoma City office.