Manners maketh man, as the saying goes, and MANRS could soon maketh networks.Attackers continue to exploit weakness in the way Border Gateway Protocol
Manners maketh man, as the saying goes, and MANRS could soon maketh networks.
Attackers continue to exploit weakness in the way Border Gateway Protocol (BGP) servers exchange routing information to hijack routes and use spoofed IP addresses. But the Internet Society, or ISOC, has expanded its efforts to cut down on those attacks through the expansion of its Mutually Agreed Norms for Routing Security (MANRS) initiative to include a new program aimed at internet exchange points (IXPs).
The new program was announced just a day before the latest high-profile BGP routing security incident, in which unknown attackers hijacked routes to cryptocurrency wallet provider MyEtherWallet and stole over $150,000 worth of the Ethereum cryptocurrency.
In its announcement, ISOC noted the scale of the problems with routing.
“Routing security is vital to the future and stability of the internet. In 2017 alone, 14,000 routing outages or incidents — such as hijacking, leaks, spoofing and large-scale Denial of Service (DoS) attacks — led to stolen data, lost revenue, reputational damage and more,” ISOC wrote. “MANRS addresses these threats through technical and collaborative action across the internet. The security of the internet as a whole depends on routing security.”
The MANRS initiative addresses vulnerabilities in the internet routing system that, when exploited, allow an attacker to impersonate a network and attract network traffic intended for that network, said Andrei Robachevsky, technology program manager for ISOC. MANRS practices are also aimed at eliminating route leaks. In those incidents, a network operator “announces a network prefix learned from another provider, injecting itself in the path of traffic destined to this network” and traffic with spoofed source IP addresses, which Robachevsky said “is the root cause of volumetric reflection and amplification attacks.”
The objective of the MANRS program is to “provide guidance to network operators in addressing issues of security and resilience of the global internet routing system,” according to the MANRS program site. “Another important goal is to document the commitment of industry leaders to address these issues, which should amplify the impact as more supporters join.”
The MANRS program was launched in 2014 by, and for, members of the network operator community to promote “security and resilience of the global routing system.” Network operators generally include internet and other communication service providers that participate in the global internet routing infrastructure. IXPs are physical exchange points where network operators are able to exchange traffic between internet service providers (ISPs); they may be operated by for-profit or not-for-profit enterprises, by educational or government agencies, or by network groups.
The MANRS for IXP program launched with 10 internet exchange points participating out of 630 IXPs registered in the PeeringDB, a public database of peering networks, according to Robachevsky.
“The 10 founding participants include several of the biggest IXPs by number of members and traffic volume,” he said, adding that “the program is also starting with good global coverage — Africa, Europe, Latin and North America, taking into account that IXP memberships overlap. The aspiration is, of course, that this becomes a norm for every IXP and all of them join, but it is hard to say what is the tipping point. What is important at this stage is the uptake, the dynamics of the growth of this program.”
Norms for routing security
The MANRS initiative calls on network operators — and IXPs — to take four concrete actions that can reduce the threat of route hijacking, route leaking and use of spoofed IP addresses. The MANRS program calls for entities involved in internet routing to take these actions:
- Prevent propagation of incorrect routing information. The most important action for protecting routing security is to use explicit prefix-level filters to ensure inbound routing advertisements are correct.
- Prevent traffic with spoofed IP source addresses. Network operators and IXPs are expected to enable source address validation and use antispoofing filtering to avoid forwarding packets with spoofed source IP addresses.
- Promote communication and cooperation among network operators. MANRS calls for all network operators to maintain contact information and keep it up to date.
- Validate routing information on a global scale. MANRS calls for network operators to publicly document their routing policies, as well as the BGP routing networks and network address prefixes for which they route.
BGP hijacking and related security issues have plagued enterprises for many years. In addition to the MyEtherWallet incident, which involved threat actors hijacking Amazon Web Services’ domain-name-system traffic, there have been other similar attacks in recent years. In 2014, Dell researchers reported hackers had used BGP hijacking to reroute traffic from nearly 20 ISPs in order to steal bitcoin. Last year, traffic from technology giants such as Apple, Facebook, Google and Microsoft was rerouted to a small ISP in Russia.