The Internet Society is expanding its Mutually Agreed Norms for Routing Security (MANRS) initiative from just autonomous systems (AS) networks to include internet exchange points (IXPs).
With its purpose to bring basic security to internet routing, MANRS was launched in 2014 with 9 founding members. Since its launch it has grown to 56 members, out of a total of around 60,000 ASs on the internet. Andrei Robachevsky, the Internet Society’s technology program manager, told SecurityWeek that the immediate target is between 700 and 800 actively conforming members. Since about 80% of all networks are stub networks with no knowledge of other networks, Robachevsky believes that 700 or 800 of the remaining networks will be enough to provide the tipping point necessary to seriously improve internet routing security.
It is currently a major problem. Each AS ‘announces’ its customers to other networks so that traffic can reach its intended destination. The protocol used is border gateway protocol (BGP) — but this was developed in the mid-1990s for resilience, simplicity and ease of deployment. It has no built-in security of its own. There is nothing in the protocol to tell one network that what it hears from another network is true or false. There are out-of-band authoritative databases that can verify the information, but since this data is incomplete, it is not often used.
This basic lack of routing verification between different ASs is the root cause of both accidental and malicious internet routing problems. There are three primary issues: route hijacking, IP Address spoofing, and route leaks — and it is worth noting that there were 14,000 internet routing issues in 2017 alone.
The classic example of route hijacking occurred in 2008, when YouTube became unavailable for around 2 hours. It is often that that this was an intentional accident: the intent existed, but the full effect wasn’t expected. Pakistan Telecom announced that YouTube was a customer. Without verifying this announcement, its upstream provider PCCW forwarded the announcement to the rest of the world. The result was that all traffic intended for YouTube was instead sent to Pakistan Telecom.
In April 2017, Robachevsky wrote in an Internet Society blog, “Large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian telecom. For several minutes, Rostelecom was originating 50 prefixes for numerous other Autonomous Systems, hijacking their traffic.”
IP address spoofing can be used for different malicious purposes. One of the most dramatic is a reflection/amplification DDoS attack. The attacker spoofs the address of the target, and then uses amplification and reflection to direct large amounts of data at the victim. This year, memcached has been used to amplify DDoS attacks sufficient to set new records — first at 1.3Tbps and then within days at 1.7Tbps.
If a sufficient number of ASs adopt the MANRS principles, then reflection/amplification DDoS attacks will simply cease to be a problem because address spoofing will be recognized and refused.
Route leaks can occur when a network accidentally announces the wrong information. Dyn described an example in 2014. “When a transit customer accidentally announces the global routing table back to one of its providers, things get messy. This is what happened earlier today and it had far-reaching consequences.” In this instance it caused disruptions in traffic “in places as far-flung from the USA as Pakistan and Bulgaria.”
MANRS seeks to get network providers to comply with just four basic principles: to filter announcements to ensure their accuracy; to prevent IP address spoofing; to improve coordination between networks; and for each network to ensure that its own part of the global validation network is accurate. The problem now is for the Internet Society to expand the MANRS community membership from just 56 to the 700 or 800 — Robachevsky’s tipping-point — to really make a difference.
To achieve this, the Internet Society has today launched the MANRS IXP program with ten founding IXP members. The hope is that IXPs — some of which have as many as 600 ASs connecting with them — will contribute directly to improving routing security while also acting as ambassadors for the program.
“If we can get them on board as ambassadors to promote MANRS within their communities,” commented Robachevsky, “it becomes a great way to scale up. But they can also tangibly contribute to routing security. They run so-called route servers. Instead of asking everyone to connect to everyone, each of their members can just connect to the IXP’s proxy network for routing information. This means that the route server itself can do the validation since each route server already knows its user networks. Filters installed here can recognize misconfigured or false announcements and can just drop incorrect announcements. If this happens, we’re creating a very secure peering environment which is a big step to overall internet routing security.”
The difficulty for the Internet Society is that signing up to MANRS — either as an individual AS or as an IXP — does nothing to protect the member directly. It helps to protect other networks, and each network is really reliant on other networks protecting them. To make it as easy as possible for IXPs to join the program, there are only three requirements: two essential requirements and at least one from three optional requirements.
The essential commitments are to facilitate the prevention of the propagation of incorrect routing information, and to promote MANRS to the IXP’s own membership. The three optional commitments (each IXP must commit to at least one of them) are, to protect the peering platform, to facilitate global operational communication and coordination between network operators, and to provide monitoring and debugging tools to members.
“The founding participants of the MANRS IXP Program understand the importance of having a more resilient and secure Internet routing system,” said Robachevsky. “The IXP community is integral to the Internet ecosystem and by joining MANRS, they are joining a community of security-minded network operators committed to making the global routing infrastructure more secure.”
If PCCW had implemented MANRS, then the Pakistan Telecom hijack of YouTube could not have happened. If PCCW had not implemented MANRS, but IXPs had done so, then the hijack would have been stopped at the peering points.