Asia's Source for Enterprise Network Knowledge

Friday, March 31st, 2017


Fixing the Internet's routing security is urgent and requires collaboration

The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internet's open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit.

In late January, traffic to many IP (Internet Protocol) addresses of the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela. According to Doug Madory, director of Internet analysis at Dyn, such routing leaks occur almost on a daily basis and while many of them are accidents, some are clearly attempts to hijack Internet traffic.

Another frequent occurrence is the hijacking of dormant or unused IP address spaces. Known as IP address squatting, this technique is preferred by email spammers who need blocks of IP addresses that haven't already been blacklisted by spam filters.

To pull off such attacks, spammers need to find ISPs that will accept their fraudulent routing advertisements without too much scrutiny. In early February, the anti-spam outfit Spamhaus reported that Verizon Communications was routing over 4 million IP addresses hijacked by criminals, putting it in the top 10 list of ISPs worldwide who route spam traffic.

The abuses don't stop there. The User Datagram Protocol (UDP), which is widely used in Internet communications, is particularly vulnerable to source address spoofing. This allows attackers to send data packets that appear to originate from other people's IP addresses.

The weakness has been increasingly exploited in recent years to launch crippling and hard-to-trace distributed denial-of-service (DDoS) attacks. DDoS reflection, as the technique is known, involves attackers sending requests with spoofed addresses to misconfigured servers on the Internet. This forces those servers to send their responses to the spoofed addresses instead of the true IP addresses from where the requests originated.

This hides the source of malicious traffic, but can also have an amplification effect if the generated responses are larger than the requests that triggered them. By using reflection against servers that run UDP-based services like DNS (Domain Name System), mDNS (multicast DNS), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP (Simple Network Management Protocol) and others, attackers can generate tens or hundreds of times more traffic than they could otherwise.

All of these problems require a high level of cooperation among network operators to fix because, unlike other industries, the Internet has no central governing body that could force ISPs to implement routing security measures.
The Internet Society (ISOC), an international non-profit organization that advances Internet-related standards, education and policy, strongly believes that tackling security issues is a shared responsibility that requires a collaborative approach. As such, in late 2014, the organization, together with nine network operators, launched an initiative called MANRS, or Mutually Agreed Norms for Routing Security.

Network operators who choose to participate in the MANRS program commit to implementing various security controls in order to prevent the propagation of incorrect routing information through their networks, prevent traffic with spoofed source IP addresses and facilitate the validation of routing information globally.