
Brandon Zhi wrote on 08/01/2023 08:56:
*Case1:*
Assume that Network A and an ISP (Network B) are in the same IXP and Network A sets the next hop of all routes to the IP address of the ISP without authorization or purchase of IP Transit. This will allow the ISP's routes to be used without purchasing the service (output traffic only), which also requires another ISP (Network C) for incoming traffic. The graph is shown below.
Case1.png
I have heard of instances where these have been caused by a lack of source address validation by the ISP.
*Case2:*
This attack is more of a man-in-the-middle attack, assuming that Network A and Network B are in an Internet exchange. The attacker, Network C, sets the next hop to itself by capturing the packet UPDATE, which enables it to capture the packet between Network A and Network B.
In the real world, the IXP would terminate the service for the attacking network. I.e. this is a trick you can play only once.
Case2.png
However, as Nick says, this is more likely to happen with multi-hop BGP, as it is difficult for network C to modify packets restricted to BGP when A is directly connected to B.
*Case3:*
Suppose network A is under DDoS attack and network A announces the next hop of the prefixes it sends for network B so that network B will carry this traffic.
But it looks like all of these methods are easily prevented, and I recently came up with a method which can even pass RPKI. I call it AS-SET-based BGP hijacking.
RPKI is not designed to protect against malicious attacks. If you spoof the origin ASN, you bypass RPKI.
*AS-SET-based BGP hijacking*
Assume network A is hosting a banking website. As compared to the other networks, the AS-PATH between the attacker (network B) and network A is shorter.
Attacker Network B can add the victim's (Network A) ASN to its own AS-SET so that filters on other networks will add Network B's prefixes. Network B can then announce Network A's prefix to the other networks.
Again, you get to play this trick once. When you're found out, your transit connection will be terminated.
Nick
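
The filter-building step described under AS-SET-based BGP hijacking, as an added example that is not part of the original message: it shows how expanding an AS-SET pulls a newly listed ASN's prefixes into a peer's accept list, why an origin check alone does not flag the route when the announced origin matches the ROA, and how diffing the expansion before regenerating filters surfaces the change for review. The ASNs, prefixes, AS-SET names and function names are constructed for illustration (documentation ranges only), and the origin check is simplified to exact-prefix matching.

```python
# Constructed IRR/RPKI snapshots; documentation ASNs and prefixes only.
AS_SETS_BEFORE = {"AS-NETB": {"AS64497", "AS-NETB-CUST"},
                  "AS-NETB-CUST": {"AS64499"}}
# Same AS-SET after Network B lists Network A's ASN as a member.
AS_SETS_AFTER = {"AS-NETB": {"AS64497", "AS-NETB-CUST", "AS64496"},
                 "AS-NETB-CUST": {"AS64499"}}
ROUTE_OBJECTS = [("192.0.2.0/24", "AS64496"),     # Network A
                 ("198.51.100.0/24", "AS64497"),  # Network B
                 ("203.0.113.0/24", "AS64499")]   # Network B's customer
ROAS = {"192.0.2.0/24": "AS64496", "198.51.100.0/24": "AS64497"}


def expand_as_set(name, as_sets, seen=None):
    """Recursively flatten an AS-SET into member ASNs, tolerating loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, ()):
        if member.startswith("AS-"):          # nested AS-SET
            asns |= expand_as_set(member, as_sets, seen)
        else:                                 # plain ASN
            asns.add(member)
    return asns


def build_prefix_filter(as_set, as_sets, routes):
    """Prefixes a peer would accept from the holder of as_set."""
    members = expand_as_set(as_set, as_sets)
    return {prefix for prefix, origin in routes if origin in members}


def rov_state(prefix, origin_asn, roas):
    """Simplified origin validation: exact prefix match, no maxLength."""
    if prefix not in roas:
        return "not-found"
    return "valid" if roas[prefix] == origin_asn else "invalid"


def new_members(as_set, before, after):
    """ASNs that appear in the expansion only after the change."""
    return expand_as_set(as_set, after) - expand_as_set(as_set, before)


if __name__ == "__main__":
    print("filter before:", sorted(build_prefix_filter("AS-NETB", AS_SETS_BEFORE, ROUTE_OBJECTS)))
    print("filter after: ", sorted(build_prefix_filter("AS-NETB", AS_SETS_AFTER, ROUTE_OBJECTS)))
    print("hold for review:", sorted(new_members("AS-NETB", AS_SETS_BEFORE, AS_SETS_AFTER)))
```

Holding the ASNs returned by `new_members` for manual confirmation before the filter is regenerated keeps an unverified membership change from widening the accept list automatically.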