Security Scene: a Taste of Border Gateway Protocol Hijacking
Internet routing is amazing when you think about it. Killing time waiting for an elevator with a smartphone presents endless options for serious news or cat videos within mere milliseconds due to the magic of traffic engineering. At its core, Internet routing is essentially simple and has changed very little in 20 years. As a result, however, networks have become more susceptible to malicious behavior. A global initiative, Mutually Agreed Norms for Routing Security (MANRS), aims to quell the potential for attacks by taking on security as a shared responsibility.
Traffic is routed around the Internet using the Border Gateway Protocol (BGP). BGP advertisements from routers tell your immediate neighbor networks how reachable your network is. Neighbor networks accept the message as a fact and add it to their router and so on and so on. This chain of announcements forms the topology of the Internet. But no easy way exists to check the integrity of the announcements and that’s where the trouble begins.
You might already guess that a lack of checks and balances in verifying announced addresses holds the potential for inadvertent “fat fingering” of incorrect information, or for intentional abuse. One attack on the rise is a BGP hijack, in which case a network announces the wrong route to a specific destination.
In many cases, it’s an accident such as a typo. In other cases, networks intentionally announce a wrong BGP route to hijack traffic meant for networks owned by financial services or government entities. Traffic meant for those targets flow through the owner of the malicious network, which sniffs content or carries out attacks.
In December 2017, for example, traffic sent to and from Google, Facebook, Apple, and Microsoft was routed through a previously unknown Russian Internet provider. A similar incident in April 2017 routed traffic for Visa and Mastercard through a Russian government network. The most famous one was back in 2008 when Pakistan Telecom took YouTube offline accidentally.
CIOs, CISOs, and IT staff face a constant barrage of things to add to their “to do” list for making systems more secure. Preventing BGP hijacking may seem like just one more thing to add to the list. However, implementing MANRS is relatively easy and provides immense benefits to the entire R&E community.
It entails four activities:
- Coordination. All you need to do is update your network contact information!
- Filtering. You define a clear routing policy and implement a system that ensures correctness of your own announcements and announcements from your customers.
- Anti-Spoofing. Enable source address validation.
- Global Validation. Publish your data, so others can validate routing information on a global scale.
The more members of the community that follow these actions, the more secure we can enable R&E networks.
Internet2 is in the process of implementing MANRS. Several regional networks and campuses, as well as our collaborators at ESnet, have also committed to it. Can your campus or regional network help R&E networks become more secure?
Visit www.manrs.org to learn more details about what it takes to become a MANRS participant. And pencil in our routing security workshop on Monday, October 15 during TechEX in Orlando to learn more about how others have implemented MANRS!