[AusNOG] FYI: MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

[Narelle]

Fixing the Internet's routing security is urgent and requires collaboration

A volunteer participation program for ISPs to prevent route hijacks and IP
spoofing is gaining some traction

Lucian Constantin http://www.pcworld.com/author/Lucian-Constantin/

IDG News Service

Feb 26, 2016 10:44 AM

The Internet is fragile. Many of its protocols were designed at a time when
the goal was rapid network expansion based on trust among operators. Today,
the Internet's open nature is what makes it so great for business,
education and communication, but the absence of security mechanisms at its
core is something that criminals are eager to exploit.

In late January, traffic to many IP (Internet Protocol) addresses of the
U.S. Marine Corps was temporarily diverted through an ISP in
Venezuela. According to Doug Madory, director of Internet analysis at Dyn,
such routing leaks occur almost on a daily basis and while many of them are
accidents, some are clearly attempts to hijack Internet traffic.

Another frequent occurrence is the hijacking of dormant or unused IP
address spaces. Known as IP address squatting, this technique is preferred
by email spammers who need blocks of IP addresses that haven't already
been blacklisted by spam filters.

To pull off such attacks, spammers need to find ISPs that will accept their
fraudulent routing advertisements without too much scrutiny. In early
February, the anti-spam outfit Spamhaus reported that Verizon
Communications was routing over 4 million IP addresses hijacked by
criminals, putting it in the top 10 list of ISPs worldwide who route spam
traffic.

The abuses don't stop there. The User Datagram Protocol (UDP), which is
widely used in Internet communications, is particularly vulnerable to
source address spoofing. This allows attackers to send data packets that
appear to originate from other people's IP addresses.

The weakness has been increasingly exploited in recent years to launch
crippling and hard-to-trace distributed denial-of-service (DDoS) attacks.
DDoS reflection, as the technique is known, involves attackers sending
requests with spoofed addresses to misconfigured servers on the Internet.
This forces those servers to send their responses to the spoofed addresses
instead of the true IP addresses from where the requests originated.

This hides the source of malicious traffic, but can also have an
amplification effect if the generated responses are larger than the
requests that triggered them. By using reflection against servers that run
UDP-based services like DNS (Domain Name System), mDNS (multicast DNS), NTP
(Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP
(Simple Network Management Protocol) and others, attackers can generate
tens or hundreds of times more traffic than they could otherwise.

All of these problems require a high level of cooperation among network
operators to fix because, unlike other industries, the Internet has no
central governing body that could force ISPs to implement routing security
measures.

The Internet Society (ISOC), an international non-profit organization that
advances Internet-related standards, education and policy, strongly
believes that tackling security issues is a shared responsibility that
requires a collaborative approach
http://www.internetsociety.org/collaborativesecurity. As such, in late
2014, the organization, together with nine network operators, launched an
initiative called MANRS https://www.routingmanifesto.org/manrs/, or
Mutually Agreed Norms for Routing Security.

Network operators who choose to participate in the MANRS program commit to
implementing various security controls in order to prevent the propagation
of incorrect routing information through their networks, prevent traffic
with spoofed source IP addresses and facilitate the validation of routing
information globally.

Over the past year, the program has grown steadily, the number of
participants now reaching 40. ISOC hopes that MANRS membership will become
a badge of honor or a quality mark that networks operators will strive to
obtain in order to differentiate themselves from the competition.

Whether the volunteer-based approach is enough for the program to continue
growing remains to be seen. But if it gains enough traction and becomes
large enough, ISPs who are not interested in joining now might be pushed by
market forces in the future. For example if three Internet providers
compete for a project, and only one of them is MANRS-compliant, the
customer might choose the MANRS member because it ostensibly cares more
about security.

There are network operators in countries like China or Russia that do a
fair amount of business by offering services to cybercriminals. Such
companies would probably not want to implement these security measures, but
if MANRS grows large enough, they might find themselves isolated and unable
to find uplink providers to carry their traffic internationally.

Implementing the MANRS recommendations, which are based on existing
industry best practices, can have some short-term costs for ISPs, but
according to ISOC, that's probably not the reason why many of them have
failed to implement them. The bigger problem, the organization believes,
is a lack of awareness about these problems or not having the expertise to
fix them.

The methods through which routing leaks and IP address spoofing can be
dealt with are diverse and currently documented in different places across
the Internet. That's why ISOC and the MANRS members are working on a Best
Current Operational Practices (BCOP) document that will bring those
recommendations together and provide clear guidance for their
implementation.

The goal is to assist the small, regional ISPs with adopting these
measures, because they make up around 80 percent of the Internet, said
Andrei Robachevsky, ISOC’s technology program manager.

If these ISPs were to start validating the routing announcements of their
own customers, there would be a much smaller chance that rogue
announcements would reach the global routing system.

Another thing that the MANRS members will be working on in 2016 is a set of
compliance tests to ensure that new potential members have indeed achieved
the program's goals and that they remain compliant over time. One example
of such a test is with a tool called Spoofer that checks if a network
allows IP spoofing or not. MANRS participants could run this tool inside
their networks periodically and report the results back.

Creating more incentives for ISPs to join the program is also an important
issue that ISOC and the existing MANRS members are discussing. For example,
some participants are considering including MANRS requirements in their
peering arrangements or offering higher bandwidth peering only to
MANRS-compliant network operators, Robachevsky said.

At this stage, however, the program is growing primarily by identifying and
co-opting ISPs who are industry leaders from a security perspective. These
are ISPs that have already implemented all of these protections on their
own, independently of MANRS, he said.

It's unlikely that the MANRS recommendations will ever be adopted by all of
the world's network operators and unfortunately some attacks, like DDoS
reflection, will not completely disappear without widespread implementation
of anti-IP spoofing measures. However, even if MANRS succeeds in creating
only small, but safe neighborhoods on the Internet, it would reduce the
problem.

Imagine a cybercriminal group that has access to 1,000 infected computers
from around the world that are organized in a botnet. If they get a list of
1,000 misconfigured DNS or NTP servers, they could abuse those servers to
amplify the traffic they could otherwise generate from those 1,000
computers by using the DDoS reflection technique.

However, if 20 percent of those infected computers were located within
networks that prevent IP spoofing, the attackers wouldn't be able to use
them for DDoS reflection at all, because their spoofed requests would be
blocked by their ISPs and would never reach the vulnerable DNS or NTP
servers.

Fortunately, the MANRS proposals will be beneficial in incremental
deployments, said Danny Cooper, a security researcher at Akamai. "Even if
not everyone on the Internet is participating and there's only a partial
uptake, it still reduces the places on the Internet that certain attacks
can be launched from."

The defense techniques proposed by MANRS are by no means perfect, and there
are some techniques to partially evade them, but overall they force
attackers to reduce the scope of their attacks, Cooper said.

MANRS represents a collection of pretty smart network operators that got
together and came up with some best practices to improve the state of
Internet routing, said Dyn's Madory. "Regardless of whether it gains
adoption by all ISPs, it's certainly the right thing do. We should try to
capture all the lessons learned from the various network engineers around
the world and advocate for their implementation."

After all, perfect or not, there aren't many alternatives to this kind of
industry self-regulation. Attacks will only get worse with the passing of
time and if nothing is done, there is a danger that national governments
could intervene with legislation that will endanger the openness of the
Internet. The fragmentation of the Internet is already happening to some
extent due to political, economic, religious and other reasons.

The good news is that the number of network operators who are implementing
anti-spoofing and route hijacking protections is growing. According to the
Worldwide Infrastructure Security Report released by DDoS mitigation
provider Arbor Networks in January, an estimated 44 percent of ISPs have
implemented anti-spoofing filters. This is up from 37 percent in 2014. In
addition, 54 percent now also monitor for route hijacks, compared to 40
percent in 2014. The report is based on a survey of 354 global network
operators.

"There's still a lot of room for improvement, obviously, but we are seeing
numbers trending in the right direction," said Gary Sockrider, principal
security technologist at Arbor Networks.

According to Sockrider, during the past year Arbor Networks has observed a
huge growth in both the number and size of DDoS reflection/amplification
attacks, across many protocols.

"I applaud the efforts of any organization, including the MANRS initiative,
to improve security, make networks more resilient and stop things like IP
address spoofing," Sockrider said. "I truly think that's important and I
fully support it."

________________________________

Olaf M. Kolkman
Chief Internet Technology Officer Internet Society

e-mail: kolkman at isoc.org
LinkedIn:OlafKolkman
Twitter: @Kolkman

________________________________


From:


   - ITWorld
   <http://www.itworld.com/article/3038713/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
   - PCWorld
   <http://www.pcworld.com/article/3038714/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
   - CIO
   <http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
   - Computerworld
   <http://www.computerworld.com/article/3038715/security/the-internets-routing-security-needs-an-urgent-fix-but-itll-require-collaboration.html>
   - Networkworld
   <http://www.networkworld.com/article/3038251/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
   - ITNews
   <http://www.itnews.com/article/3038753/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
   - ARNnet
   <http://www.arnnet.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/?fp=2&fpid=1>
   - Techworld
   <http://www.techworld.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/>




-- 


Narelle Clark
narellec at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160229/d67cf2f2/attachment.html>