The Internet Is Under Attack: The Border Gateway Protocol Crisis
- Aditya Jadoun
- Sep 30, 2024
The White House finally admitted it: our country is under attack. But I’m not talking about physical borders. The real threat is to the Border Gateway Protocol (BGP)—one of the rickety pillars holding up the internet, precariously supported by little more than duct tape and hope.
If you think this doesn’t matter, consider this: back in 2008, YouTube went down worldwide because a government official in Pakistan messed up a config trying to censor the internet. In 2018, Amazon’s Route 53 DNS traffic was hijacked, and a bunch of crypto bros lost their life savings. And let’s not forget 2021, when Facebook and Instagram went offline for hours, giving us a fleeting taste of what life could be like without them.
These outages all trace back to the fragility of BGP, an ancient piece of internet infrastructure that was designed decades before anyone considered the potential for cyber-attacks. So, what is BGP, why is it so broken, and what’s being done to fix it?
What is the Border Gateway Protocol?
The internet isn’t a monolith. It’s a tangled web of autonomous systems—independent networks run by ISPs, corporations, or government agencies. BGP is like the post office of the internet, allowing these networks to announce two key things:
- That they exist
- Which other networks they can reach
Routers use BGP to decide the most efficient path for sending data across the internet. In other words, it’s what makes the internet work.
Think of Verizon and AT&T as two separate autonomous systems. BGP ensures that data can flow efficiently between them, directing traffic through a constantly updating network of routes. Individual IP addresses are grouped into prefixes, and BGP maintains the routing tables that let all these networks talk to each other. Sounds good, right?
Why Is BGP Broken?
The problem is, BGP was designed 25 years ago, when the internet was still in its infancy, and before cybersecurity threats were on anyone’s radar. It operates on little more than trust—as in, "trust me, bro."
Here’s where things get sketchy:
- BGP doesn't check whether a network announcing a route change actually has the authority to do so.
- It doesn’t verify whether messages exchanged between networks are authentic.
- It doesn’t check whether routing announcements violate business agreements between networks.
This blind trust makes BGP incredibly vulnerable to route leaks and hijacking attacks.
Real-World Examples of BGP Hijacking
One infamous example of BGP failure is the 2018 Amazon Route 53 attack. Hackers manipulated BGP to reroute traffic meant for myetherwallet.com to a fake website. People visiting the site entered their credentials, which were promptly stolen. The hackers then logged into the real website and drained victims’ accounts.
The scary part? The users didn’t do anything wrong. They went to the URL they always use, but BGP directed them to the wrong place.
What’s Being Done to Fix It?
It’s 2024, and surely by now, this gaping hole in our digital infrastructure has been fixed, right? Not quite. Governments and tech giants are finally starting to take this seriously, though.
The fix relies on something called Resource Public Key Infrastructure (RPKI), which cryptographically signs BGP route announcements. This ensures that only legitimate routes are advertised and accepted by routers. Essentially, RPKI lets network operators know which routes are trustworthy by creating signed Route Origin Authorizations (ROAs).
And, as usual, the EU is ahead of the game. Over 70% of BGP routes in Europe have published ROAs, compared to a mere 39% in the U.S. It’s a step in the right direction, but we’re far from where we need to be.
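How a router uses ROAs, as an added example that is not part of the original article: a ROA binds a prefix, up to a maximum length, to the autonomous system allowed to originate it, and each announcement is classified as valid, invalid or not-found (the three states of RFC 6811). The ROA table and announcements are constructed from documentation prefixes and AS numbers, and the names `ROA`, `validate_origin` and `accept` are hypothetical.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # longest prefix length the holder allows to be announced
    origin_as: int    # AS authorized to originate the prefix

# Constructed ROA table: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("198.51.100.0/24"), 25, 64497),
]

def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"            # no ROA covers this address space at all
    for r in covering:
        # AS 0 in a ROA means "nobody may originate this", so it never matches.
        if r.origin_as != 0 and r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                  # covered, but wrong origin or too specific

def accept(announcements, roas=ROAS):
    """Drop 'invalid' routes; keep 'valid' and 'not-found' (unsigned space stays reachable)."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) != "invalid"]

# Constructed announcements as (prefix, origin AS).
SAMPLE = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # same prefix, unauthorized origin
    ("192.0.2.128/25", 64511),   # more-specific from an unauthorized origin
    ("192.0.2.128/25", 64496),   # right origin, but longer than max_length
    ("198.51.100.0/25", 64497),  # more-specific permitted by max_length 25
    ("203.0.113.0/24", 64500),   # no covering ROA
]

if __name__ == "__main__":
    for p, a in SAMPLE:
        print(f"{p:18} AS{a:<6} {validate_origin(p, a)}")
```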
Can the Internet Be Fixed?
Despite its flaws, the internet remains the most transformative invention in human history. It’s broken, sure, but it can be fixed by the same human ingenuity that built it. However, let’s not pretend the government or Big Tech are moving fast enough to secure this fragile infrastructure. The more we delay securing BGP, the more we leave ourselves exposed to malicious attacks that could cripple the global economy in an instant.
At the end of the day, this is another reminder that our most “advanced” technologies are often propped up by patchwork systems that are outdated and ill-prepared for modern threats. If anything, it should make us rethink our blind faith in technology as the ultimate solution to all problems. We need to be more critical, more self-sufficient, and more prepared for a world where these systems might fail.




