The Internet is not one, homogeneous network. It is made up of various independent networks that are linked together. When traffic is flowing over the Internet, it will likely need to pass through multiple independent networks. The role of the Border Gateway Protocol (BGP) is to help identify a route for that traffic to move efficiently from source to destination.
The Internet is a network of smaller networks, each of which is a large pool of routers run by a single organization. These smaller networks, called Autonomous Systems (AS), may be Internet Service Providers (ISPs) or other large organizations: companies, government agencies, campuses, etc.
Each AS is assigned a unique Autonomous System Number (ASN), which is a number that identifies the AS. An AS directly connects users to the Internet and provides connectivity or routes between other Autonomous Systems. When a network packet is being routed over the Internet, it can likely follow a variety of paths taking advantage of different links between ASes. Ideally, it will select the shortest route; however, this is a difficult task when there are thousands of ASes, and the map of the Internet shifts constantly.
This is why BGP is an important part of how the Internet functions. Via BGP, ASes can advertise potential routes to various IP addresses or ranges, enabling routers to identify the most efficient route for a packet to take.
Each AS in the Internet is directly connected to a set of endpoints that likely sit within a certain IP address range. In BGP, each Autonomous System is responsible for collecting routing information and communicating it to its peers (the ASes that it is directly connected with) as network prefix announcements. For example, an AS will advertise that it is directly connected to certain IP addresses, is one hop away from others, and so on. Since every AS will communicate the routing information that it has received with its peers, this information will eventually percolate through the entire network. As a result, an AS will learn network prefixes even for ASes that it is not directly connected to.
With network prefix and hop information, an AS can then determine the best route to send traffic over the Internet. While multiple potential routes exist for each IP address, the AS will have the information required to make the best decision based on its core criteria, such as speed, reliability, cost, and other factors.
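The propagation described above can be traced in a small simulation. This is an added example, not code from the original page or from any BGP implementation; the topology, the documentation ASNs and prefixes, and the `propagate` function are constructed for illustration, and route choice is reduced to shortest AS path only.

```python
from collections import deque

# Constructed topology: documentation ASNs and which ASes peer with each other.
PEERS = {
    64496: [64497, 64498],
    64497: [64496, 64499],
    64498: [64496, 64499],
    64499: [64497, 64498, 64500],
    64500: [64499],
}
# Prefixes each AS is directly connected to (documentation address ranges).
ORIGINATED = {64496: ["192.0.2.0/24"], 64500: ["203.0.113.0/24"]}


def propagate(peers, originated):
    """Return {asn: {prefix: as_path}} once announcements stop changing.

    as_path lists the ASes to traverse, nearest first, origin last.
    An empty path means the prefix is directly connected.
    """
    tables = {asn: {} for asn in peers}
    queue = deque()
    for asn, prefixes in originated.items():
        for prefix in prefixes:
            tables[asn][prefix] = []
            queue.append((asn, prefix))
    while queue:
        sender, prefix = queue.popleft()
        # The sender prepends its own ASN before announcing to each peer.
        path = [sender] + tables[sender][prefix]
        for peer in peers[sender]:
            if peer in path:
                continue  # loop prevention: peer's ASN is already in the path
            best = tables[peer].get(prefix)
            if best is None or len(path) < len(best):
                tables[peer][prefix] = path
                queue.append((peer, prefix))  # peer re-announces its new best
    return tables


if __name__ == "__main__":
    for asn, routes in sorted(propagate(PEERS, ORIGINATED).items()):
        for prefix, path in sorted(routes.items()):
            print(f"AS{asn} -> {prefix}: path {path or 'direct'}")
```

AS64496 and AS64500 are not peers, yet each ends up with a three-hop route to the other's prefix, learned entirely from what its neighbors passed along.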
Often, discussions and applications of BGP refer to external BGP (eBGP). This involves using the protocol to identify potential routes for traffic to take between Autonomous Systems over the public Internet.
However, nothing about the underlying protocol makes it usable only for cross-AS traffic. An AS may elect to use BGP to route traffic within its network, a practice referred to as internal BGP (iBGP). The uses of internal and external BGP are independent of one another. While external BGP is used on the Internet, an AS can choose from several protocols for internal routing.
BGP is one of the foundational protocols that make the Internet work. However, like many of these protocols, it can be vulnerable to attack or abuse.
BGP Hijacking
BGP largely works on the honor system. An AS advertises the network prefixes that it is directly connected to and its routes to other areas of the Internet. However, other ASes have limited means for verifying the accuracy of this information. In the past, some ASes have accidentally published incorrect network prefixes, which can increase network latency or make parts of the Internet inaccessible to other users.
This can also be done intentionally, a practice called BGP hijacking. A BGP hijacker can route Internet traffic through itself to carry out various attacks. For example, a BGP hijacker could perform a denial of service (DoS) attack by routing traffic through their systems and dropping connections. Alternatively, BGP hijacking has also been used in DNS hijacking attacks, where the attacker has redirected DNS queries and sent fake responses directing users to phishing sites.
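Because peers cannot verify an announcement on their own, a network operator can watch for announcements of its own address space that carry an unexpected origin. The check below is an added example, not from the original page or any Check Point product; the inventory, the observed feed, the ASNs and the function names are all constructed, and a real deployment would read announcements from a route collector or monitoring feed.

```python
import ipaddress

# Constructed inventory: prefixes we originate and the ASN expected as origin.
EXPECTED = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64496}

# Constructed feed of observed announcements: (prefix, AS path with origin last).
OBSERVED = [
    ("192.0.2.0/24", [64499, 64497, 64496]),   # expected origin
    ("192.0.2.0/24", [64499, 64511]),          # same prefix, different origin
    ("198.51.100.128/25", [64498, 64511]),     # more-specific, different origin
    ("198.51.100.0/25", [64497, 64496]),       # more-specific, expected origin
    ("203.0.113.0/24", [64499, 64500]),        # not our address space
]


def check_announcement(prefix, as_path, expected):
    """Classify one announcement against the expected-origin inventory."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for known, asn in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version or not net.subnet_of(known_net):
            continue
        # Routers prefer the longest matching prefix, so a more-specific
        # announcement attracts traffic even while the covering route exists.
        more_specific = net.prefixlen > known_net.prefixlen
        if origin != asn:
            return "SUBPREFIX_ORIGIN_MISMATCH" if more_specific else "ORIGIN_MISMATCH"
        return "UNEXPECTED_MORE_SPECIFIC" if more_specific else "OK"
    return "NOT_MONITORED"


def audit(observed, expected):
    """Return (prefix, origin ASN, verdict) for every observed announcement."""
    return [(p, path[-1], check_announcement(p, path, expected))
            for p, path in observed]


if __name__ == "__main__":
    for prefix, origin, verdict in audit(OBSERVED, EXPECTED):
        print(f"{prefix:<20} origin AS{origin:<6} {verdict}")
```

The same check catches accidental misannouncements and deliberate ones alike, since both look identical from the outside: a monitored prefix arriving with the wrong origin.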
DDoS Attacks
BGP works by having ASes publish routing information to their peers. These ASes process the information, update their internal tables, and pass the information on to their peers. This creates the opportunity for a Distributed DoS (DDoS) attack. The attackers create a fake advertisement that an AS is looking for updated routing information, causing a flood of traffic and data that can overwhelm the system.
BGP is a fundamental part of how the Internet works. Organizations can use BGP for routing both internally and externally. Gaia, the built-in operating system for Check Point next-generation firewalls (NGFWs), has integrated support for BGP and other dynamic routing protocols. BGP is also a core component of Check Point’s DDoS Protector. With BGP, Check Point can seamlessly route traffic to scrubbing centers to filter DDoS traffic and prevent an organization from being overwhelmed by an adversary.