The Internet's most broken protocol
The White House finally admits it: our internet's backbone, the Border Gateway Protocol, is a ticking time bomb.
The White House has finally admitted that our country is under attack and we need to secure our border. No, I'm not talking about the northern border to keep Canadians out; I'm talking about the Border Gateway Protocol, one of the fundamental pillars holding up the internet and global economy with duct tape and hope.
Back in 2008, YouTube went down across the entire world, depriving us of Nigahiga for hours, all because some government official in Pakistan messed up a config value when trying to censor the internet. In 2018, Amazon Route 53 DNS traffic was hijacked and wiped out the life savings of a bunch of Crypt Bros. Then, in 2021, yet another misconfiguration took out Facebook and Instagram for multiple hours. The world began to heal, but unfortunately, they fixed it and came back online. On multiple occasions, China and Russia have intercepted US internet traffic. None of these incidents should have ever happened.
In today's video, you'll learn exactly how the Border Gateway Protocol works, why it's broken, and the plan to fix it. It is September 11th, 2024, and you are watching The Code Report. If you're a highly experienced web developer like me, you might be feeling some imposter syndrome for having no idea what the Border Gateway Protocol is. Don't feel bad, though; it's above our pay grade.
You see, the internet is like a Jenga Tower of protocols, and one of the most sketchy pieces in that tower is something called the Border Gateway Protocol. The internet is made up of a collection of networks that work like their own autonomous systems. An ISP, big corporation, or government agency might all have their own networks, and BGP allows them to announce two things: that the network exists and which networks can be reached by them, allowing routers to automatically decide the most efficient path to take. It's almost like the post office of the internet at the global level.
Individual IP addresses get grouped together into prefixes, and then routing tables between autonomous systems are maintained by the Border Gateway Protocol. For example, all the traffic coming out of Verizon routers is one autonomous system, and all the traffic coming from AT&T is another. These networks are all connected together by routes, and this diagram shows how BGP helps them find the most efficient route to take in order to send packets between these networks.
That's all good, but the problem is that this thing was designed 25 years ago, before stranger danger was a thing, and before guys like Hans Gruber warned us of a global cyber attack. For one, it doesn't check to see whether a remote network announcing a traffic path change has the authority to do so, nor does it verify messages exchanged between networks.
The internet's backbone, BGP, runs on outdated "trust me bro" vibes, making it vulnerable to route hijacking and cyber attacks.
BGP (Border Gateway Protocol) helps networks find the most efficient route to send packets between them. However, BGP was designed 25 years ago, before the concept of "stranger danger" and before warnings of global cyber attacks from characters like Hans Gruber. One major issue is that BGP does not verify whether a remote network announcing a traffic path change has the authority to do so, nor does it authenticate messages exchanged between networks. Additionally, it does not check if routing announcements violate business policies between neighboring networks. Essentially, it operates on a "trust me bro" basis.
Normally, you can trust your network peers, but in the event of a route leak, an attacker might redirect traffic to an illegitimate website. For instance, during the Amazon Route 53 attack, users trying to access myetherwallet.com were redirected to a fake website. When they entered their credentials, the attackers stole them and used them on the real website to steal money. This attack functioned similarly to a phishing attack, but the victim did nothing wrong other than visiting a familiar website.
Fortunately, there is a solution in the form of Resource Public Key Infrastructure (RPKI), which cryptographically signs records to associate a BGP route announcement with the correct originating AS number. This prevents accidental or malicious route hijacking. The resource holder creates a signed Route Origin Authorization (ROA) so that network operators can verify the legitimacy of advertised routes. The EU is leading in this area, with 70% of BGP routes having published ROAs, compared to only 39% in the United States.
To try everything Brilliant has to offer for free for 30 days, visit brilliant.org/fireship or scan the QR code for 30% off their premium annual subscription. This has been the Code Report. Thanks for watching, and I will see you in the next one.