Cloud-delivered security provider OpenDNS is preparing to launch a new alert system designed to warn users when Border Gateway Protocol (BGP) incidents are discovered on the Internet.
The new tool, named “BGP Stream,” is powered by data collected by BGPmon, a network and routing monitoring services company acquired by OpenDNS in March.
BGP is an external routing protocol that plays an important role in the proper functioning of the Internet. The protocol is designed to connect networks on the Internet by making them aware of each other’s existence and establishing routing between them.
Currently there are roughly half a million routes between 50,000 unique autonomous systems on the Internet. While routing changes are highly common, some of them can hide potentially malicious activity.
In August 2014, Dell reported that cybercriminals had managed to steal cryptocurrency from mining pools via BGP hijacking. The attackers used bogus BGP announcements to direct traffic from the miners to mining pools they controlled.
BGP has also been involved in Internet blackouts, including the 2012 and 2013 outages suffered by Syria. A more recent case involving BGP came to light last week when files leaked from Italian spyware maker Hacking Team revealed that the company leveraged BGP hijacking to help the Italian National Military Police regain access to clients running remote access tools.
A network of BGP probes, classifiers, and alerts operated by BGPmon enables the company to identify malicious hijacks and outages involving the routing protocol. Through BGP Stream, security researchers, IT professionals, and the general public will be alerted to these incidents. By subscribing to the stream, users will be kept informed of potentially damaging network changes that affect traffic flows.
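To show what a hijack-and-outage classifier of the kind described above does, here is an added example that is not OpenDNS or BGPmon code: it walks a constructed feed of BGP announcements and withdrawals (documentation prefixes and private ASNs, all hypothetical) against a baseline of expected origin ASNs, flagging origin hijacks, more-specific hijacks, and outages where most collector peers have withdrawn a prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: prefix -> origin ASN that is expected to announce it.
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501}

# Constructed update feed as three route-collector peers (p1..p3) might report it.
# "A" = announcement with AS path (last hop is the origin), "W" = withdrawal.
UPDATES = [
    {"type": "A", "peer": "p1", "prefix": "203.0.113.0/24", "as_path": [64510, 64500]},
    {"type": "A", "peer": "p2", "prefix": "203.0.113.0/25", "as_path": [64520, 64666]},
    {"type": "A", "peer": "p1", "prefix": "198.51.100.0/24", "as_path": [64530, 64666]},
    {"type": "W", "peer": "p1", "prefix": "198.51.100.0/24"},
    {"type": "W", "peer": "p2", "prefix": "198.51.100.0/24"},
    {"type": "W", "peer": "p3", "prefix": "198.51.100.0/24"},
]

def classify(updates, expected=EXPECTED_ORIGIN, peers=3, outage_ratio=0.66):
    """Return (kind, prefix, detail) alerts in feed order, one outage alert per prefix."""
    baseline = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    withdrawn = defaultdict(set)   # prefix -> peers that have withdrawn it
    outage_reported = set()
    alerts = []
    for u in updates:
        net = ipaddress.ip_network(u["prefix"])
        if u["type"] == "A":
            origin = u["as_path"][-1]
            if net in baseline:
                # Exact prefix announced by an unexpected origin: origin hijack.
                if origin != baseline[net]:
                    alerts.append(("origin_hijack", u["prefix"], origin))
                continue
            # A more-specific inside a known prefix from a different origin draws
            # traffic away by longest-prefix match; same-origin more-specifics are
            # treated as legitimate traffic engineering and not flagged.
            for known, asn in baseline.items():
                if net.subnet_of(known) and origin != asn:
                    alerts.append(("more_specific_hijack", u["prefix"], origin))
        elif u["type"] == "W":
            withdrawn[net].add(u["peer"])
            seen_by = len(withdrawn[net])
            if seen_by >= peers * outage_ratio and net not in outage_reported:
                outage_reported.add(net)
                alerts.append(("outage", u["prefix"], seen_by))
    return alerts

if __name__ == "__main__":
    for kind, prefix, detail in classify(UPDATES):
        print(f"{kind:22s} {prefix:18s} {detail}")
```

A production classifier would also suppress alerts for origins covered by a valid RPKI ROA and require the unexpected path to be seen from several peers before alerting.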
BGP Stream will be easy to use because it uses Twitter to send out alerts on BGP incidents. The information will be available to companies and researchers through a client or the web browser, by accessing the BGP Stream Twitter account just like they would any other account. The stream will also be accessible via the Twitter API, which allows developers to follow accounts and programmatically pull updates from them.
“Essentially, we’re sharing this threat information in the public domain. We’re still at the early stages of threat information sharing in the information security industry, but hopefully efforts like this will inspire more vendors and researchers to undertake these kinds of projects,” Dan Hubbard, CTO of OpenDNS, told SecurityWeek.
In addition to BGP alerts, BGP Stream will leverage OpenDNS’s deep visibility into DNS traffic to inform users about distributed denial-of-service (DDoS) attacks.
The tool will become available at the beginning of August, after Hubbard and BGPmon founder Andree Toonk detail BGP Stream in a talk at the Black Hat security conference in Las Vegas.
“Due to the nature of the BGP protocol, a BGP route outage or hijack can affect the entire user base of a network. There are some instances where entire countries have ‘fallen off the Internet’ or organizations have had all of their external network traffic rerouted, for potentially nefarious purposes,” Hubbard said. “BGP Stream will be what we believe is the first public alert system for these widespread outages. We’re hoping that both regular users and security researchers will be able to use it to keep abreast of the latest outages and hijacks.”