BGP security is going global.
International agencies including the U.S. Department of Homeland Security, the National Science Foundation, the European Research Council and others are funding the Automatic and Real-Time dEtection and Mitigation System (ARTEMIS), in an effort to stop hackers from rerouting internet traffic through malicious networks.
Border Gateway Protocol hijacking occurs when attackers redirect web traffic away from its intended destination and instead send those connections somewhere else. Perhaps the best known example of BGP hijacking occurred in November when millions of IP addresses aimed at Google were instead sent to a state-controlled telecom in China, apparently by accident. The issue has become more urgent since nation-state hackers and criminal groups started to utilize this technique for their own gain, Rob Joyce, a senior adviser at the U.S. National Security agency, said in December.
ARTEMIS is seeking to resolve this problem with the release of an open-source software tool that aims to detect and stop BGP attacks within one minute. The group also received funding from a grant from the RIPE Network Coordination Centre, which works as the internet registry for Europe, West Asia and former Soviet states.
“ARTEMIS is a defense approach against BGP prefix hijacking attacks,” the group’s GitHub page states. “It is (a) based on accurate and fast detection … by leveraging the pervasiveness of publicly available BGP monitoring services and it (b) enables flexible and fast mitigation of hijacking events. Compared to existing approaches/tools, ARTEMIS combines characteristics desirable to networks operators such as comprehensiveness, accuracy, speed, privacy and flexibility.”
Researchers from the U.S. Naval War College and Tel Aviv University, in a paper published in October, determined that large amounts of traffic from the U.S. and Canada were being directed through Chinese connection points.
China Telecom, the same state-owned company that accessed Google traffic, has a large North American presence, meaning American and Canadian web activity could be vulnerable to snooping, the researchers said. In one case that lasted roughly six months in 2016 traffic meant for Canadian and Korean government websites was routed through China, the researchers found.
“This is a perfect scenario for long term espionage, where the victim’s local protections won’t raise alarms about the long term traffic detours,” they wrote.