How to Steal the Internet in your Spare Time: Prefix Hijacking Attacks
Tuesday, April 10th, 2007. By Supranamaya Ranjan
Prefix hijacking is the Internet equivalent of identity theft. An attacker announces your block of IP addresses (your prefix) as its own, and then originates or collects traffic while pretending to be you.
An amusing, albeit catastrophic, incident of this sort happened in December 2004, when TTNet, an ISP in Turkey, accidentally announced roughly 100,000 prefixes (the Internet at the time of writing consists of roughly 250,000 prefixes) as belonging to itself. A number of ISPs took the announcement at face value, applying no filter to what a neighbor told them, and believed that sites such as the BBC, Google and others were reachable via Turkey. The result was that for almost a day the unsuspecting ISPs were unable to reach much of the Internet, arguably through no fault of their own, while TTNet was inundated with unexpected traffic. (Another example, indeed, of how the interconnected nature of Internet routing is so susceptible to chaos theory: a butterfly flapping its wings in the tropics may well trigger a series of events that culminate in an avalanche in the Arctic.)
Prefix hijacking attacks on the Internet are increasing in both frequency and complexity. Combined with other present-day attacks, prefix hijacking can prove lethal to many networks and businesses. As I will discuss in this post, these attacks can be launched with relative ease today.
To understand prefix hijacking, one must understand how traffic destined for an IP address is routed across the Internet via the Border Gateway Protocol (BGP), the primary inter-domain routing protocol of the Internet.
Blocks of IP addresses, or prefixes, are allocated by IANA to the Regional Internet Registries (RIRs): ARIN in North America, RIPE NCC in Europe, APNIC in Asia Pacific, LACNIC in Latin America and AFRINIC in Africa. The RIRs in turn allocate them to ISPs and other organizations. When it obtains a prefix, an ISP may choose to announce the prefix itself. To do so it obtains an Autonomous System (AS) number, originates its prefixes from that AS, and takes on the responsibility of exchanging routes with neighboring BGP routers so that it gains connectivity to the rest of the Internet. However, inter-domain routing is a fairly intensive task, and many ISPs delegate it to their upstream providers, typically carrier networks, which announce the customer's prefixes for it. In that case the rest of the Internet sees these prefixes as originating from the carrier's AS.
Now, this is where it becomes more complicated but much more interesting. In return, carriers typically rely on the customer ISP to ensure that the prefixes it asks the carrier to announce on its behalf really are the ones it holds. In other words, carriers turn a blind eye to whatever prefixes a customer ISP hands over for announcement. This provides fertile ground for prefix hijacking. All a hijacker has to do is break into a BGP router of a customer ISP and inject the malicious prefixes it wants announced to the Internet. Gaining access to a BGP router can be relatively easy: in several cases, ISPs have been known to leave the default management console password unchanged on their BGP routers! Alternatively, an attacker does not even need to break into a router. The attacker could simply set up as an ISP, purchase upstream access from a carrier and, voilà, inject prefixes at will.
And what could be the motives behind a prefix hijacking attack? Incidents such as TTNet portend a scary future in which an attacker injects prefix announcements duplicating those of popular web sites such as Google, Amazon, eBay and Yahoo, or of financial institutions, to redirect and hijack traffic destined for these sites. The simplest motive could be to hold these companies hostage, demanding substantial ransoms or else their customers will not be able to reach them. In addition, sensitive information carried in the hijacked traffic could be read and abused. In a distributed attack, where false prefixes are injected from many different points in the Internet, the attacker may be able to convince many more routers and ISPs that its announcements are the real ones. And since loss of traffic means loss of revenue and potential customer churn, this could be the next generation of Internet blackmail and terrorism.
Fortunately, solutions such as the NarusInsight Secure Suite (NSS) provide real-time detection and mitigation of prefix and route hijacking. NSS enables carriers and service providers to detect such anomalies as soon as they occur. The enterprises that actually own the hijacked prefixes are alerted so they can deal with the threat before damage is done.
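To make the mechanics above concrete, here is a small added example (not code from this post, nor from Narus or NSS) that models three things: how an injected announcement wins BGP route selection on a distant router, the ingress prefix filter a carrier would need in order to stop "turning a blind eye" to a customer, and the origin check a detection system performs by comparing observed origins against a registry of expected prefix-to-origin assignments. It goes slightly beyond the text in also showing a more-specific announcement (a /25 carved out of the victim's /24), which wins everywhere regardless of AS path length, alongside the same-prefix duplicate discussed above. All AS numbers (from the 64496-64511 documentation range) and prefixes (RFC 5737 TEST-NET blocks) are constructed for illustration, and the best-path logic is deliberately reduced to longest match plus shortest AS path.

```python
"""
Toy model of BGP prefix hijacking, carrier-side filtering and origin-based
detection. Added example, not the original post's or Narus' code.
ASNs 64496-64511 and the 203.0.113.0/24, 198.51.100.0/24 prefixes are
documentation ranges, constructed here purely for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # e.g. (64500, 64496); the last element is the origin AS

    @property
    def origin(self):
        return self.as_path[-1]


def best_route(rib, dest):
    """Reduced BGP best-path selection as seen from one router: longest
    prefix match first, then shortest AS path. Local-pref, MED and the
    other real tie-breakers are deliberately ignored."""
    addr = ip_address(dest)
    candidates = [r for r in rib if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, len(r.as_path)))


def filter_customer_routes(routes, allowed_blocks):
    """Ingress prefix-list a carrier should apply on a customer session:
    accept only prefixes that lie inside blocks the customer really holds.
    Everything else (including a hijacked /24 or a more-specific /25) is dropped."""
    blocks = [ip_network(b) for b in allowed_blocks]
    return [r for r in routes
            if any(ip_network(r.prefix).subnet_of(b) for b in blocks)]


def detect_hijacks(rib, expected_origins):
    """Origin validation against a registry mapping prefix -> expected origin AS.
    Flags (a) a registered prefix announced by a different origin (a MOAS
    conflict) and (b) a more-specific inside a registered prefix announced by
    a different origin (a sub-prefix hijack). Returns alert tuples of
    (kind, prefix, observed_origin, expected_origin)."""
    alerts = []
    registry = {ip_network(p): asn for p, asn in expected_origins.items()}
    for r in rib:
        net = ip_network(r.prefix)
        for reg_net, reg_origin in registry.items():
            if net == reg_net and r.origin != reg_origin:
                alerts.append(("moas", r.prefix, r.origin, reg_origin))
            elif net != reg_net and net.subnet_of(reg_net) and r.origin != reg_origin:
                alerts.append(("subprefix", r.prefix, r.origin, reg_origin))
    return alerts


# Constructed scenario: AS64496 legitimately holds 203.0.113.0/24 and reaches
# us via carrier AS64500. AS64511, a customer of carrier AS64510, injects a
# duplicate of the /24 (longer path, so it loses on a distant router) and a
# more-specific /25 (which wins everywhere, because longest match is decided
# before path length is even considered).
LEGIT = [Route("203.0.113.0/24", (64500, 64496))]
HIJACK = [Route("203.0.113.0/24", (64510, 64499, 64511)),
          Route("203.0.113.0/25", (64510, 64499, 64511))]
REGISTRY = {"203.0.113.0/24": 64496}            # what the registry says
HIJACKER_ALLOCATION = ["198.51.100.0/24"]       # what AS64511 actually holds


def demo():
    """Run the scenario with and without the carrier filter; return results."""
    unfiltered = LEGIT + HIJACK
    filtered = LEGIT + filter_customer_routes(HIJACK, HIJACKER_ALLOCATION)
    return {
        # .10 falls inside the hijacked /25, so traffic to it is stolen
        "stolen_origin": best_route(unfiltered, "203.0.113.10").origin,
        # .200 is outside the /25; the duplicate /24 loses on path length
        "untouched_origin": best_route(unfiltered, "203.0.113.200").origin,
        # with the carrier filtering its customer, nothing is stolen
        "filtered_origin": best_route(filtered, "203.0.113.10").origin,
        "alerts": detect_hijacks(unfiltered, REGISTRY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the run makes: the duplicate /24 only captures routers for which the hijacker's path is the shorter one, whereas the /25 captures every router that accepts it, which is why a registry-based check must look for sub-prefixes and not just exact-prefix origin conflicts; and the carrier-side prefix filter removes both announcements before they ever propagate, which is the mitigation the carriers described above are not applying.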