Network Layer Protocol (IPv4 or IPv6)

BGP runs over IP (Internet Protocol). It can operate over both IPv4 (traditional BGP) and IPv6 (MP-BGP for multiprotocol support).

Attack tree: Compromise Internet Protocol (IP)

1. Initial Access [OR]

    1.1 Phishing & Social Engineering [OR]
    
        1.1.1 Spear Phishing (PDF/Excel malware)
        
        1.1.2 Business Email Compromise (BEC) with deepfake audio/video
        
        1.1.3 LinkedIn/Twitter impersonation for credential theft
        
    1.2 Exploiting Cloud Misconfigurations [OR]
    
        1.2.1 Exposed S3 buckets (AWS) or Azure Blob Storage
        
        1.2.2 Misconfigured GitHub/GitLab repos (API keys, credentials)
        
    1.3 Supply Chain Attacks [OR]
    
        1.3.1 Dependency confusion (malicious npm/PyPi packages) (2021)
        
        1.3.2 Compromised SaaS vendors (SolarWinds-style attacks)

2. Lateral Movement & Privilege Escalation [AND]

    2.1 Exploiting Zero-Day Vulnerabilities [OR]
    
        2.1.1 RCE in enterprise VPNs (Pulse Secure, Citrix CVE-2023-3519)
        
        2.1.2 Windows/Linux privilege escalation (Dirty Pipe, Log4Shell)
        
    2.2 Cloud Identity Attacks [OR]
    
        2.2.1 OAuth token hijacking (Microsoft/Azure AD)
        
        2.2.2 Shadow API abuse (undocumented cloud APIs)

3. Data Exfiltration [AND]

    3.1 Encrypted Exfiltration [OR]
    
        3.1.1 DNS tunneling (DoH/DoT for stealth)
        
        3.1.2 Legitimate cloud services (Dropbox, Google Drive, Slack)
        
    3.2 Insider Threats [OR]
    
        3.2.1 Rogue employees using USB exfiltration (Rubber Ducky attacks)
        
        3.2.2 Compromised contractors with excessive access

4. Persistence & Evasion [OR]

    4.1 Fileless Malware [OR]
    
        4.1.1 PowerShell/Cobalt Strike in-memory execution
        
        4.1.2 Linux rootkits (Symbiote, 2022)
        
    4.2 Cloud Backdoors [AND]
    
        4.2.1 Malicious Lambda functions (AWS)
        
        4.2.2 Hidden service accounts in Google Workspace

5. Counter-Forensics [OR]

    5.1 Log Manipulation [OR]
    
        5.1.1 SIEM poisoning (fake logs)
        
        5.1.2 Deleting AWS CloudTrail logs
        
    5.2 AI-Assisted Evasion [AND]
    
        5.2.1 AI-generated fake traffic (mimicking normal behaviour)
        
        5.2.2 Deepfake video calls to bypass MFA (2023+)

IP spoofing & DDoS amplification

Attack Pattern: Attackers forge source IP addresses to launch reflection/amplification attacks (e.g., using UDP-based protocols like DNS, NTP, or even TCP middlebox abuse).

Example (2022): The “APT28 TCP Amplification DDoS” abused misconfigured firewalls and load balancers to reflect SYN-ACK packets, generating multi-Tbps attacks against Ukrainian and Western targets.

Why It Works: Many networks still allow source IP spoofing due to weak BCP38 (anti-spoofing) enforcement.

Mitigation

  • Network-level filtering (BCP38/84) to block spoofed packets.

  • Cloud-based DDoS scrubbing (AWS Shield, Cloudflare Magic Transit).

BGP hijacking & route leaks

Attack Pattern: Attackers manipulate BGP routing to redirect traffic through malicious networks for interception or DoS.

Examples:

  • 2021: Russian ISP “DDoS-Guard” hijacked Western financial traffic.

  • 2023: A Chinese state-linked group rerouted US military traffic through China Telecom.

Why It Works: BGP lacks cryptographic authentication, making route manipulation easy.

Mitigation

  • RPKI (Resource Public Key Infrastructure) for route origin validation.

  • BGP monitoring (e.g., Cloudflare Radar, BGPMon).

IP fragmentation attacks (Teardrop, Ping of Death Revisited)

Attack Pattern: Exploiting fragmentation reassembly flaws in network stacks to crash systems.

Example (2023): A variant of Ping of Death resurfaced in IoT devices, causing kernel panics in Linux-based systems.

Why It Works: Some devices still mishandle overlapping fragments or malformed packets.

Mitigation

  • Patch systems (e.g., Linux net.ipv4.ipfrag_high_thresh tuning).

  • Stateful firewalls to drop malicious fragments.

ICMP ause (Smurf, flooding, covert channels)

Attack Pattern

  • ICMP floods (e.g., Smurf attacks) or ICMP tunneling for data exfiltration.

  • Example (2022): A Russian APT group used ICMP tunnels to bypass network monitoring in a cyber-espionage campaign.

Why It Works: Many networks allow unrestricted ICMP for diagnostics.

Mitigation

  • Rate-limiting ICMP at network edges.

  • Deep Packet Inspection (DPI) to detect tunneling.

IPv6 exploitation (Flooding, SLAAC attacks)

Attack Pattern

  • IPv6 DDoS: Attackers abuse large IPv6 neighbor discovery (ND) packets to overwhelm routers.

  • SLAAC Attacks: Spoofing IPv6 router advertisements (RAs) to hijack traffic.

Example (2023): A Mirai-variant botnet launched IPv6-based floods against ISPs.

Why It Works: Many networks lack IPv6 security controls.

Mitigation

  • RA Guard to block rogue IPv6 advertisements.

  • IPv6-specific DDoS protections (e.g., AWS Shield Advanced).

TTL expiry attacks (Resource exhaustion)

Attack Pattern: Attackers send packets with low TTL values, forcing routers to generate ICMP Time Exceeded messages, overwhelming infrastructure.

Example (2024): A cryptocurrency exchange was hit by a TTL-based attack, disrupting API services.

Why It Works: Many networks don’t rate-limit ICMP responses.

Mitigation

  • Rate-limiting ICMP Time Exceeded messages.

  • Filtering packets with TTL=1 at the edge.

Geolocation spoofing (Evasion & Censorship bypass)

Attack Pattern: Attackers fake IP geolocation to bypass geo-blocks or evade detection.

Example (2023): A ransomware group used cloud proxies to mask origins as legitimate US IPs.

Why It Works: Many geo-IP databases are outdated.

Mitigation

  • Strict ASN-based filtering (e.g., only allow traffic from known cloud providers).

  • behavioural analysis (unusual traffic patterns from “legit” IPs).

  • BGP Hijacking Remains Critical: State-sponsored groups abuse BGP for espionage.

  • IPv6 Attacks Rising: As adoption grows, so do IPv6-specific exploits.

  • Cloud & IoT Are Prime Targets: Attackers exploit weak default configurations.

  • Low-TTL & ICMP Attacks Resurging: Old tricks are being modernized.

Defence recommendations

For Networks:

  • Deploy RPKI + BGP monitoring.

  • Enforce strict anti-spoofing (BCP38).

  • Rate-limit ICMP & TTL expiry packets.

For Enterprises:

  • Use DDoS-protected cloud services.

  • Patch IP stack vulnerabilities (e.g., Linux kernel updates).

For Governments/Critical Infra: Mandate BGP security (MANRS compliance).

Emerging tech

  • Confidential Computing (for example Intel SGX, Azure Confidential VMs) to protect IP in use.

  • Post-Quantum Cryptography Prep (NIST’s CRYSTALS-Kyber for future-proofing).

Last update: 2025-07-28 11:18