Hello! We got a question while developing wallet project on ICP.
Is the ICP subject to BGP attacks that have happened in the crypto space before?
Like, is it possible for a hacker to route the IP address of abccanister.icp1.io to his own IP address?
And can he perform an attack on user asset or redirect a user Passkey login to his own frontend?
Hey @w3tester
Yes, in principle the Internet Computer (and any Internet service) can be affected by BGP hijacks. Not even the big players such as Google/Cloudflare are immune to them.
Practically, pulling off a successful attack against an ICP-hosted canister frontend is significantly harder than “hijack one IP and you’re in”, because of:
The IC’s HTTP gateways and API boundary nodes are hosted in many different DCs/ASes with many different IP addresses across the entire world. For an attack, it is not enough to just hijack the BGP route to a single HTTP gateway/API BN, but one needs to hijack at least an entire region.
Even if traffic for abccanister.icp1.io is routed to the attacker’s host, browsers will reject the connection unless the attacker also presents a valid TLS certificate for that domain. An attempt to create an additional TLS certificate will be visible in the certificate transparency logs.