Enforcing the First AS in BGP AS_PATHs
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Enforcing the First AS in BGP AS_PATHs: A Key to Preventing Route Hijacks
Cloudflare has identified a common tactic used by attackers to hijack routes and intercept traffic. By creating fake AS_PATHs, attackers can misdirect traffic down an unexpected path and conceal their identity. To prevent these hijacks, Cloudflare recommends verifying that a BGP peer autonomous system (AS) always includes their network as the "First AS" in an advertised route.
In a recent incident, Cloudflare analyzed a route hijack involving a prefix belonging to Orange S.A. and found that the hijacker had created a fake AS_PATH that included Cloudflare's main ASN, 13335. However, upon closer inspection, it was determined that the path was forged up until the leftmost common AS, which was AS199524, a provider with a global peering presence.
Cloudflare believes that the hijacker's strategy involved the following steps:
- Originate BGP announcements for "parked" prefixes
- Forge the AS_PATH completely, without including the hijacker's own local ASN
- Advertise these routes to Gcore, AS199524
To prevent these hijacks, Cloudflare recommends implementing basic verification that a BGP peer AS always includes their network as the "First AS" in an advertised route. This can be done by stress-testing major networks and researching their BGP implementations.
Practical Implications for Developers
Developers can take the following steps to prevent route hijacks:
- Verify that a BGP peer AS always includes their network as the "First AS" in an advertised route.
- Implement basic verification checks to detect forged AS_PATHs.
- Regularly stress-test major networks and research their BGP implementations to identify potential vulnerabilities.
- Consider using tools like MRT Explorer to view BGP UPDATEs and detect potential hijacks.
By taking these steps, developers can help prevent route hijacks and ensure the security and integrity of their networks.
Want to read the full article?
Read Full Post on Cloudflare Blog