There has been yet another incident of a Border Gateway Protocol (BGP) hijack, with the latest victim this time in Taiwan. Earlier this month (8 May), traffic going through a public DNS run by the Taiwan Network Information Center (TWNIC) was rerouted to an entity in Brazil for about three and a half minutes.

It remains to be investigated whether the route hijacking was malicious or inadvertent, but for something as important as a backbone of the Internet, even a three-and-a-half-minute leak was too great a risk, and serious damage could have been done.

Similar incidents can happen again at any time anywhere in the world, and network operators have a responsibility to ensure we have a globally robust and secure routing infrastructure. However, much more must be done by network operators to strengthen routing security.

What happened?

Quad101 is an experimental Public DNS project, branded a privacy-centric DNS resolver run by TWNIC, a ccTLD (country-code Top Level Domain) registry operator. TWNIC runs one of the world’s fastest DNS infrastructure, according to Quad 101’s website.

The specific IP address (101.101.101.101) has been assigned to Quad101 Public DNS systems.

On 8 May 2019, at around 15:08 (UTC) an entity in Brazil (AS268869) started advertising 101.101.101.0/24, which does not belong to them. It was an attempt to hijack the Quad101 prefix.

aut-num: AS268869 owner: FIBRA PLUS TELECOMUNICA??ES LTDA EPP responsible: ANDERSON LUCAS GALLACCI owner-c: FPTLE1 routing-c: FPTLE1 abuse-c: FPTLE1 created: 20190412 changed: 20190412 inetnum: 45.174.220.0/22 inetnum: 2804:5bc8::/32

A route dump from isolario.it project captured the first announcement on 8 May 2019 at 15:08:55 (UTC).

+|101.101.101.0/24|199036 28329 3549 4230 4230 4230 4230 268869|82.94.230.130|?|||3549:602 3549:2162 3549:34076 28329:2111 28329:2900 28329:12100|82.94.230.130 199036 112|1557328135|1

Whereas, RIPE RIS received the first announcement from AS268869 on 8 May 2019 at 15:08:39 (UTC).



Figure 1 — RIPE RIS screenshot showing AS268869’s first announcement of 101.101.101.0/24 on 8 May 2019.



The last announcement recorded by isolario.it from AS268869 was at 15:12:15 (UTC).

+|101.101.101.0/24|199036 198644 5603 3320 2828 4230 268869|82.94.230.130|82.94.230.130 199036 68|1557328335|1

And as per RIPE RIS, the last announcement received was at 15:11:42 (UTC).



Figure 2 — RIPE RIS screenshot showing AS268869’s last announcement of 101.101.101.0/24 on 8 May 2019.



How did this happen?

If you look at the announcements from AS268869 within the same time window, there were two IPv4 prefixes that do not belong to them — 101.101.101.0/24 and 102.102.102.0/24. This could be a classic example of testing something in the network and inadvertently leaking it to the Internet. But it could also be an attempt to hijack a public DNS and using 102.102.102.0/24 as a decoy.

This shouldn’t have happened if AS268869 implemented BCP 194 (RFC 7454 — BGP Operations and Security) and filtered outbound prefixes. But this is not only the mistake of AS268869 because they are connected to AS4230 — Claro Brasil — which propagated these bogus announcements to the global routing table. AS4230 didn’t apply any prefix filters while receiving it from AS268869 and they didn’t apply any checks (through IRR entries) while propagating these hijacked prefixes.

What do we do about it?

Routing security depends on the actions of other networks, and every network should help secure the global routing system as a whole.

That’s where the Mutually Agreed Norms for Routing Security (MANRS) comes in. MANRS is a community initiative of network operators and Internet Exchange Points (IXPs) that creates a baseline of security expectations for routing security. MANRS calls for simple, but concrete actions that will reduce the most common routing threats, including BGP hijacking.

Take the Introduction to MANRS course on the APNIC Academy

The first MANRS action is filtering, which prevents the propagation of incorrect routing information. If most network operators and IXPs implement the MANRS actions — including filtering — BGP hijacking events would not propagate across the Internet, and we could avoid outages, traffic inspection, and DoS attacks.

Other MANRS actions include anti-spoofing, global validation, coordination, MANRS promotion, and monitoring and debugging tools.

Learn more

Original post appeared on the MANRS Blog.

Aftab Siddiqui is a Technical Engagement Manager for the Internet Society.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.