BGP Security: Mitigating Route Leaks
Learn best practices to prevent BGP route leaks and hijacks from leading to disaster.
November 1, 2016
BGP route leaks and hijacks -- routing events where illegitimate prefixes are wrongly propagated through the Internet -- are notoriously difficult to troubleshoot and have the potential to make entire swaths of the Internet inaccessible. While much has been said about how network operators can detect and identify these events, there are few resources on how you can respond to leaks and hijacks to reduce the associated performance and security impacts as much as possible. However, there are a number of best practices for mitigating route leaks and hijacks affecting your prefixes.
Because BGP is founded on trust and thus insecure, it can be extremely difficult to quickly resolve a route leak affecting your network, as you’ll need to convince other networks to choose the legitimate route over the incorrect one. While you won’t have complete control in a route leak situation, you do have some options to combat ongoing route leaks. I'll examine these from roughly the fastest to slowest time to resolution.
Contact upstream ISPs
During a route leak, you’ll need to identify the upstream ISPs most likely to have propagated the bad routes. BGP monitoring is an option here.
If you spot a troubling route change with one of your upstream ISPs, the first step is to contact the ISP that accepted the bad routes and make sure they reject the bogus routes and restore service. Depending on the cause of the route leak, which is often the result of an error, it may also be effective to reach out to the originators of the illegitimate prefixes to withdraw the bad routes.
Announce preferred routes
If it’s ineffective or inefficient to reach out to the originators and propagators of a route leak, you can consider countering the illegitimate routes by announcing routes more preferable than the leaked route.
Because routers always prefer the more specific prefix, an effective way to combat route leaks affecting your prefixes is to announce prefixes more specific than those leaked. This is generally only feasible when the leaked prefix is bigger than a /24, as prefixes smaller than a /24 generally aren’t propagated among different networks.
security-1202344_640.png
And if announcing a more specific prefix is not possible, you can try shortening your routes where possible, including removing any AS path prepending from your routes. Because the preference for shorter AS paths is not as strong as the preference for more specific prefixes, this method will generally be less effective.
Change prefixes with DNS
As a last resort, consider changing your prefixes entirely by modifying your DNS records. This is only feasible if traffic can be shifted to other locations during the route leak, like alternate data centers or a CDN network. This method may need a significant amount of time to take effect, depending on the TTL value set on your original DNS records.
Publish ROAs
Finally, as a preventative measure to guard against future leaks or hijacks of your prefixes, make sure to publish Route Origin Authorizations (ROAs) in the various regional internet registries (RIRs). ROAs are records that verify a given origin autonomous system (AS) is authorized to announce its associated prefixes and the maximum prefix length that the AS can announce. Publishing these records ensures that networks using the Resource Certification (RPKI) system are able to validate the origin AS and verify that your routes are legitimate.
Due to the implicit trust built into BGP, there are admittedly few sure-fire solutions for combating ongoing route leaks affecting your prefixes. However, the best practices outlined above will go a long way toward lessening any performance impacts.
While mitigation strategies are certainly important for dealing with unfolding leaks and hijacks, what will solve this issue in the long term is the widespread adoption of best practices for securing BGP, including proper route filtering and deployment of security mechanisms like RPKI, RPSL and BGPSEC. Mitigating and preventing the propagation of illegitimate routes is a difficult and important task, and will ultimately make the internet a more secure place for everyone.
Young Xu is an analyst at ThousandEyes, where she dives into network data, reports on Internet and cloud health and investigates the causes of outages that impact critical services. Previously, she was a product manager in the consumer hardware industry and has experience in data analysis in the financial services industry. Young holds a Bachelor of Arts in economics from Yale University.
About the Author
You May Also Like