Network shaping: How does it enable BGP attacks to divert data?

Threat actors in China reportedly use a technique the NSA calls network shaping, which involves rerouting internet backbone traffic by hijacking Border Gateway Protocol routes to divert -- and copy -- U.S. internet traffic. What is network shaping and how can it be prevented?

Network shaping, also known as traffic shaping, is a technique that attackers can use to hijack, divert and copy valuable information sent to and from targeted networks. Attackers manipulate the routes shared between routers using the Border Gateway Protocol (BGP) to divert sensitive data to systems under their control in order to copy the data. By rerouting the packets to their intended destinations after they have been examined, the attackers are able to operate undetected.

One reason such attacks are hard to detect is that correctly configuring the Border Gateway Protocol (BGP) can be difficult and misconfigurations -- whether caused by unintentional human error or intentional attacks -- are common.

While all internet-connected devices are capable of basic routing -- directing local network packets to the local network and remote network packets to the office router -- global BGP routing is negotiated between backbone routers. Backbone routers connect autonomous systems (ASes) -- networks, or groups of networks, for which all routing is administered by a single entity or domain. ASes are commonly assigned to national ISPs, large enterprises and universities, among other entities.

BGP hijacking occurs when a backbone router for one AS incorrectly announces over the BGP that it has a direct route to an IP block that is actually owned by a different network AS. As a result, some backbone routers may begin routing traffic intended for the first AS to the second AS before resending it to its intended destination. The BGP routing protocol itself does not have any mechanism to verify the accuracy of routing information.

The state-run company China Telecom took this opportunity to hijack BGP routes and get other networks to repeat its malicious routing announcement. China Telecom's distributed points of presence -- eight located in the U.S. and two in Canada -- were set up in North American telecommunications systems to redirect internet traffic to China Telecom. Sensitive data flows across China's collection points without raising any flags to warn network administrators to suspect malicious data transfers.

Fixing the problem by filtering for IP prefixes related to the malicious actors doesn't always work worldwide, as BGP hijacking is not easily detected. When administrators notice that the route paths are not performing well, the cause could be a malicious attack or it could just be caused by traffic surges.

One approach to prevent BGP hijacking is to use a Resource Public Key Infrastructure (RPKI) with the BGPsec protocol. RPKI can be used to validate the authorization of a source AS to announce an IP prefix. The BGPsec protocol validates the entire path from the source AS to the destination.

The benefits of using BGPsec can be realized when many ASes are deployed. The combination of RPKI and prefix filtering on the client side should help to reduce attacks. The server provider should have adequate filters to monitor the owner's prefixes.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)