Deutsche Telekom Global Carrier
News Pages

Deutsche Telekom filters out BGP hijackers

Interview with Matthias Maurer, Head of Product Management Internet & Content at Deutsche Telekom ICSS

Q: First of all, it would be good if you could tell us in simple terms what BGP is.
A: Sure. BGP stands for Border Gateway Protocol. It determines the best routes for data to take between Autonomous Systems (AS), which are networks of routers that work together and are independently operated. Autonomous Systems are made up of a collection of IP prefixes and are given a number by the Internet Assigned Numbers Authority (IANA). For example, a primary AS number of Deutsche Telekom is AS3320. AS3320 announces hundreds of its own prefixes, together with the prefixes of our customers, we count around hundreds of thousands, and within the prefixes are individual IP addresses – such as the one you or I have been given from our provider. BGP is a very important part of internet communication, so hijacking or manipulating it is a serious breach that can have wide-reaching consequences.

Q: How does someone hijack the BGP protocol and why is it dangerous?
A: It can happen like this: A criminal configures an edge router to state that it has been assigned certain prefixes – which is in the case of hijacking not true. However, if the prefix is unused, this manipulation may not be noticed. Or, if the route the hijacker uses seems to be shorter, traffic could be rerouted to them. If traffic goes to an organization it is not meant for, there can be a lot of damage done.

These kinds of crimes are employed by organizations such as governments to, for example, obtain information it would otherwise not have access to. Or, to redirect traffic for monetary gains, like what happened in 2014 when an attack took about $83,000 worth of cryptocurrency from a bit-mining server.

Q: But if the protocol doesn’t require verification of routing information, it sounds like it can be a free-for-all for criminals. What is Deutsche Telekom doing to stop this?
A: We are making sure the routes of our customers are correctly registered and ensuring that the prefixes they announce really belong to them. In the end, we build filters of officially known information from Internet Registries to make sure that we only accept prefixes from legitimate partners.
In addition, we have been a driving force behind the Resource Public Key Infrastructure (RPKI) framework. This assigns the IP prefixes of Autonomous Systems with cryptographic resource certificates. These are called Route Origination Authorization (ROA), and they contain lists of IP prefixes with AS owners.

Q: How have your clients reacted to what sounds like a very strict policy?
A: At first there was some opposition, but as the industry began to point out the benefits for everyone the opposition quickly ended. These days our customers understand the part they play in ensuring the BGP protocol is safe and they see documentation as a useful obligation. Industry-wide cooperation will be the only solution for BGP hijacking.

Related Link:
Internet & Content

Go back

Sorry, your browser is not up to date

To enjoy ICSS you will need to install a modern browser.
We recommend to update your browser and to install the latest version.

iOS users, please make sure you're running at least iOS 9.

Mozilla Firefox Google Chrome Internet Explorer
Privacy Settings
This website uses cookies and similar technologies. These are small text files that are stored and read on your computer. By clicking on "Accept all", you accept the processing, the creation of individual user profiles across websites and partners, and the transfer of your data to third parties, some of whom process your data in countries outside the European Union (DSGVO Art. 49). Details can be found in section 3 of the privacy information. The data is used for analysis, retargeting and for playing out personalized content and advertising on Telekom sites and third-party sites. Further information, including information on data processing by third-party providers and the possibility of revocation, can be found in the settings and in our privacy information. Here you can continue only with the necessary tools.
Privacy Settings
In order to provide you with an optimal website experience, we use cookies. These include cookies for the operation and optimization of the site as well as for services such as text or video chat and for advertising based on your online usage behavior. This allows us, for example, to detect if you visit our pages repeatedly from the same device. We would like to give you the choice which cookies you allow:
Required cookies
These cookies are required to enable you to navigate through the websites and use key functions.
They support basic functions, such as order processing in the online shop and access to secured areas of the web page. They also serve the purpose of performing an anonymous analysis of user patterns, which we use to continuously develop and improve our web pages for you.
Find out more
Analytical cookies
These cookies help us to improve our understanding of user behavior.
Analysis cookies allow for the compilation of usage and identification data by the original provider or third party providers into pseudonymous usage profiles. We use analysis cookies e.g. to determine the number of individual visitors to a web page or a service, to collect statistical data on the performance of our products and to analyze the visitors’ usage patterns and visitor interactions on the basis of anonymous and pseudonymous information. This information cannot be traced back to a person.
Find out more
Privacy Settings