Deutsche Telekom filters out BGP hijackers
Interview with Matthias Maurer, Head of Product Management Internet & Content at Deutsche Telekom ICSS
BGP hijacking doesn’t make the news much. But because the protocol does not require routing information to be verified, it is also not easy to stop. Deutsche Telekom is one of the few telcos to implement policies that help secure the internet’s routing infrastructure. We talked to Matthias Maurer to find out just what the company is doing to stop BGP hijacking.
Q: First of all, it would be good if you could tell us in simple terms what BGP is.
A: Sure. BGP stands for Border Gateway Protocol. It determines the best routes for data to take between Autonomous Systems (AS), which are networks of routers that work together and are independently operated. Autonomous Systems are made up of a collection of IP prefixes and are given a number by the Internet Assigned Numbers Authority (IANA). For example, a primary AS number of Deutsche Telekom is AS3320. AS3320 announces hundreds of its own prefixes together with the prefixes of our customers (we count around hundreds of thousands), and within the prefixes are individual IP addresses – such as the one you or I have been given by our provider. BGP is a very important part of internet communication, so hijacking or manipulating it is a serious breach that can have wide-reaching consequences.
Q: How does someone hijack the BGP protocol and why is it dangerous?
A: It can happen like this: A criminal configures an edge router to state that it has been assigned certain prefixes – which, in the case of hijacking, is not true. However, if the prefix is unused, this manipulation may not be noticed. Or, if the route the hijacker uses seems to be shorter, traffic could be rerouted to them. If traffic goes to an organization it is not meant for, there can be a lot of damage done. These kinds of crimes are employed by organizations such as governments to, for example, obtain information they would otherwise not have access to. Or, to redirect traffic for monetary gain, like what happened in 2014 when an attack took about $83,000 worth of cryptocurrency from a Bitcoin-mining server.
Q: But if the protocol doesn’t require verification of routing information, it sounds like it can be a free-for-all for criminals. What is Deutsche Telekom doing to stop this?
A: We are making sure the routes of our customers are correctly registered and ensuring that the prefixes they announce really belong to them. In the end, we build filters from officially known information in the Internet Registries to make sure that we only accept prefixes from legitimate partners.
In addition, we have been a driving force behind the Resource Public Key Infrastructure (RPKI) framework. This assigns cryptographic resource certificates to the IP prefixes of Autonomous Systems. These are called Route Origin Authorizations (ROAs), and they contain lists of IP prefixes with their AS owners.
Q: How have your clients reacted to what sounds like a very strict policy?
A: At first there was some opposition, but as the industry began to point out the benefits for everyone, the opposition quickly ended. These days our customers understand the part they play in ensuring the BGP protocol is safe, and they see documentation as a useful obligation. Industry-wide cooperation will be the only solution for BGP hijacking.
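The ROA-based filtering described in the interview can be illustrated with a small route origin validation routine. The following is an added example, not code from Deutsche Telekom or from the interview: it implements the RFC 6811 validation states (Valid, Invalid, NotFound) over a constructed set of ROAs using documentation prefixes and private AS numbers, and applies the common operator policy of dropping Invalid routes while still accepting NotFound ones. The ROA contents, the announcements, and the `filter_announcements` policy are all assumptions made for the example.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

A ROA says: "origin AS X may announce this prefix, and any more-specific
prefix down to max_length". An announcement is checked against every ROA
that covers its prefix. This is an illustrative example, not operator code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int
    origin_as: int


def parse_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    """Build a ROA, rejecting a maxLength that makes no sense for the prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} invalid for {net}")
    return ROA(net, max_length, origin_as)


def covering_roas(roas: List[ROA], announced: Network) -> List[ROA]:
    """ROAs whose prefix covers the announced prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate_route(roas: List[ROA], prefix: str, origin_as: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for an announced (prefix, origin AS)."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, announced)
    if not covering:
        return "NotFound"          # no ROA speaks about this prefix at all
    for roa in covering:
        # Valid needs a covering ROA with a matching origin AND a prefix length
        # no longer than the ROA's maxLength (a /25 under a /24-maxLength ROA fails).
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered, but by no ROA that permits this origin/length


def filter_announcements(roas: List[ROA],
                         announcements: List[Tuple[str, int]]) -> Tuple[List[Tuple[str, int]],
                                                                        List[Tuple[str, int]]]:
    """Policy assumed here: drop Invalid, accept Valid and NotFound (a common operator choice)."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        (rejected if validate_route(roas, prefix, origin) == "Invalid" else accepted).append((prefix, origin))
    return accepted, rejected


# Constructed sample ROAs: documentation prefixes (RFC 5737 / RFC 3849) and
# private AS numbers (RFC 6996); they do not describe any real network.
SAMPLE_ROAS = [
    parse_roa("203.0.113.0/24", 24, 64500),   # exact /24 only
    parse_roa("198.51.100.0/22", 24, 64501),  # /22 and more-specifics down to /24
    parse_roa("2001:db8::/32", 48, 64500),    # IPv6, more-specifics down to /48
]

# Constructed sample announcements, including two hijack-shaped ones.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate
    ("203.0.113.0/25", 64500),   # right AS, but too specific for the ROA
    ("203.0.113.0/24", 64502),   # wrong origin AS for a covered prefix
    ("192.0.2.0/24", 64500),     # nobody has registered a ROA for this prefix
    ("2001:db8:1::/48", 64500),  # legitimate IPv6 more-specific
]

if __name__ == "__main__":
    for prefix, origin in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:20} AS{origin}: {validate_route(SAMPLE_ROAS, prefix, origin)}")
    accepted, rejected = filter_announcements(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS)
    print("dropped:", rejected)
```

Two of the five constructed announcements come back Invalid and are dropped: the wrong-origin /24 and the over-specific /25 are exactly the shapes a hijack takes, while the unregistered 192.0.2.0/24 is NotFound and passes, which is why the interview stresses getting customers to register their routes in the first place.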