
I am the operator of a public service which runs on an OVH VPS.

Recently I was contacted by an anonymous contact, who suggested that the service was BGP-hijacked and some sensitive info of users may have been leaked (although all passwords, even if leaked, should be SCRAM'd).

Am I able to do anything to prevent BGP hijacking in the future?

2 Answers


Am I able to do anything to prevent BGP hijacking in the future?

As a client of OVH, you cannot prevent BGP hijacking -- this is more the responsibility of OVH's network administrators. However, you may be able to mitigate the risk by using appropriate security on your network services. For instance, if you are running a web site on your VPS, you can (and should) use TLS to protect traffic to your site.

  • If you successfully hijack a BGP prefix, you could then request an SSL certificate for it using services like Let's Encrypt. So the protection there is minimal, unless you'd combine it with DANE (and people would actively check for those records). – Teun Vink Mar 26 '18 at 22:23
  • @TeunVink I wouldn't say the protection is _minimal_. Issuing a TLS certificate takes more time than simply intercepting requests, and leaves a trail in CT logs. And even that risk can be mitigated using CAA records. –  Mar 26 '18 at 23:40
  • Well, seems like I need to research DANE and CAA, thanks for the tip. The server does have a website with a good encryption by the way. – Neurotransmitter Mar 27 '18 at 08:42
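The CAA mitigation raised in the comments above, as an added example that is not part of any answer or comment: it evaluates CAA records the way a CA must under RFC 8659 (climb the name towards the root to find the relevant RRset, then apply `issue`/`issuewild`), so an operator can check offline that a zone really does restrict which CAs may issue for it. The zone contents are constructed sample data, not real DNS.

```python
# Added example: RFC 8659 CAA evaluation over a constructed in-memory zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # issuer domain plus optional params, e.g. "letsencrypt.org"; ";" means nobody


def relevant_caa_set(name: str, zone: dict) -> list:
    """RFC 8659 s.3: the CAA RRset of the name itself, else of its closest ancestor (down to the TLD)."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def _issuer_domain(value: str) -> str:
    # The issuer domain is everything before the first ';'; parameters follow it.
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, ca: str, zone: dict) -> bool:
    """Return True if CA `ca` may issue a certificate for `name` (wildcards as '*.example.com')."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                                   # no CAA anywhere above: no restriction
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False                                  # critical tag the CA does not understand
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                                   # RRset present but no issuance properties
    return any(_issuer_domain(r.value) == ca.lower() for r in applicable)


# Constructed sample zone: only Let's Encrypt may issue, wildcards are forbidden,
# and one hostname is locked down completely.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "otherca.example"),
                     ("*.example.com", "letsencrypt.org"), ("locked.example.com", "letsencrypt.org")]:
        print(f"{ca:>18} -> {host:<20} permitted={issuance_permitted(host, ca, ZONE)}")
```

CAA only helps when the issuing CA honours it (publicly trusted CAs are required to), so pair it with watching CT logs for unexpected certificates on your names.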

While you cannot prevent BGP hijacking as a mere owner of an IP, you can improve your ability to detect it. There are various network monitoring services which monitor the routing behavior and compare the observed behavior with the correct behavior of multiple routers that are relevant to the IP which you want to protect. These services can alert you when such an attack is suspected.

A few examples of such services are Cyclops, Routeviews, and BGPmon.

forest