Part 1: Link Layer Attacks
Part 2: Network Layer Attacks
Part 3: Transport Layer Attacks
Part 4: DNS Attacks
Part 5: DDoS Attacks
Network Layer: Routing and Misdirection
The Network layer determines how traffic travels from a source to a destination across multiple networks. This layer is where the Internet Protocol (IP) operates, along with routing protocols that let routers share information about network topology.
Because these protocols were built for cooperation, not security, they contain serious trust assumptions. Attacks here can misdirect traffic, intercept communications, or disconnect large parts of the Internet.
Router Vulnerabilities
Routers are the backbone of the network. They forward traffic toward its destination using routing tables that map IP address ranges to next hops. Compromised routers can misroute, intercept, or drop large volumes of traffic.
A router is a special-purpose computer. It runs an operating system, has administrative interfaces, and often provides other services such as Network Address Translation (NAT), DNS, or time synchronization. Like any computer, it can be attacked.
Denial-of-Service (DoS) Attacks
Routers have limited processing and memory resources. An attacker can overwhelm a router by sending large volumes of packets or malformed routing protocol messages that require CPU-intensive handling.
When overloaded, routers start to drop packets, making entire subnets or organizations unreachable. If a border router is affected, the result can be a complete outage for that network.
Route Table Poisoning
Some attacks inject false routing information into a router’s tables. If an attacker gains management access, they can modify routes directly. If they can exploit routing protocols, they may trick routers into learning fake paths.
This can redirect traffic through the attacker (a large-scale man-in-the-middle) or send it into non-existent “black holes,” causing denial of service.
Insecure Configurations
Many routers are shipped with default credentials such as admin/admin or root/password. Attackers can find these easily. Entire websites catalog them, such as portforward.com, router-network.com, and routerpasswords.com.
If administrators do not change defaults, any attacker who knows (or can guess) the model of the router can log in remotely. Leaving the management interface exposed to the Internet or failing to apply firmware updates adds further risk.
Defense Against Router Attacks
- Change default credentials and enforce strong authentication.
- Restrict management access to internal or trusted networks only.
- Apply firmware updates regularly to patch known vulnerabilities.
- Disable unnecessary services such as Telnet, UPnP, or HTTP management.
- Monitor routing changes and alert on unusual configuration updates.
The Mirai botnet, which we discussed in the malware lecture, showed how widespread these weaknesses are. Mirai scanned for devices with default credentials, compromised hundreds of thousands of routers, and launched massive distributed denial-of-service (DDoS) attacks.
BGP Hijacking: Misdirecting Internet Traffic
The Internet is a network of networks. Each network is called an Autonomous System (AS) and is managed by an Internet Service Provider (ISP), a company, or a large organization. Autonomous Systems exchange routing information using the Border Gateway Protocol (BGP).
BGP tells other networks which IP address ranges an AS can reach and how to get there. Unfortunately, BGP has no built-in authentication, so routers accept route announcements on trust.
How BGP Route Selection Works
BGP determines the best path when multiple routes exist for the same destination. It applies a series of rules:
- Prefer more specific prefixes: A route to 192.0.2.0/25 (a 25-bit network prefix leaves 32 - 25 = 7 host bits, so 128 addresses) is preferred over 192.0.2.0/24 (256 addresses), even if it takes a longer path. This rule allows attackers to attract traffic simply by advertising a smaller subnet.
- AS path length: Among routes of equal specificity, shorter paths (fewer ASes) are preferred.
- Other tie-breakers: If two routes are still equally good, routers look at secondary settings such as local preference or which connection seems more direct, and pick one based on those rules.
Because of this decision process, a malicious AS can override legitimate routes by announcing a more specific prefix. Without authentication, other networks have no way to verify who truly owns that address range.
What is a BGP hijack?
A BGP hijack occurs when a network—accidentally or intentionally—announces IP address ranges it does not control. Other routers believe the announcement and start sending traffic to the hijacker.
Once traffic arrives, the attacker can:
- Black hole it: Drop all packets, causing a denial of service.
- Intercept and forward it: Capture traffic before relaying it to the real destination (a large-scale man-in-the-middle).
- Impersonate services: Host fake servers that appear legitimate to users.
Case Study: Pakistan Telecom and YouTube (2008)
Pakistan Telecom tried to block YouTube within Pakistan by advertising a more specific route (208.65.153.0/24) for YouTube’s IP addresses, which were normally announced as a /22.
That advertisement was forwarded throughout the global Internet. Because routers worldwide preferred the more specific /24, nearly all YouTube traffic was rerouted to Pakistan Telecom. The result: a worldwide YouTube outage for several hours.
This was not a deliberate attack but a configuration mistake that demonstrated BGP’s fragility. A single incorrect announcement from one AS can disrupt the global Internet.
Case Study: KLAYswap Cryptocurrency Theft (2022)
In February 2022, attackers hijacked routes to a content delivery network used by KLAYswap, a Korean cryptocurrency exchange. Users were redirected to malicious servers hosting fake versions of the web app. The attackers served modified JavaScript that stole credentials and cryptocurrency keys, leading to losses of about $1.9 million.
The attack lasted only a few hours but showed that BGP hijacking can be used not just for denial of service but for theft and fraud when combined with phishing and DNS manipulation.
Defending Against BGP Hijacking
Because BGP relies on trust, defenses add external validation layers and monitoring systems. None of these solutions is perfect, but together they make hijacking harder.
RPKI: Proving Route Ownership
The Resource Public Key Infrastructure (RPKI) system provides cryptographic proof of which Autonomous System is authorized to announce specific IP address ranges.
RPKI uses the same principles we saw with digital certificates and signatures.
- Each Regional Internet Registry (RIR), such as ARIN or RIPE, acts as a certificate authority for the address blocks it allocates.
- An organization that owns an IP block creates a Route Origin Authorization (ROA) stating which AS is allowed to announce it.
- The ROA is digitally signed with the organization’s private key and can be verified with its public certificate.
- Routers that support RPKI validation check incoming BGP announcements against the ROA database.
- If an AS announces a prefix not authorized by a valid ROA, routers can reject or de-prioritize that route.
RPKI protects the origin of a route but not the path the route takes across the Internet.
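The route-selection rules above and the ROA check described in this section, worked through on the shape of the 2008 YouTube incident, as an added example that is not part of the original notes. It assumes a simplified selection process (longest prefix, then shortest AS path), uses RFC 5398 documentation ASNs in place of the real networks, and takes 208.65.152.0/22 as the /22 that covers the hijacked /24.

```python
import ipaddress

# Constructed table mirroring the 2008 incident: the legitimate /22 beside a
# more-specific /24 that arrives over a longer AS path. The origin AS is the
# last entry of as_path; ASNs are RFC 5398 documentation numbers, not the
# networks actually involved.
ROUTES = [
    {"prefix": "208.65.152.0/22", "as_path": [64500, 64499, 64496]},
    {"prefix": "208.65.153.0/24", "as_path": [64500, 64498, 64499, 64497]},
]

# Constructed ROA: AS 64496 may originate 208.65.152.0/22, and only as a /22
# (max_length 22), so any more-specific announcement is unauthorized.
ROAS = [{"prefix": "208.65.152.0/22", "max_length": 22, "asn": 64496}]


def rov_state(route, roas):
    """RPKI Route Origin Validation with RFC 6811 semantics: 'valid',
    'invalid' (a ROA covers the prefix but none matches), or 'not-found'."""
    net = ipaddress.ip_network(route["prefix"])
    origin = route["as_path"][-1]
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "not-found"
    if any(r["asn"] == origin and net.prefixlen <= r["max_length"] for r in covering):
        return "valid"
    return "invalid"


def best_route(dst, routes, roas=None):
    """Simplified BGP selection: longest prefix match first, then the shortest
    AS path. When a ROA set is given, ROV-invalid routes are dropped before
    selection, which is what defeats the more-specific hijack."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if roas is not None:
        candidates = [r for r in candidates if rov_state(r, roas) != "invalid"]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                          len(r["as_path"])))
```

Without the ROA set, the /24 wins for any address it covers despite its longer path; with it, the /24 is marked invalid and traffic stays on the legitimate /22.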
BGPsec: Authenticating the Path
BGPsec extends RPKI by authenticating the entire path of a BGP advertisement using digital signatures.
Each AS in the path signs its part of the route using its private key. The signature covers the AS number, the advertised IP prefix, and the next AS in the chain.
For example, if AS1 advertises a route to AS2, then AS2 advertises it to AS3:
- AS1 signs its announcement and sends it to AS2.
- AS2 verifies AS1’s signature, then appends its own signature before forwarding it to AS3.
- AS3 can verify both signatures, confirming that each AS in the path really participated.
This chain of signatures prevents attackers from inserting or removing ASes in the route.
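The AS1 to AS2 to AS3 exchange above as an added example, not code from the original notes or from any BGPsec implementation. Lamport one-time signatures (hash-based) stand in for BGPsec's ECDSA P-256 because the Python standard library has no asymmetric primitives; the sign-with-private-key, verify-with-public-key contract is the same. Each segment also binds a hash of the previous hop's signature, which is what lets the receiver detect a dropped hop. ASNs are RFC 5398 documentation numbers and the prefix is constructed.

```python
import hashlib, os

# Lamport one-time signature: 256 pairs of random secrets; the public key is
# their hashes. Signing reveals one secret per bit of SHA-256(message).
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]

def verify(pk, msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(h >> i) & 1] for i in range(256))

def segment_bytes(asn, prefix, next_asn, prev_sig):
    """What each AS signs: its ASN, the prefix, the next AS, and a hash of the
    previous hop's signature so segments cannot be reordered or dropped."""
    prev = hashlib.sha256(b"".join(prev_sig)).digest() if prev_sig else b"\x00" * 32
    return f"{asn}|{prefix}|{next_asn}|".encode() + prev

def forward(update, asn, sk, next_asn):
    """AS `asn` appends its signed segment before handing the update to next_asn."""
    prev_sig = update["segments"][-1]["sig"] if update["segments"] else None
    sig = sign(sk, segment_bytes(asn, update["prefix"], next_asn, prev_sig))
    update["segments"].append({"asn": asn, "next": next_asn, "sig": sig})
    return update

def validate_path(update, receiver_asn, pubkeys):
    """Receiver checks every signature and that each hop names the following one
    (the last hop must name the receiver). Returns the AS path, or None."""
    prev_sig, expected = None, update["segments"][0]["asn"] if update["segments"] else None
    for seg in update["segments"]:
        msg = segment_bytes(seg["asn"], update["prefix"], seg["next"], prev_sig)
        if seg["asn"] != expected or seg["asn"] not in pubkeys or not verify(pubkeys[seg["asn"]], msg, seg["sig"]):
            return None
        prev_sig, expected = seg["sig"], seg["next"]
    return [s["asn"] for s in update["segments"]] if expected == receiver_asn else None

def example_exchange():
    """AS1 (64496) -> AS2 (64497) -> AS3 (64498) for a constructed prefix."""
    keys = {asn: keygen() for asn in (64496, 64497)}
    pubkeys = {asn: pk for asn, (sk, pk) in keys.items()}
    update = {"prefix": "203.0.113.0/24", "segments": []}
    forward(update, 64496, keys[64496][0], 64497)       # AS1 signs, sends to AS2
    forward(update, 64497, keys[64497][0], 64498)       # AS2 signs, sends to AS3
    good = validate_path(update, 64498, pubkeys)        # AS3 verifies both hops
    update["segments"].pop()                            # someone strips AS2's hop
    return good, validate_path(update, 64498, pubkeys)  # chain no longer ends at AS3
```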
BGPsec provides strong authentication but has two drawbacks:
- It adds computational cost to sign and verify messages at line speed.
- It requires all routers in the path to support BGPsec, which makes global deployment slow.
Why Deployment is Hard
Even though RPKI and BGPsec solve real problems, adoption has been slow. There are both technical and organizational barriers.
- Scale and coordination: The Internet has over 75,000 autonomous systems, each managed by independent organizations. Deploying a cryptographic validation system requires consistent participation from all of them.
- Legacy equipment: Many routers in use today cannot handle BGPsec’s cryptographic operations without hardware upgrades. Processing digital signatures on every route announcement adds latency and CPU load.
- Operational risk: Misconfigured RPKI data (for example, incorrect ROAs) can cause legitimate routes to be rejected, leading to outages. Operators often prefer to accept some risk of hijacks rather than risk accidental downtime.
- Policy concerns: Some network operators are reluctant to rely on RPKI because it introduces centralized trust in the Regional Internet Registries, which control the certificate hierarchy.
- Incomplete coverage: RPKI validation helps only when both the announcing and receiving ASes use it. Partial adoption limits its effectiveness.
Despite these issues, deployment continues to increase as tools improve and major ISPs adopt validation by default. Like DNSSEC and HTTPS, routing security will likely evolve gradually over many years.
Other Defensive Practices
Even without full RPKI or BGPsec deployment, operators can improve security through careful policy:
- Route filtering: Accept only expected prefixes from each peer.
- Prefix length limits: Reject overly specific routes that look suspicious.
- Reject own prefixes from outside sources: Prevent loops or spoofed announcements for your own addresses.
- Monitoring and alerting: Use global BGP monitoring services to detect new or unexpected announcements in real time.
- Incident coordination: Quickly notify upstream providers or peers if you detect or cause a misannouncement.
Network Layer Themes
- Trust without authentication: BGP assumes honesty among peers. Without cryptographic verification, errors or abuse can spread globally.
- Slow adoption of improvements: Protocol changes like RPKI and BGPsec need cooperation across thousands of networks, which slows deployment.
- Limited visibility: Route changes happen all the time for legitimate reasons, making it hard to distinguish attacks from normal adjustments.
- Defense in depth: No single fix suffices. Operators rely on a mix of authentication, filtering, and global monitoring to reduce the attack surface.
Key Takeaways
- Routers are computers that can be compromised like any other. Secure configuration and patching are essential.
- BGP’s trust-based design makes it vulnerable to both accidental and malicious route hijacks.
- RPKI adds proof of who owns an IP prefix. BGPsec adds proof of how that prefix’s route traveled.
- Both rely on the same public-key principles we have covered earlier: certificates, signatures, and verification.
- Internet routing security depends on cooperation among thousands of independent organizations, so improvements happen gradually but steadily.
Networking Glossary
IPv4: The older Internet Protocol using 32-bit addresses (about 4.3 billion possible addresses).
IPv6: The newer Internet Protocol using 128-bit addresses, designed to solve IPv4 exhaustion.
MAC Address: A hardware address used on local networks (Layer 2).
Switch: A device that connects machines on a local network and forwards frames by MAC address.
Router: A device that forwards packets between different networks based on IP addresses.
Subnet: A portion of a network identified by a prefix such as 192.0.2.0/24.
Prefix: A block of IP addresses; BGP announcements operate on prefixes.
ARP (Address Resolution Protocol): Maps IPv4 addresses to MAC addresses on a local network.
NDP / Neighbor Discovery: IPv6’s replacement for ARP, used to learn link-layer addresses.
Default Gateway: The router a device uses to reach destinations outside its local subnet.
Autonomous System (AS): A network under the control of one organization that uses a shared routing policy.
AS Number (ASN): A unique number identifying an Autonomous System.
BGP (Border Gateway Protocol): The protocol that exchanges routing information between ASes.
Route Announcement: A BGP message stating that an AS can reach a particular IP prefix.
BGP Hijack: An unauthorized or incorrect route announcement that redirects traffic.
RPKI: A system that uses digital certificates to prove which AS may announce which prefix.
ROA (Route Origin Authorization): A signed statement listing which AS is authorized to originate a prefix.
BGPsec: An extension of BGP that signs each hop in the AS path to authenticate the route.
Black Hole: A routing outcome where traffic is dropped instead of delivered.
Man-in-the-Middle (MITM): An attack where the adversary intercepts, reads, or alters traffic.
Path Length: The number of ASes a route passes through; BGP prefers shorter paths when prefixes tie.
Prefix Specificity: More specific prefixes (for example, /25 vs. /24) take priority in BGP routing.