Fastly Experiences BGP Hijack Incident
/ 4 min read
Quick take - Fastly recently experienced a BGP hijack incident that, unlike a similar event in 2008, went largely unnoticed due to the effectiveness of Resource Public Key Infrastructure (RPKI) in mitigating disruptions to its traffic delivery.
Fast Facts
- Fastly recently experienced a BGP hijack incident, reminiscent of a significant 2008 routing error that caused a major outage for a video-sharing platform.
- The recent incident went largely unnoticed, indicating a shift in the Internet community’s response to such events.
- A key difference between the 2008 incident and Fastly’s case is the implementation of Resource Public Key Infrastructure (RPKI), which helps validate BGP messages and reject invalid ones.
- Fastly publishes Route Origin Authorizations (ROAs) for its IP addresses, allowing major carriers to disregard problematic BGP messages, resulting in minimal impact from the hijack.
- RPKI adoption has increased among ISPs and cloud providers since 2020, with the U.S. Government endorsing its use to enhance Internet safety and reliability.
Fastly Experiences BGP Hijack Incident
Fastly, a prominent content delivery network, recently experienced a Border Gateway Protocol (BGP) hijack incident that occurred three weeks ago. This incident bears similarity to a notable BGP routing error from 2008, which resulted in a multi-hour outage for a major video-sharing platform and garnered significant media attention. In contrast, the recent Fastly incident went largely unnoticed, suggesting a shift in the response to such events within the Internet community.
Understanding BGP and Its Vulnerabilities
The Internet operates as a vast network of interconnected routers managed by approximately 85,000 organizations. These routers utilize BGP to exchange messages and determine optimal paths for data packets directed toward specific IP addresses. The Longest Prefix Match (LPM) algorithm plays a crucial role in enabling routers to select the most detailed routing information available. While the ability for anyone to connect to the Internet and transmit data has fueled its growth, it also introduces vulnerabilities, particularly the risk of unauthorized route origination.
The 2008 incident involved a telecommunications operator in a large nation that attempted to censor a video-sharing platform through misconfigured BGP messages, resulting in a global disruption of the platform’s services. The misconfigured messages propagated beyond the intended network, causing routers worldwide to incorrectly route traffic. In the recent Fastly incident, a state telecommunications operator similarly generated BGP messages that hijacked Fastly’s IP address space.
The Role of RPKI in Mitigating Risks
A key distinction between the 2008 incident and the recent event is the implementation of Resource Public Key Infrastructure (RPKI). RPKI is a cryptographically verifiable mechanism that enables networks to publish their routing intentions and validate BGP messages. The adoption of RPKI allows networks to reject invalid BGP messages, thereby reducing the potential for disruption. Fastly actively publishes Route Origin Authorizations (ROAs) for its IP addresses, which empower major carriers and Internet Exchanges to disregard problematic BGP messages. The impact of the recent hijack on Fastly’s traffic delivery was minimal, underscoring the effectiveness of RPKI in mitigating such incidents.
RPKI technology has evolved over the past two decades, maturing from initial concepts into a robust system. The five Regional Internet Registries (RIRs) now offer RPKI certification services as part of their standard offerings. There has been a notable increase in RPKI adoption among major Internet Service Providers (ISPs), Internet Exchanges, and cloud providers since 2020.
Future of Internet Routing and RPKI
The Internet’s routing system relies heavily on voluntary collaboration among numerous organizations, which makes implementing systemic changes a complex challenge. Engineers and scientists continue to work diligently on enhancing the reliability and performance of RPKI. Recognizing the societal benefits of RPKI, the U.S. Government has endorsed its use to address BGP vulnerabilities. RPKI plays a vital role in helping networks maintain proper routing practices and ultimately enhances overall Internet safety and reliability.
Original Source: Read the Full Article Here
