
How To Ensure Service Delivery: The BGP Blues

BGP is a beautiful, simple protocol, but it’s a miracle that this whole thing we call the internet works in the first place. It is ultimately based on gossipy routers that freely share information in a trust-based system. There is no central authority, so internet operators have to go on what their peers tell them. Unfortunately, sometimes that information is wrong, or at least not what we intended. In the worst case, a network can pass itself off as your AS and hijack your traffic. This could have disastrous security impacts: traffic could be subjected to a man-in-the-middle scenario, or even terminated at the hijacker, where they might mimic your destination. Think about that: everything matched. Right domain, even DNSSEC, but the IP you were using was stolen. In less malicious scenarios, you can find your traffic “leaked” to networks that shouldn’t have a direct route to you. This can cause misdirection that impacts performance, and it has its own security implications, with traffic now freely passing through unfriendly waters.

What do you do about this? The first thing, as with anything, is to monitor it closely and be alerted as soon as something appears. OK, then what? If you were hijacked by someone announcing a more specific route, you can match or raise them with your own announcement. Otherwise, you might want to swap out the prefix altogether for one not under attack. Then have a conversation with your upstream provider. Were they the one who leaked the route? Could they use their own leverage in the space to sanction the bad actor? And this isn’t just you: this can and does happen to both entire countries and major brands.
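To make the monitoring step concrete, here is an added example (not code from the original post or from Oracle Dyn) that classifies observed announcements against the prefixes you expect to originate. The ASNs, prefixes, upstream list and sample feed are constructed from documentation ranges, and the `classify` and `alerts` names are hypothetical.

```python
import ipaddress
from itertools import groupby

# Constructed policy: documentation prefix (RFC 5737) and ASNs (RFC 5398).
MY_ASN = 64496
MY_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MY_UPSTREAMS = {64500, 64501}  # assumed: the only ASes allowed next to MY_ASN


def classify(prefix, as_path):
    """Classify one observed announcement. as_path is a list of ASNs, origin last."""
    net = ipaddress.ip_network(prefix)
    path = [asn for asn, _ in groupby(as_path)]  # collapse AS-path prepending
    if not path:
        return "unrelated"
    origin = path[-1]
    for mine in MY_PREFIXES:
        if net.version != mine.version or not net.subnet_of(mine):
            continue  # does not fall inside the space we monitor
        if origin != MY_ASN:
            # Another AS originates our exact prefix, or a longer one that
            # wins longest-prefix match wherever it is accepted.
            return "more-specific-hijack" if net.prefixlen > mine.prefixlen else "origin-hijack"
        if len(path) > 1 and path[-2] not in MY_UPSTREAMS:
            # Our origin, but reached through a neighbour we do not connect to.
            return "unexpected-upstream"
        return "ok"
    return "unrelated"


# Constructed sample of what a route-collector feed might report.
SAMPLE_UPDATES = [
    ("198.51.100.0/24", [64510, 64500, 64496, 64496]),  # normal, with prepending
    ("198.51.100.0/24", [64510, 64505]),                # foreign origin, same prefix
    ("198.51.100.128/25", [64511, 64506]),              # foreign origin, longer prefix
    ("198.51.100.0/24", [64510, 64507, 64496]),         # our origin, wrong neighbour
    ("203.0.113.0/24", [64510, 64508]),                 # not our space
]


def alerts(updates):
    """Return (prefix, verdict) for every announcement that needs attention."""
    results = [(p, classify(p, path)) for p, path in updates]
    return [r for r in results if r[1] not in ("ok", "unrelated")]


if __name__ == "__main__":
    for prefix, verdict in alerts(SAMPLE_UPDATES):
        print(f"ALERT {verdict}: {prefix}")
```

The `unexpected-upstream` verdict covers both a leak through a network that should not have a direct route to you and a path in which your ASN was appended by someone else, so it is a prompt to investigate rather than a conclusion.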


Matt Torrisi
Whois: Matt Torrisi

Matt Torrisi is a Senior Solutions Engineer at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.
