
Hi,

On Sat, Jan 07, 2023 at 11:33:09PM +0800, Brandon Zhi wrote:
> I've been doing some research on BGP security recently and I've discovered a hijacking method called BGP next-hop hijacking. But I don't know how this will cause harm, as modifying the next-hop only redirects traffic.
I would consider this to be as bad as any sort of "in-flight manipulation of BGP reachability information" - either changing prefixes, or changing next-hop would permit an attacker to redirect "user traffic", and then interfere with *that*.
> Are there any actual cases of such hijacking parties?
... OTOH, for this to have a noticeable effect, you'd need to sit on a shared network with the two routers whose BGP session is modified (injecting into a remote session won't get you the traffic, so this would be more some obscure sort of routing stability attack) - so IXPs are the only place where I could imagine this attack being done. Not sure how hard it is today to inject a BGP segment into an existing TCP session without being able to see the actual TCP stream (IXP filters should prevent ARP/MAC spoofing). Using BGP MD5 would also make this attack close to impossible, even if MD5 is not that much of a strong authentication.

(This said, I've never actually seen or heard about an actual attack on a BGP session - it can obviously be done, but seems to be either so stealthy that nobody notices, or uninteresting enough that nobody does it)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
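To make the "in-flight manipulation of reachability information" concrete: an UPDATE injected into a session on a shared IXP LAN can carry the same prefixes and AS_PATH as the legitimate announcement and differ only in the NEXT_HOP attribute, which is enough to pull the traffic for those prefixes towards the attacker's port. The following is an added example written for this thread, not code from the list, from SpaceNet or from any router vendor. It builds a minimal IPv4 UPDATE (RFC 4271 encoding, constructed test input), parses NEXT_HOP, AS_PATH and the NLRI back out, and applies a simple plausibility check. The check, and the addresses used, are assumptions of the example: on a bilateral eBGP session over a shared LAN the NEXT_HOP is expected to equal the peer's own session address (route servers legitimately set third-party next-hops, so the check would have to be relaxed for those sessions). AS numbers are encoded as 2 octets for brevity; a real session normally negotiates 4-octet ASNs (RFC 6793).

```python
"""Parse a BGP UPDATE, extract NEXT_HOP, and flag an unexpected next-hop.

Added example for this thread, not code from the list or from any vendor.
Assumptions (not from the original message): IPv4 unicast only, 2-octet AS
numbers in AS_PATH, and that on a bilateral eBGP session over a shared LAN
the NEXT_HOP is expected to equal the peer's own session address.
"""
import ipaddress
import struct

MARKER = b"\xff" * 16            # RFC 4271 message marker
TYPE_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
FLAG_WELL_KNOWN_TRANSITIVE = 0x40
FLAG_EXTENDED_LENGTH = 0x10


def build_update(prefixes, next_hop, as_path):
    """Build a minimal IPv4 UPDATE announcing `prefixes` (constructed test input)."""
    attrs = bytes([FLAG_WELL_KNOWN_TRANSITIVE, ATTR_ORIGIN, 1, 0])        # ORIGIN = IGP
    # AS_PATH: one AS_SEQUENCE segment (type 2) with 2-octet ASNs
    segment = bytes([2, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs += bytes([FLAG_WELL_KNOWN_TRANSITIVE, ATTR_AS_PATH, len(segment)]) + segment
    attrs += bytes([FLAG_WELL_KNOWN_TRANSITIVE, ATTR_NEXT_HOP, 4])
    attrs += ipaddress.IPv4Address(next_hop).packed
    nlri = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        nbytes = (net.prefixlen + 7) // 8               # NLRI carries only the significant octets
        nlri += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), TYPE_UPDATE) + body


def parse_update(msg):
    """Return (attrs, prefixes): attrs maps type code -> raw value, prefixes are CIDR strings."""
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != TYPE_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    pos = 19
    withdrawn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len                             # skip withdrawn routes
    attr_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    attr_end = pos + attr_len
    attrs = {}
    while pos < attr_end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXTENDED_LENGTH:                 # 2-octet attribute length
            vlen = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            vlen = msg[pos + 2]
            pos += 3
        attrs[code] = msg[pos:pos + vlen]
        pos += vlen
    if pos != attr_end:
        raise ValueError("path attributes overrun their declared length")
    prefixes = []
    while pos < len(msg):                                # remaining bytes are NLRI
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        raw = msg[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        net = ipaddress.IPv4Network((int.from_bytes(raw, "big"), plen), strict=False)
        prefixes.append(str(net))
        pos += 1 + nbytes
    return attrs, prefixes


def next_hop_of(msg):
    attrs, _ = parse_update(msg)
    return str(ipaddress.IPv4Address(attrs[ATTR_NEXT_HOP]))


def as_path_of(msg):
    attrs, _ = parse_update(msg)
    raw = attrs[ATTR_AS_PATH]
    count = raw[1]                                       # segment: type, count, ASNs
    return list(struct.unpack("!%dH" % count, raw[2:2 + 2 * count]))


def next_hop_is_expected(msg, peer_address):
    """True when NEXT_HOP equals the peer's session address (assumed bilateral-session policy)."""
    return next_hop_of(msg) == peer_address


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges, not real peers.
    peer = "192.0.2.1"
    legit = build_update(["203.0.113.0/24"], peer, [64500])
    injected = build_update(["203.0.113.0/24"], "192.0.2.99", [64500])   # attacker's LAN address
    for name, upd in (("legit", legit), ("injected", injected)):
        print(name, next_hop_of(upd), as_path_of(upd), parse_update(upd)[1],
              "OK" if next_hop_is_expected(upd, peer) else "UNEXPECTED NEXT_HOP")
```

Both messages parse identically apart from the NEXT_HOP value, which is the whole point of the attack: nothing in the AS_PATH or the prefix list gives the injected update away. The check only helps where the session policy really is "next-hop must be the peer", and it is a detection aid, not a substitute for protecting the TCP session itself (TCP-MD5 or TCP-AO), which is what actually stops the injection.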