Fixing the Internet’s routing security is urgent, requiring collaboration
29 February 2016
The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internet’s open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit.
In late January, traffic to many Internet Protocol (IP) addresses of the US Marine Corps was temporarily diverted through an ISP in Venezuela. According to Doug Madory, director of internet analysis at Dyn, such routing leaks occur almost daily, and while many of them are accidents, some are clearly attempts to hijack Internet traffic.
Another frequent occurrence is the hijacking of dormant or unused IP address spaces. Known as IP address squatting, this technique is preferred by email spammers who need blocks of IP addresses that haven’t already been blacklisted by spam filters.
To pull off such attacks, spammers need to find ISPs that will accept their fraudulent routing advertisements without too much scrutiny. In early February, the anti-spam outfit Spamhaus reported that Verizon Communications was routing over 4 million IP addresses hijacked by criminals, putting it in the top 10 list of ISPs worldwide who route spam traffic.
The abuses do not stop there. The User Datagram Protocol (UDP), which is widely used in Internet communications, is particularly vulnerable to source address spoofing. This allows attackers to send data packets that appear to originate from other people's IP addresses.
The weakness has been increasingly exploited in recent years to launch crippling and hard-to-trace distributed denial-of-service (DDoS) attacks. DDoS reflection, as the technique is known, involves attackers sending requests with spoofed addresses to misconfigured servers on the Internet. This forces those servers to send their responses to the spoofed addresses instead of the true IP addresses from where the requests originated.
This hides the source of malicious traffic, but can also have an amplification effect if the generated responses are larger than the requests that triggered them. By using reflection against servers that run UDP-based services like Domain Name System (DNS), multicast DNS (mDNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP) and others, attackers can generate tens or hundreds of times more traffic than they could otherwise.
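The amplification effect described above can be measured from a reflector's own traffic. The following added example (not from the article) sums request and response bytes per claimed source address in constructed UDP flow records and flags addresses whose aggregate response/request ratio suggests they are the spoofed target of reflection; the port list follows the services the article names, while the addresses (documentation ranges) and thresholds are assumptions.

```python
"""Added example, not from the article: flag UDP reflection traffic in
constructed flow records as seen from the reflector's side. Each record is
(claimed_src, dst, dst_port, request_bytes, response_bytes); thresholds and
addresses (documentation ranges) are assumptions."""
from collections import defaultdict

# UDP services the article names as reflection targets, by well-known port.
REFLECTABLE_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 5353: "mDNS"}

# Constructed sample: 203.0.113.10 appears as the source of many small
# requests that draw large answers (the spoofed victim); 198.51.100.5 is
# an ordinary client. The port-80 flow is not UDP reflection and is ignored.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.53", 53, 60, 3000),
    ("203.0.113.10", "192.0.2.53", 53, 60, 3200),
    ("203.0.113.10", "192.0.2.123", 123, 8, 440),
    ("203.0.113.10", "192.0.2.123", 123, 8, 440),
    ("203.0.113.10", "192.0.2.161", 161, 100, 1500),
    ("198.51.100.5", "192.0.2.53", 53, 70, 120),
    ("198.51.100.5", "192.0.2.80", 80, 500, 400),
]

def summarize_by_source(flows):
    """Sum request/response bytes per claimed source, reflectable ports only."""
    totals = defaultdict(lambda: {"requests": 0, "req_bytes": 0,
                                  "resp_bytes": 0, "services": set()})
    for src, _dst, port, req_bytes, resp_bytes in flows:
        if port not in REFLECTABLE_PORTS:
            continue
        entry = totals[src]
        entry["requests"] += 1
        entry["req_bytes"] += req_bytes
        entry["resp_bytes"] += resp_bytes
        entry["services"].add(REFLECTABLE_PORTS[port])
    return totals

def amplification_factor(entry):
    """Bytes sent back per byte received: the amplification the article describes."""
    return entry["resp_bytes"] / entry["req_bytes"] if entry["req_bytes"] else 0.0

def suspected_victims(flows, min_factor=10.0, min_requests=3):
    """Return {source: factor} for sources whose traffic looks like reflection
    aimed at them: high aggregate amplification over repeated requests."""
    flagged = {}
    for src, entry in summarize_by_source(flows).items():
        factor = amplification_factor(entry)
        if factor >= min_factor and entry["requests"] >= min_requests:
            flagged[src] = round(factor, 1)
    return flagged
```

On the constructed sample the spoofed address is flagged with an aggregate factor of roughly 36x, while the ordinary client (one small DNS exchange) is not.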
High-level cooperation
All of these problems require a high level of cooperation among network operators to fix because, unlike other industries, the Internet has no central governing body that could force ISPs to implement routing security measures.
The Internet Society (ISOC), an international non-profit organisation that advances Internet-related standards, education and policy, strongly believes that tackling security issues is a shared responsibility that requires a collaborative approach. As such, in late 2014, the organisation, together with nine network operators, launched an initiative called Mutually Agreed Norms for Routing Security (MANRS).
Network operators who choose to participate in the MANRS programme commit to implementing various security controls in order to prevent the propagation of incorrect routing information through their networks, prevent traffic with spoofed source IP addresses and facilitate the validation of routing information globally.
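Two of those controls, preventing propagation of incorrect routing information and preventing spoofed-source traffic, come down to checks an operator applies at its customer edge. The following added example (not ISOC's or MANRS's own code) models them in miniature for a constructed transit network: a source-address check on packets leaving a customer port, and a prefix filter on customer BGP announcements; the customer names, prefixes (documentation ranges) and the maximum-prefix-length policy are assumptions.

```python
"""Added example (not ISOC's or MANRS's own code): a minimal model of two
MANRS actions at a constructed transit network's customer edge:
  1. anti-spoofing: drop packets leaving a customer port whose source
     address is outside the prefixes assigned to that customer;
  2. filtering: accept a customer's BGP announcement only if it lies inside
     a prefix registered to that customer and is not overly specific.
All customers, prefixes and addresses are constructed documentation ranges."""
import ipaddress

# Constructed allow-list: what each customer is authorised to originate.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("2001:db8::/32")],
}
# Assumed policy: reject announcements more specific than these lengths.
MAX_PREFIX_LEN = {4: 24, 6: 48}

def source_allowed(customer, src_ip):
    """Anti-spoofing egress check on a customer-facing interface: the source
    address must belong to a prefix assigned to that customer."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in CUSTOMER_PREFIXES.get(customer, [])
               if net.version == ip.version)

def announcement_allowed(customer, prefix):
    """Prefix-filter a customer's BGP announcement against its registered space."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False  # too specific: a common signature of leaks and hijacks
    return any(net.subnet_of(reg) for reg in CUSTOMER_PREFIXES.get(customer, [])
               if reg.version == net.version)

def filter_announcements(customer, prefixes):
    """Split a batch of announced prefixes into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for p in prefixes:
        (accepted if announcement_allowed(customer, p) else rejected).append(p)
    return accepted, rejected
```

A route leak of someone else's space, or a spoofed packet from a customer port, is rejected at the edge rather than propagated; the same checks are what the BCOP document discussed later in the article aims to standardise.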
Over the past year, the programme has grown steadily, with the number of participants now reaching 40. ISOC hopes that MANRS membership will become a badge of honour or a quality mark that network operators will strive to obtain in order to differentiate themselves from the competition.
Whether the volunteer-based approach is enough for the programme to continue growing remains to be seen. But if it gains enough traction and becomes large enough, ISPs who are not interested in joining now might be pushed by market forces in the future. For example, if three Internet providers compete for a project and only one of them is MANRS-compliant, the customer might choose the MANRS member because it ostensibly cares more about security.
There are network operators in countries like China or Russia that do a fair amount of business by offering services to cybercriminals. Such companies would probably not want to implement these security measures, but if MANRS grows large enough, they might find themselves isolated and unable to find uplink providers to carry their traffic internationally.
Implementing the MANRS recommendations, which are based on existing industry best practices, can have some short-term costs for ISPs, but according to ISOC, that’s probably not the reason why many of them have failed to implement them. The bigger problem, the organisation believes, is a lack of awareness about these problems or not having the expertise to fix them.
The methods through which routing leaks and IP address spoofing can be dealt with are diverse and currently documented in different places across the Internet. That is why ISOC and the MANRS members are working on a Best Current Operational Practices (BCOP) document that will bring those recommendations together and provide clear guidance for their implementation.