
Fixing the Internet’s routing security is urgent, requiring collaboration


29 February 2016

The goal is to assist the small, regional ISPs with adopting these measures, because they make up around 80% of the Internet, said Andrei Robachevsky, ISOC’s technology program manager.

If these ISPs were to start validating the routing announcements of their own customers, there would be a much smaller chance that rogue announcements would reach the global routing system.

Another thing that the MANRS members will be working on in 2016 is a set of compliance tests to ensure that new potential members have indeed achieved the programme’s goals and that they remain compliant over time. One example of such a test uses a tool called Spoofer, which checks whether a network allows IP spoofing. MANRS participants could run this tool inside their networks periodically and report the results back.

Incentives
Creating more incentives for ISPs to join the programme is also an important issue that ISOC and the existing MANRS members are discussing. For example, some participants are considering including MANRS requirements in their peering arrangements or offering higher bandwidth peering only to MANRS-compliant network operators, Robachevsky said.

At this stage, however, the programme is growing primarily by identifying and co-opting ISPs who are industry leaders from a security perspective. These are ISPs that have already implemented all of these protections on their own, independently of MANRS, he said.

It is unlikely that the MANRS recommendations will ever be adopted by all of the world’s network operators and unfortunately some attacks, like DDoS reflection, will not completely disappear without widespread implementation of anti-IP spoofing measures. However, even if MANRS succeeds in creating only small, but safe neighbourhoods on the Internet, it would reduce the problem.

Imagine a cybercriminal group that has access to 1,000 infected computers from around the world that are organised in a botnet. If they get a list of 1,000 misconfigured DNS or NTP servers, they could abuse those servers to amplify the traffic they could otherwise generate from those 1,000 computers by using the DDoS reflection technique.

However, if 20% of those infected computers were located within networks that prevent IP spoofing, the attackers wouldn’t be able to use them for DDoS reflection at all, because their spoofed requests would be blocked by their ISPs and would never reach the vulnerable DNS or NTP servers.
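To make the thought experiment concrete, the following is an added example (not code from the article, MANRS or any of the organisations quoted) that applies a BCP 38 style source address validation filter to constructed sample packets and then works out how many bots remain usable for reflection under the article's 20% figure. The port names, prefixes and addresses are hypothetical.

```python
import ipaddress

# Constructed example data (hypothetical, not from the article): the prefix
# each customer-facing port of an ISP edge router is allowed to source from.
CUSTOMER_PREFIXES = {
    "port-a": ipaddress.ip_network("203.0.113.0/24"),
    "port-b": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed packets: (ingress port, source IP, destination IP, UDP dst port).
# The destinations stand in for open DNS (53) and NTP (123) reflectors.
SAMPLE_PACKETS = [
    ("port-a", "203.0.113.17", "192.0.2.53", 53),      # legitimate DNS query
    ("port-a", "192.0.2.10", "192.0.2.53", 53),        # source forged to the victim
    ("port-b", "198.51.100.9", "192.0.2.123", 123),    # legitimate NTP query
    ("port-b", "198.51.100.200", "192.0.2.123", 123),  # .200 lies outside the /25
    ("port-c", "203.0.113.99", "192.0.2.53", 53),      # port with no prefix assigned
]


def passes_source_validation(ingress_port, src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 style ingress check: forward only if the source address lies in
    the prefix assigned to the port the packet arrived on; fail closed."""
    allowed = prefixes.get(ingress_port)
    if allowed is None:
        return False
    return ipaddress.ip_address(src_ip) in allowed


def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into those the filter forwards and those it drops."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src = pkt[0], pkt[1]
        (forwarded if passes_source_validation(port, src, prefixes) else dropped).append(pkt)
    return forwarded, dropped


def usable_reflection_bots(bot_count, fraction_behind_sav):
    """Bots still able to send forged-source requests to reflectors when the
    given fraction sit in networks that perform source address validation."""
    return round(bot_count * (1 - fraction_behind_sav))


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for pkt in drop:
        print("dropped (spoofed or unknown port):", pkt)
    print("usable bots (1000 bots, 20% behind SAV):", usable_reflection_bots(1000, 0.20))
```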

Fortunately, the MANRS proposals will be beneficial in incremental deployments, said Danny Cooper, a security researcher at Akamai. “Even if not everyone on the Internet is participating and there’s only a partial uptake, it still reduces the places on the Internet that certain attacks can be launched from.”

Defence techniques
The defence techniques proposed by MANRS are by no means perfect, and there are some techniques to partially evade them, but overall they force attackers to reduce the scope of their attacks, Cooper said.

MANRS represents a collection of pretty smart network operators that got together and came up with some best practices to improve the state of Internet routing, said Dyn’s Madory. “Regardless of whether it gains adoption by all ISPs, it’s certainly the right thing to do. We should try to capture all the lessons learned from the various network engineers around the world and advocate for their implementation.”

After all, perfect or not, there are not many alternatives to this kind of industry self-regulation. Attacks will only get worse with the passing of time and if nothing is done, there is a danger that national governments could intervene with legislation that will endanger the openness of the Internet. The fragmentation of the Internet is already happening to some extent due to political, economic, religious and other reasons.

The good news is that the number of network operators who are implementing anti-spoofing and route hijacking protections is growing. According to the Worldwide Infrastructure Security Report released by DDoS mitigation provider Arbor Networks in January, an estimated 44% of ISPs have implemented anti-spoofing filters. This is up from 37% in 2014. In addition, 54% now also monitor for route hijacks, compared to 40% in 2014. The report is based on a survey of 354 global network operators.

“There’s still a lot of room for improvement, obviously, but we are seeing numbers trending in the right direction,” said Gary Sockrider, principal security technologist at Arbor Networks.

According to Sockrider, during the past year Arbor Networks has observed a huge growth in both the number and size of DDoS reflection/amplification attacks, across many protocols.

“I applaud the efforts of any organisation, including the MANRS initiative, to improve security, make networks more resilient and stop things like IP address spoofing,” Sockrider said. “I truly think that’s important and I fully support it.”

IDG News Service


TechCentral.ie