BGP Route Hijacks Exploit Forged AS_PATHs, Undermining Internet Routing Trust
Cloudflare details how attackers are exploiting Border Gateway Protocol (BGP) by forging Autonomous System (AS) paths to misdirect internet traffic and conceal their origins.

Recent Border Gateway Protocol (BGP) route hijack attempts have highlighted a weakness in how some networks filter the routes their neighbors announce: attackers reuse unused Autonomous System Numbers (ASNs) and forge AS_PATH attributes to misdirect internet traffic. These attacks, detailed by Cloudflare based on reports from Spamhaus, reroute traffic through unexpected paths, potentially intercepting data or disrupting services, while the unused ASNs in the forged path obscure which network actually injected the routes.
The core of the exploitation lies in the manipulation of the AS_PATH, the ordered list of networks a route has traversed, with the origin at the right end and the announcing neighbor at the left. Attackers fabricate paths that imply implausible relationships, such as a network appearing to buy transit from its own customer or from an unrelated entity on another continent. For instance, a hijack targeting Orange S.A. prefixes showed an AS_PATH involving an unused Orange France ASN and Mexican ISPs, a sequence that matches no real peering or transit relationship. This indicates the path was written by the attacker rather than built hop by hop through genuine BGP sessions.
In another observed incident, a hijack affecting Cloudflare prefixes included Cloudflare's own ASN (AS13335) within the forged AS_PATH, alongside an unused ASN owned by Charter. Including the victim's own ASN makes the announcement resemble the victim's real route arriving via a different provider, which can mislead both operators inspecting the path and automated checks that only look at the origin. The traffic in these hijacks was traced to a network behind Gcore (AS199524), suggesting this provider was the point where the forged routes were accepted and then propagated to the wider internet.
The underlying issue enabling these attacks is the failure of some BGP peers to verify the "First AS" of a route received over an eBGP session: the leftmost ASN in the AS_PATH must be the ASN the neighbor's session is configured with (routers expose this as an enforce-first-as setting). When the check is not enforced, a customer can announce a path that begins with any ASN, including a dormant one belonging to somebody else, so the attacker's own network never appears in the path; upstream providers and peers then accept and propagate the forged route as if it had come from that ASN.
While emerging standards like Autonomous System Provider Authorization (ASPA) aim to bolster BGP security, the observed hijacks are built to pass them: the real origin ASN is kept at the right end of the path, so RPKI Route Origin Validation (ROV) still reports the route as valid, and a legitimate upstream of the victim is placed next to it, so ASPA finds no adjacency it can mark invalid. Therefore, a more immediate and effective defense against these specific hijacks is strict enforcement of First AS checking on every eBGP session. It does not by itself validate the rest of the path, but it forces the announcing network's real ASN into the first position, which removes the cover of the unused ASN and gives downstream validation and incident response a truthful first hop to work from.
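To make the two checks concrete, the following is an added illustration, not Cloudflare's code and not real routing data: a First AS check as a router would apply it on an eBGP session, and a deliberately simplified ASPA verification that only inspects the adjacencies inside the AS_PATH (the real algorithm also considers the receiving AS and the peer's role). All ASNs are from the private range and are assumptions for the example; the ASPA records are constructed, with the transit-free upstream publishing none, which is what lets the forged path come out "unknown" rather than "invalid".

```python
# Added example: enforce-first-as and a simplified ASPA upstream check run over
# constructed AS_PATHs. Not Cloudflare's code; all ASNs are private-range assumptions
# and do not correspond to the ASNs in the real hijacks.

from typing import Dict, List, Set

ATTACKER_ASN = 64500    # ASN the hijacker's eBGP session is actually established under
UNUSED_ASN = 64501      # dormant ASN the hijacker writes into the forged path instead
LEGIT_UPSTREAM = 64502  # transit-free provider the victim really buys transit from
VICTIM_ASN = 64503      # legitimate origin of the hijacked prefix (RPKI-ROV valid)

# Constructed ASPA records: customer ASN -> set of authorized provider ASNs.
# The transit-free upstream has no providers and publishes no record.
ASPA_RECORDS: Dict[int, Set[int]] = {
    VICTIM_ASN: {LEGIT_UPSTREAM},
}


def parse_as_path(text: str) -> List[int]:
    """Turn the textual AS_PATH of an UPDATE (leftmost = neighbor, rightmost = origin) into ints."""
    return [int(asn) for asn in text.split()]


def enforce_first_as(neighbor_asn: int, as_path: List[int]) -> bool:
    """Accept the UPDATE only if the leftmost AS_PATH element is the ASN the eBGP
    session is configured with. This is the check routers call enforce-first-as."""
    return bool(as_path) and as_path[0] == neighbor_asn


def aspa_upstream_check(as_path: List[int], records: Dict[int, Set[int]]) -> str:
    """Simplified ASPA verification for a route learned from a customer.

    Walking from the origin (right) toward the receiver (left), every AS must have
    authorized its left-hand neighbor as a provider. An unauthorized hop makes the
    path "invalid"; a hop whose customer has no ASPA record makes it "unknown".
    """
    result = "valid"
    for i in range(len(as_path) - 1, 0, -1):
        customer, provider = as_path[i], as_path[i - 1]
        if customer not in records:
            result = "unknown"          # nothing published: cannot judge this hop
        elif provider not in records[customer]:
            return "invalid"            # published record excludes this provider
    return result


def evaluate(neighbor_asn: int, path_text: str) -> dict:
    """Run both checks the way the receiving router would and report them together."""
    as_path = parse_as_path(path_text)
    return {
        "first_as_ok": enforce_first_as(neighbor_asn, as_path),
        "aspa": aspa_upstream_check(as_path, ASPA_RECORDS),
        "attacker_visible": ATTACKER_ASN in as_path,
    }


if __name__ == "__main__":
    # 1. Honest announcement from the real upstream on a session with that upstream.
    print(evaluate(LEGIT_UPSTREAM, f"{LEGIT_UPSTREAM} {VICTIM_ASN}"))
    # 2. Naive forgery: dormant ASN claims to be the victim's provider. ASPA catches it.
    print(evaluate(ATTACKER_ASN, f"{UNUSED_ASN} {VICTIM_ASN}"))
    # 3. The observed pattern: dormant ASN first, legitimate upstream and valid origin
    #    behind it. ASPA only says "unknown", so the First AS check is what rejects it.
    print(evaluate(ATTACKER_ASN, f"{UNUSED_ASN} {LEGIT_UPSTREAM} {VICTIM_ASN}"))
    # 4. What the hijacker must send once First AS is enforced: its own ASN now leads
    #    the path, so the announcement can no longer hide behind the unused ASN.
    print(evaluate(ATTACKER_ASN, f"{ATTACKER_ASN} {LEGIT_UPSTREAM} {VICTIM_ASN}"))
```

Case 3 is the one the article describes: ROV is satisfied by the real origin, ASPA has no record that contradicts the upstream hop, and only the mismatch between the session's ASN and the first AS in the path gives the receiving router a reason to drop it.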
BGP accepts whatever a neighbor announces unless the receiving network filters it, which makes it susceptible to manipulation. The AS_PATH attribute, while crucial for best-path selection and loop prevention, is set by the announcing router and can be altered at will. Attackers can shorten paths to attract traffic or lengthen them by prepending to steer it away, but forging the entire path, including the ASNs of networks that never saw the route, is a more sophisticated attack that directly undermines the integrity of internet routing.
Cloudflare's analysis stresses the need for network operators to implement and enforce First AS checking policies. This fundamental verification step can prevent the acceptance and propagation of routes with implausible or entirely fabricated AS_PATHs, thereby mitigating the impact of these sophisticated route hijack campaigns and restoring a layer of trust to the global routing system.