BGP is a beautiful, simple protocol, but it’s a miracle this whole thing we call the internet works in the first place. It is ultimately based on gossipy routers that freely share information in a trust-based system. There is no central authority, so internet operators have to go on what their peers tell them. Unfortunately, sometimes that information is wrong, or at least not what we intended. In the worst case, a network can pass itself off as your AS and hijack your traffic. This could have disastrous security impacts, as traffic could be subjected to a man-in-the-middle scenario, or even terminated at the hijacker, where they might mimic your destination. Think about that: everything matched. Right domain, even DNSSEC, but the IP you were using was stolen. In less malicious scenarios, you can find your traffic gets “leaked” to networks that shouldn’t have a direct route to you. This can cause misdirection, impacting performance, but it also has its own security implications, with traffic now freely passing through unfriendly waters.
What do you do about this? The first thing, like anything, is to monitor it closely and be alerted as soon as something appears. OK, then what? If you were hijacked by someone announcing a more specific route, you can match or raise them by announcing an equally specific or even more specific route yourself. Otherwise you might want to swap out the prefix altogether for one that is not under attack. Then have a conversation with your upstream provider. Were they the one who leaked the route? Could they use their own leverage in the space to sanction the bad actor? And this isn’t just you: it can and does happen to both entire countries and major brands.
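The monitoring step above can be sketched as a check that compares each observed announcement with what you expect for your own prefixes. This is an added example, not code from the article or from Dyn; the prefixes, AS numbers, upstream list and sample announcements are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed policy using documentation prefixes and ASNs (RFC 5737/3849/5398).
MY_ORIGIN = 64500
MY_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
MY_UPSTREAMS = {64510, 64511}  # ASNs expected directly next to our origin

def classify(prefix, as_path):
    """Classify one observed announcement; as_path lists ASNs with the origin last."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for mine in MY_PREFIXES:
        if net.version != mine.version or not net.subnet_of(mine):
            continue  # unrelated, or a less-specific covering route
        if origin != MY_ORIGIN:
            # Same length competes with us; a longer prefix wins outright.
            return "origin-hijack" if net == mine else "more-specific-hijack"
        # Skip our own prepends, then inspect the AS adjacent to the origin.
        neighbours = [asn for asn in as_path if asn != MY_ORIGIN]
        if neighbours and neighbours[-1] not in MY_UPSTREAMS:
            return "possible-leak"  # or a forged origin; needs a human look
        return "ok"
    return "unrelated"

# Constructed sample of announcements as a route collector might report them.
OBSERVED = [
    ("203.0.113.0/24", [64496, 64510, 64500]),         # normal path via upstream
    ("203.0.113.0/24", [64496, 64499]),                # someone else originates it
    ("203.0.113.128/25", [64496, 64499]),              # longer prefix, wrong origin
    ("203.0.113.0/24", [64496, 64497, 64500, 64500]),  # prepended, odd neighbour
    ("198.51.100.0/24", [64496, 64499]),               # not our address space
    ("2001:db8:1::/48", [64499]),                      # IPv6 more-specific
]

def alerts(observations):
    """Return (prefix, verdict) for every announcement that needs attention."""
    results = [(p, classify(p, path)) for p, path in observations]
    return [(p, v) for p, v in results if v not in ("ok", "unrelated")]

if __name__ == "__main__":
    for prefix, verdict in alerts(OBSERVED):
        print(f"ALERT {verdict}: {prefix}")
```

A more-specific verdict is the case where matching or raising the prefix length applies; a possible-leak verdict is the one to take to your upstream provider.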
Matt Torrisi is the Sales Engineering Manager at Dyn, the world leader in Internet Performance Solutions that delivers traffic management, message management, and performance assurance. Follow on Twitter: @DrFuzz42 and @Dyn.