IPv4 path manipulation

Attack Pattern

IPv4 path manipulation involves altering the Border Gateway Protocol (BGP) path attributes to maliciously influence routing decisions across the internet. By exploiting BGP’s trust-based nature, attackers can redirect traffic through unauthorised paths, create routing loops, or implement denial-of-service conditions.

1. IPv4 Path Manipulation [OR]

    1.1 AS Path Attribute Manipulation [OR]
    
        1.1.1 AS Path Prepending
            1.1.1.1 Adding fake AS segments to make paths appear longer
            1.1.1.2 Strategic prepending to influence route selection
            1.1.1.3 Multi-hop prepending for extended manipulation
            
        1.1.2 AS Path Shortening
            1.1.2.1 Forging shorter AS paths to attract traffic
            1.1.2.2 Removing legitimate AS segments from paths
            1.1.2.3 Creating fake optimal paths through path truncation
            
        1.1.3 AS Path Poisoning
            1.1.3.1 Inserting non-existent AS numbers
            1.1.3.2 Using reserved or private AS numbers in paths
            1.1.3.3 Creating invalid AS path sequences
            
    1.2 BGP Community Attribute Abuse [OR]
    
        1.2.1 Community-Based Traffic Engineering
            1.2.1.1 Manipulating traffic flow using community attributes
            1.2.1.2 Exploiting provider-specific community meanings
            1.2.1.3 Unauthorised use of no-export and other communities
            
        1.2.2 Blackhole Community Manipulation
            1.2.2.1 Illegitimately tagging routes with blackhole communities
            1.2.2.2 Creating denial-of-service through route blackholing
            1.2.2.3 Exploiting provider blackhole infrastructure
            
        1.2.3 QoS Community Exploitation
            1.2.3.1 Manipulating quality of service through communities
            1.2.3.2 Priority manipulation for traffic classes
            1.2.3.3 Bandwidth allocation abuse
            
    1.3 MED (Multi-Exit Discriminator) Manipulation [OR]
    
        1.3.1 MED Attribute Forgery
            1.3.1.1 Setting artificial MED values to influence path selection
            1.3.1.2 Exploiting MED comparison rules between different ASs
            1.3.1.3 Creating preferential exit point selection
            
        1.3.2 MED-Based Traffic Steering
            1.3.2.1 Redirecting traffic to specific interconnection points
            1.3.2.2 Manipulating inbound traffic engineering
            1.3.2.3 Exploiting multi-homed network configurations
            
    1.4 Next-Hop Manipulation [OR]
    
        1.4.1 Next-Hop Attribute Spoofing
            1.4.1.1 Forging next-hop addresses to redirect traffic
            1.4.1.2 Using unreachable next-hops for blackholing
            1.4.1.3 Creating routing loops through next-hop manipulation
            
        1.4.2 Third-Party Next-Hop Abuse
            1.4.2.1 Specifying unauthorised third-party next-hops
            1.4.2.2 Exploiting next-hop-self configurations
            1.4.2.3 Using next-hop to bypass security policies
            
    1.5 Origin Attribute Manipulation [OR]
    
        1.5.1 Origin Type Forgery
            1.5.1.1 Changing origin attribute from IGP to EGP or INCOMPLETE
            1.5.1.2 Exploiting origin type preferences in path selection
            1.5.1.3 Manipulating route authenticity through origin changes
            
        1.5.2 False Origin AS Claims
            1.5.2.1 Claiming origin from unauthorized AS numbers
            1.5.2.2 Using hijacked or revoked AS numbers
            1.5.2.3 Origin spoofing for false attribution
            
    1.6 Weight and Local Preference Abuse [OR]
    
        1.6.1 Local Preference Manipulation
            1.6.1.1 Illegitimately setting high local preference values
            1.6.1.2 Influencing outbound traffic flow through local pref
            1.6.1.3 Creating routing inconsistencies within AS
            
        1.6.2 Weight Attribute Exploitation
            1.6.2.1 Manipulating Cisco-specific weight attribute
            1.6.2.2 Creating preferred paths through weight manipulation
            1.6.2.3 Bypassing normal BGP decision process
            
    1.7 Route Reflection Manipulation [OR]
    
        1.7.1 Rogue Route Reflector
            1.7.1.1 Compromising route reflector infrastructure
            1.7.1.2 Injecting malicious routes through reflectors
            1.7.1.3 Exploiting reflector cluster configurations
            
        1.7.2 Reflection Path Manipulation
            1.7.2.1 Altering paths through reflector hierarchies
            1.7.2.2 Creating routing inconsistencies via reflection
            1.7.2.3 Exploiting reflection for path hiding
            
    1.8 Aggregation and Deaggregation Attacks [OR]
    
        1.8.1 Route Aggregation Abuse
            1.8.1.1 Creating overly broad aggregate announcements
            1.8.1.2 Aggregating unauthorised prefixes
            1.8.1.3 Using aggregation to hide more specific routes
            
        1.8.2 Deaggregation Attacks
            1.8.2.1 Announcing deaggregated routes for hijacking
            1.8.2.2 Creating route fragmentation through deaggregation
            1.8.2.3 Exploiting deaggregation for traffic interception

Why it works

  • Trust-Based Protocol: BGP operates on mutual trust between peers without inherent authentication

  • Attribute Flexibility: BGP’s extensive attribute set provides multiple manipulation vectors

  • Global Scale: Internet routing complexity makes detection difficult

  • Slow Convergence: BGP’s slow convergence allows malicious paths to persist

  • Implementation Variability: Different vendor implementations handle attributes inconsistently

  • Limited Validation: Many networks lack comprehensive path validation mechanisms