Rootways of the World Tree (@Internet)¶
In the intricate network of the internet, BGP and MP-BGP serve as the deep-rooted pathways, connecting diverse networks across the digital landscape. These protocols, while essential for data routing, are susceptible to various vulnerabilities. Through direct manipulations like prefix hijacking and indirect exploits via other protocols, these roots can be compromised, leading to potential disruptions.
Branching far and wide
- Transmission Control Protocol (TCP)
- Attack tree (TCP)
- Exploit TCP stack on BGP router
- BGP session manipulation
- Man-in-the-middle BGP sessions
- Protocol-level TCP attacks
- Off-path & side-channel attacks
- Cloud/middlebox-specific attacks
- AI/ML-enhanced TCP attacks
- BGP + TCP stack exploitation
- Session integrity attacks
- Network infrastructure attacks
- Advanced persistence mechanisms
- Multi-vector BGP/TCP compromise
- AI-powered TCP/BGP attacks
- Supply chain compromise
- Disclaimer
- Internet Protocol (IPv4 and IPv6)
- Internet Protocol version 4 (IPv4) notes
- Internet Protocol version 6 (IPv6) notes
- Attack tree (IPv4 and IPv6)
- IP fragmentation (IPv4)
- ICMP abuse (IPv4)
- ARP apoofing/poisoning (IPv4)
- NAT abuse (IPv4)
- SLAAC & RA attacks (IPv6)
- NDP Exploitation (IPv6)
- IPv6 Extension header abuse
- Dual-stack attacks (IPv4 and IPv6)
- IP Spoofing & DDoS Amplification
- BGP hijacking & route leaks
- TTL expiry attacks
- Geolocation spoofing
- Disclaimer
- Border Gateway Protocol (BGP and MP-BGP)
- Border Gateway Protocol (BGP) notes
- Multiprotocol BGP (MP-BGP) notes
- Attack tree (BGP and MP-BGP)
- IPv4 prefix hijacking
- IPv4 path manipulation
- IPv4 infrastructure attacks
- Multiprotocol label switching (MPLS) attacks (MP-BGP)
- Address family exploitation (MP-BGP)
- MP-BGP session attacks
- RPKI infrastructure attacks
- DDoS amplification attacks
- Cryptographic attacks on routing protocols
- BGP and DNS infrastructure attacks
- BGP + CDN/Cloud infrastructure attacks
- AI-powered BGP attacks
- Disclaimer
- Internet Control Message Protocol (ICMP)
- Overview attacks on ICMP
- ICMP Echo sweeping (Ping sweep)
- TTL manipulation for OS fingerprinting
- ICMP-based service discovery
- ICMP tunnelling for data exfiltration & covert channels
- Fragmented ICMP exfiltration techniques
- DNS-over-ICMP (C2) covert channels
- ICMP flood attacks
- ICMP amplification attacks
- Ping of Death (Modern variants)
- NAT/Firewall bypass techniques
- Lateral movement via ICMP
- ICMPv6 router advertisement spoofing
- ICMP side-channel attacks
- IoT/OT device crashes via ICMP
- Cloud metadata service abuse via ICMP
- Adaptive evasion techniques
- Autonomous attack systems
- Forensic evasion techniques
- Security control bypass techniques
- Disclaimer
- Domain Name System (DNS)
- Internet Protocol Security (IPsec)
- Internet Protocol Security (IPsec) protocol notes
- Attack tree (IPsec)
- Cryptographic attacks
- Key management attacks
- IPsec implementation flaw attacks
- Protocol downgrade attacks
- Security Association manipulation attacks
- Identity spoofing attacks
- Memory corruption attacks
- Resource exhaustion attacks
- Configuration bypass attacks
- Disclaimer
- Border Gateway Protocol Security (BGPsec)
Why is hacking the messenger routing protocol attractive for Guild hackers?¶
Or, Why is hacking BGP attractive for nation state hackers?
Because BGP is the rickety Victorian plumbing of the internet. It is still doing the job, but full of leaky joints, no authentication by default, and everyone pretending it is fine until the pipes burst. It can give:
Global control with local action: With one bad advertisement, you can reroute huge swathes of internet traffic. A single ISP fat-fingering (or a state actor deliberately injecting) a prefix hijack can drag banking, comms, or government traffic through your chosen path. Instant man-in-the-middle at internet scale.
Weak authentication: BGP was built in a world where ISPs all “trusted each other” (cue laughter). There is no native, strong cryptographic verification of route announcements. RPKI and BGPsec exist but are patchy, uneven, and often optional. Attackers thrive in that gap.
Plausible deniability: BGP “oopsies” happen all the time. If a nation state wants to reroute EU traffic through Moscow for an hour, they can always blame “misconfiguration.” It muddies attribution.
Data interception and manipulation: Once traffic flows through your infrastructure, you can passively collect intelligence, insert malicious payloads, downgrade encryption, or just quietly observe who talks to whom. It is surveillance catnip.
Disruption without bombs: You can blackhole services (make them unreachable) or split-brain whole regions. Knocking out banking, cloud services, or critical infrastructure via routing games is cleaner than a cyber-kinetic strike and less likely to trigger Article 5.
Geopolitical leverage: States can pressure or co-opt ISPs within their borders to play along. This makes BGP manipulation easier than, say, directly hacking every target. It scales.
In short: it is global, fragile, and central to everything.
Disclaimer¶
An attack tree is structural, not operational. It exists in the comfortable world of pure logic, where things either work or they don’t, gates either open or stay closed, and time is merely a dimension I/you/we draw an arrow along.
It’s comprehensive. It has branches for sub-prefix hijacking, exact-prefix hijacking, squatting attacks, path manipulation, and several dozen other variations. Each node connects logically to its children. The structure is clean.
Until someone takes a tree seriously enough to ask but what would this actually *look* like?