What is IP Address hijacking? Everything you need to know

What is IP Address hijacking

The illegal acquisition of IP addresses for malicious purposes, known as IP address hijacking, is a major security issue in the modern digital age. Protecting networks and online assets requires an understanding of how this threat works.

Through the illegal acquisition of IP addresses, a practice known as IP address hijacking, unauthorized actors can redirect internet traffic meant for a particular IP address range. This hostile conduct is made possible by weaknesses in the Border Gateway Protocol (BGP), which controls how internet traffic is routed among the networks that make up the internet.

What is IP Address Hijacking?

IP hijacking is a cyberattack that manipulates Border Gateway Protocol (BGP) routing tables in order to illegitimately take control of groups of IP addresses. It is also referred to as BGP hijacking, route hijacking, or prefix hijacking. It involves sending out false BGP route announcements, which cause internet traffic to travel over unintended paths that are then often used for illicit purposes.

Because BGP hijacking affects a network’s security and operation, it poses a major risk to both individual internet users and businesses. It can cause network outages, make it possible to intercept and alter sensitive data, or facilitate cryptocurrency theft. In order to maintain network integrity and secure operations, network administrators and NetOps experts need a thorough understanding of the concept, its possible effects, and the preventative measures against BGP hijacking.

What is a BGP Route?

A BGP route contains instructions on how to reach a prefix, which is a set of IP addresses. An IP address is made up of two parts: the network address (prefix) and the host address (suffix). 192.35.48.0/24 is an example of a prefix: it denotes the network address shared by the range of IP addresses from 192.35.48.0 to 192.35.48.255.

An autonomous system (AS), identified by its AS number (ASN), “originates” these prefixes as routes, indicating that its ASN is the origin (or destination) for traffic headed to IP addresses in that range. This is how an AS tells the rest of the internet how to reach the IP addresses on its network.

How does BGP work?

ASes connect to other ASes through BGP and exchange routes that they originate themselves or have learned from neighboring ASes. An AS’s routers use all of the BGP routes they have learned from neighboring ASes to gradually build a routing table. These routing tables tell the routers where to send traffic, based on which BGP routes match the destination IP addresses in the packets that the AS’s border routers need to forward.

Because every AS naturally trusts the information provided by its neighboring ASes, BGP is sometimes called a “route by rumor” protocol. This inherent trust is the root of its security problems.

ASes notify adjacent routers of changes. BGP is also a “route by exception” protocol, which means that it sends no messages (apart from keepalives) if nothing changes. If the origin withdraws a BGP route, neighboring ASes receive withdrawal messages. If an AS discovers that the AS_PATH of a BGP route has changed, it notifies neighboring ASes with announcement messages. It is sometimes helpful to remember that BGP messages flow in one direction while the traffic they steer flows in the opposite direction.

BGP defines a selection process that each AS follows to choose the best route when it holds several paths to the same IP address space. Among other things, that process takes into account the AS path length and a local weighting factor known as LOCAL_PREF.

How can BGP be hijacked?

If an AS announces a route to IP prefixes that it does not actually control, and its neighbors do not filter those announcements, they can propagate and be added to the routing tables of BGP routers throughout the internet. Traffic to those IPs will then be routed to that AS until someone notices and corrects the routes. It is the equivalent of seizing land in a place where no local authority verifies and enforces property deeds.

BGP always prefers the most specific, and then the shortest, route to the target IP address. For a BGP hijack to succeed, the false route announcement needs to either:

1) Announce a narrower range of IP addresses than other ASes had previously announced, providing a more specific route.

2) Offer a shorter path to the IP address blocks in question.

Furthermore, not just anyone can announce BGP routes to the wider internet. For a BGP hijack to take place, the announcement must be made by the operator of an AS or, in the rarer scenario, by a threat actor who has compromised an AS.
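As an added illustration of the two conditions above (and of the prefix/range idea from the BGP route section), not code from the original article: a small model of BGP best-path selection, using constructed routes for the page’s example prefix 192.35.48.0/24 and hypothetical ASNs from the 64496-64511 documentation range. It shows why a more specific or shorter-path announcement captures traffic, and why raising LOCAL_PREF on the legitimate route only helps against the same-prefix case.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    """One BGP route as a router sees it: prefix, the AS_PATH it arrived with, LOCAL_PREF."""
    prefix: str                 # e.g. "192.35.48.0/24"
    as_path: tuple[int, ...]    # AS_PATH; the last element is the origin AS
    local_pref: int = 100       # local weighting, higher is preferred

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def best_route(table: list[BgpRoute], dest_ip: str) -> BgpRoute | None:
    """Simplified best-path selection: longest prefix match first, then highest
    LOCAL_PREF, then shortest AS_PATH (real BGP has further tie-breakers)."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          r.local_pref, -len(r.as_path)))


def origin_for(table: list[BgpRoute], dest_ip: str) -> int | None:
    """Which AS ends up receiving traffic for dest_ip under the given routing table."""
    route = best_route(table, dest_ip)
    return None if route is None else route.origin_as


# Constructed scenario (hypothetical ASNs). AS 64500 legitimately originates the
# page's example prefix and is reached through two intermediate ASes.
LEGIT = BgpRoute("192.35.48.0/24", (64496, 64497, 64500))
# Condition 1: an announcement for a narrower range (/25) covering half the block.
MORE_SPECIFIC = BgpRoute("192.35.48.0/25", (64496, 64511))
# Condition 2: the same /24 announced with a shorter AS_PATH.
SHORTER_PATH = BgpRoute("192.35.48.0/24", (64496, 64511))
# Defensive knob on the receiving router: prefer the legitimate route via LOCAL_PREF.
LEGIT_PREFERRED = BgpRoute("192.35.48.0/24", (64496, 64497, 64500), local_pref=200)

if __name__ == "__main__":
    print(origin_for([LEGIT], "192.35.48.10"))                          # 64500
    print(origin_for([LEGIT, MORE_SPECIFIC], "192.35.48.10"))           # 64511: /25 wins
    print(origin_for([LEGIT, MORE_SPECIFIC], "192.35.48.200"))          # 64500: outside the /25
    print(origin_for([LEGIT, SHORTER_PATH], "192.35.48.10"))            # 64511: shorter path
    print(origin_for([LEGIT_PREFERRED, SHORTER_PATH], "192.35.48.10"))  # 64500: LOCAL_PREF wins
```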

What happens when BGP is hijacked?

BGP hijacking can cause internet traffic to be ‘black holed,’ routed to fake websites as part of an on-path attack, or simply diverted in the wrong direction. Spammers can also use BGP hijacking, or the network of an AS that engages in it, to spoof legitimate IP addresses for spamming. Because requests and responses no longer take the most efficient network path, and may even travel around the globe, page load times increase for users.

In the best case, traffic simply travels a longer route than necessary, adding latency. In the worst case, an attacker may be stealing credentials by sending users to phony websites, or performing an on-path attack.

Attempts to improve BGP security

Long after BGP had been developed and deployed, the networking community created Internet Routing Registries (IRRs) so that ASes could publish details of how other ASes should expect to see their routes in BGP. Today, many transit providers use IRR-based route filters to reject potentially incorrect BGP routes. However, the quality of the data in different IRRs varies, and entries can even conflict with one another.

In recent years, newer security measures such as Peerlock and RPKI ROV have been developed and deployed, and they help to lessen the harm caused by BGP hijacks that result from errors and BGP leaks.

Examples of IP Hijacking

The incident in February 2008 involving YouTube and PTCL, the Pakistani state telecom, is arguably the most well-known BGP hijack. It began when a video that the Pakistani government considered anti-Islamic triggered an order to block YouTube access nationwide.

To implement the ban, PTCL announced more specific BGP routes for YouTube’s prefixes in order to intentionally divert traffic from Pakistan to the video-streaming site. Having hijacked those routes, PTCL intended to blackhole the traffic so that Pakistanis could not reach YouTube. Things took a turn for the worse when PTCL passed these routes on to its international transit providers, which carried them around the world and cut off YouTube for a sizable portion of the internet.

More recently, cybercriminals have found cryptocurrency services to be a profitable target, and BGP hijacks have played a crucial role in complex attacks against them. In August 2022 the cryptocurrency service Celer Bridge was targeted by a BGP hijack that used forged BGP announcements and false records in AltDB, a free alternative to the IRR databases.

By covertly changing the contents of AltDB, the attacker tricked a transit provider into believing that a small hosting center in the UK was authorized to transit address space belonging to Amazon Web Services, which hosted the Celer Bridge infrastructure.

How to detect and mitigate IP hijacks

Networks can take a number of steps to help improve the internet’s overall “routing hygiene.” The following are some measures that network managers should consider:

  • Use a BGP monitoring service so that you receive immediate alerts when something goes wrong with the BGP routes your network depends on.
  • Create Route Origin Authorizations (ROAs) for your IP space in the Resource Public Key Infrastructure (RPKI) so that other networks can recognize and filter BGP announcements with the wrong origin.
  • Implement RPKI Route Origin Validation (ROV) on border routers to reject BGP announcements that are RPKI-invalid. This prevents your egress traffic from being diverted.
  • Keep the route, as-set, and aut-num objects for your IP space accurate in the relevant Internet Routing Registry (IRR). This enables IRR-based route filtering by networks that have not deployed RPKI.
  • Implement filtering based on IRR data. Although IRR-based filtering is more widely used and has been around longer than RPKI, it is still considered a good filtering mechanism.
  • Consider contributing BGP data to Route Views or RIPE RIS. These open BGP repositories let researchers build more effective routing security solutions.
  • Make sure your organization’s operational plans and procedures address routing security.
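As an added example of how the ROA and ROV items in this list fit together (not code from the original article or from any router vendor): the origin-validation logic of RFC 6811 written out in Python and run against constructed ROAs for the page’s example prefix, with hypothetical ASNs from the 64496-64511 documentation range. It also shows an AS0 ROA, which marks a prefix that no AS is permitted to announce.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: origin_as may announce prefix and any sub-prefix
    down to max_length bits. origin_as 0 (an 'AS0 ROA') authorizes no one at all."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(roas: list[Roa], announced_prefix: str, origin_as: int) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    ann = ipaddress.ip_network(announced_prefix)
    # A ROA "covers" the announcement when the ROA prefix contains the announced prefix.
    covering = [
        roa for roa in roas
        if ipaddress.ip_network(roa.prefix).version == ann.version
        and ann.subnet_of(ipaddress.ip_network(roa.prefix))
    ]
    if not covering:
        return "notfound"   # no ROA covers it, so ROV cannot judge the announcement
    for roa in covering:
        if roa.origin_as == origin_as and ann.prefixlen <= roa.max_length:
            return "valid"  # at least one covering ROA matches origin and length
    return "invalid"        # covered, but wrong origin AS or more specific than allowed


def accept_announcement(roas: list[Roa], prefix: str, origin_as: int) -> bool:
    """Router policy from the list above: drop RPKI-invalid routes, keep valid and notfound."""
    return rov_state(roas, prefix, origin_as) != "invalid"


# Constructed ROAs (hypothetical ASNs).
ROAS = [
    Roa("192.35.48.0/24", 24, 64500),   # AS 64500 may announce exactly the /24, nothing longer
    Roa("203.0.113.0/24", 24, 0),       # AS0 ROA: this prefix must never appear in BGP
]

if __name__ == "__main__":
    print(rov_state(ROAS, "192.35.48.0/24", 64500))   # valid
    print(rov_state(ROAS, "192.35.48.0/25", 64500))   # invalid: exceeds maxLength
    print(rov_state(ROAS, "192.35.48.0/24", 64511))   # invalid: wrong origin AS
    print(rov_state(ROAS, "198.51.100.0/24", 64511))  # notfound: no ROA covers it
    print(rov_state(ROAS, "203.0.113.0/24", 64500))   # invalid: AS0 ROA
```

Keeping maxLength equal to the length you actually announce, as in the first ROA, is what lets ROV reject the more-specific announcements described under “How can BGP be hijacked?”.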

Why choose LeaseIPx

When it comes to managing IP addresses, whether you want to buy, sell, or lease IPs, LeaseIPx stands out as a premier choice. Here’s why:

  1. Expertise and Reliability: LeaseIPx is a trusted player in the IP address market with extensive experience in handling IP transactions. Their expertise ensures that you get secure and compliant solutions.
  2. Comprehensive Services: Whether you need to buy IPs for expanding your network, sell IPs that are no longer in use, or lease IPs for short-term projects, LeaseIPx offers a range of tailored services to meet your needs.
  3. Compliance and Security: LeaseIPx adheres to industry standards and regulations, ensuring that all transactions are secure and compliant with current IP address policies.
  4. Efficiency and Flexibility: Their platform simplifies the process of acquiring and managing IP addresses, providing flexibility and efficiency to meet your specific requirements.
  5. Market Insight: With in-depth knowledge of the IP address market, LeaseIPx can provide valuable insights and guidance, helping you make informed decisions about buying, selling, or leasing IP addresses.

Conclusion

IP address hijacking is a major issue for individuals and businesses in today’s interconnected digital economy. Effectively tackling this ongoing danger requires putting strong preventive measures in place and learning the strategies that attackers use. By implementing proactive and vigilant security procedures, organizations can lower the risks associated with IP address hijacking and help ensure a more secure online environment.