In 2018, 1,300 IP addresses were hijacked from Amazon Web Services (Route 53). This malicious attack resulted in service disruption for about two hours and theft of approximately $150,000 in cryptocurrency.
Further (through no fault of Amazon), this attack exposed both ISP peers and customers to fraudulent routes, leaving them susceptible to attack. The root cause of this incident—and hundreds of others like it—was the lack of security in the Border Gateway Protocol (BGP), the protocol used for interdomain routing.
BGP announces IP reachability information between domains, but it provides no way to validate that the announcing network actually holds the IP resources it announces. This vulnerability, documented in RFC 4272, creates opportunities for inadvertent advertisements and for malicious theft of IP resources, and so threatens network services and stability. As the Internet of Things (IoT) continues to spread across customer devices and raises reliability expectations for ISP networks, ISPs have a responsibility to deploy industry best security practices to protect the IP network for their customers.
This document introduces Resource Public Key Infrastructure (RPKI) with BGP Route Origin Validation (ROV) to mitigate the BGP security issues associated with origin attacks. RPKI is an out-of-band security infrastructure that uses public key cryptography to validate which Autonomous System (AS) is authorized to originate a given set of IP resources. This paper first details the existing vulnerabilities in BGP. Second, it shows how RPKI—together with deployment of BGP ROV—mitigates BGP hijacks and route leaks. Third, it outlines a deployment strategy for BGP RPKI. Finally, it demonstrates how an attacker's ability to hijack prefixes decreases once the top ISPs adopt RPKI.
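To make the ROV step concrete, the following added example (not code from the original paper) implements the RFC 6811 origin-validation decision a router applies to each received announcement: it compares the announced prefix and origin AS against a table of Validated ROA Payloads (VRPs) and returns Valid, Invalid or NotFound. The VRP table and the announcements are constructed from documentation prefixes and reserved ASNs; in production the VRPs would come from an RPKI validator over RTR, and the cryptographic validation of the ROAs themselves happens there, not in the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: (prefix, maxLength, origin AS) extracted from a signed ROA."""
    prefix: str
    max_length: int
    asn: int


def rov_validate(route_prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Classify a BGP announcement as Valid, Invalid or NotFound (RFC 6811 semantics)."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = []
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix, strict=True)
        # A VRP "covers" the route when the announced prefix lies inside the ROA prefix.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(vrp)
    if not covering:
        return "NotFound"          # no ROA exists for this space: RPKI has no opinion
    for vrp in covering:
        # Valid only if the origin AS is authorized AND the announced length is
        # within maxLength; a /25 under a ROA with maxLength 24 is Invalid.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def accept_route(route_prefix: str, origin_asn: int, vrps: List[VRP]) -> bool:
    """Typical ROV policy: drop Invalid, accept Valid and NotFound."""
    return rov_validate(route_prefix, origin_asn, vrps) != "Invalid"


# Constructed VRP table (documentation prefixes, reserved ASNs; not real ROAs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),     # only AS64496 may originate this /24
    VRP("198.51.100.0/22", 24, 64497),  # AS64497 may announce the /22 down to /24s
    VRP("203.0.113.0/24", 24, 0),       # AS0 ROA: no AS may originate this prefix
]

if __name__ == "__main__":
    # Constructed announcements; the second models an origin hijack of a covered prefix.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("198.51.100.0/23", 64497), ("198.51.100.0/25", 64497),
                        ("203.0.113.0/24", 64498), ("2001:db8::/32", 64496)]:
        print(f"{prefix:18} AS{asn}: {rov_validate(prefix, asn, VRPS)}")
```

The NotFound case is why partial RPKI coverage limits the protection: a hijacked prefix with no ROA is accepted exactly like a legitimate one, which is the motivation for the adoption analysis in the final section.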