2025
Conference Paper
Title

Stealth BGP hijacks with uRPF filtering

Abstract
Unicast Reverse Path Forwarding (uRPF) is the primary and the standard Source Address Validation (SAV) mechanism to combat IP spoofing and mitigate Denial-of-Service (DoS) and other attacks. However, in this study, we reveal a critical and previously unexplored vulnerability in uRPF that adversaries can stealthily exploit through Border Gateway Protocol (BGP) hijacking. We introduce Stealthy BGP Attack against uRPF (SBA-uRPF), a novel attack vector that leverages prefix hijacking to manipulate uRPF filtering decisions, resulting in the unintended blocking of legitimate traffic and the facilitation of persistent DoS attacks. Due to its hidden nature, SBA-uRPF attacks could pose a significant and persistent security risk.
Through extensive simulation-based analysis, we demonstrate that 99.3% of networks are vulnerable to SBA-uRPF under a full deployment of uRPF, with a potential maximum impact affecting over 59,115 networks (76.3%). Unlike conventional BGP hijacks, which often result in noticeable routing anomalies, SBA-uRPF remains undetectable to the affected networks, making it a particularly dangerous threat. The attack exploits BGP routing loop prevention and customer-preferred routing policies to induce widespread traffic blackholing of victim networks. We show that adversaries can also target fundamental Internet systems, such as DNS, or Internet services, like the web.
Our findings reveal a fundamental weakness in the global routing ecosystem, where a security mechanism designed to prevent attacks can be subverted and turned into an attack vector. We discuss countermeasures, including improvements to BGP security mechanisms such as Route Origin Validation (ROV) and BGPsec. We also consider the challenges in mitigating SBA-uRPF in real-world deployments, and the need for more comprehensive approaches, including solutions involving deployment strategies for uRPF.
Author(s)
Schulmann, Haya  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Zhao, Shujie  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Mainwork
19th USENIX WOOT Conference on Offensive Technologies 2025. Proceedings  
Conference
Conference on Offensive Technologies 2025  
Language
English