[AusNOG] FYI: MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Paul Wilkins paulwilkins369 at gmail.com
Mon Feb 29 14:07:23 EST 2016


It's not very likely an optional code for US ISPs will have much impact
down the Australian end of the internet.

We are however in a very unique situation, where all (ok, most) of our
transnational traffic travels via a very few submarine cables. There really
is no reason Australian internet users should be subjected to domestically
sourced DDOS traffic. Would be very straightforward for the Federal
Government to mandate that all local ISPs implement source IP verification.

Kind regards

Paul Wilkins



On 29 February 2016 at 10:40, Narelle <narellec at gmail.com> wrote:

> Fixing the Internet's routing security is urgent and requires collaboration
>
> A volunteer participation program for ISPs to prevent route hijacks and IP
> spoofing is gaining some traction
>
> Lucian Constantin http://www.pcworld.com/author/Lucian-Constantin/
>
> IDG News Service
>
> Feb 26, 2016 10:44 AM
>
> The Internet is fragile. Many of its protocols were designed at a time when
> the goal was rapid network expansion based on trust among operators. Today,
> the Internet's open nature is what makes it so great for business,
> education and communication, but the absence of security mechanisms at its
> core is something that criminals are eager to exploit.
>
> In late January, traffic to many IP (Internet Protocol) addresses of the
> U.S. Marine Corps was temporarily diverted through an ISP in
> Venezuela. According to Doug Madory, director of Internet analysis at Dyn,
> such routing leaks occur almost on a daily basis and while many of them are
> accidents, some are clearly attempts to hijack Internet traffic.
>
> Another frequent occurrence is the hijacking of dormant or unused IP
> address spaces. Known as IP address squatting, this technique is preferred
> by email spammers who need blocks of IP addresses that haven't already
> been blacklisted by spam filters.
>
> To pull off such attacks, spammers need to find ISPs that will accept their
> fraudulent routing advertisements without too much scrutiny. In early
> February, the anti-spam outfit Spamhaus reported that Verizon
> Communications was routing over 4 million IP addresses hijacked by
> criminals, putting it in the top 10 list of ISPs worldwide who route spam
> traffic.
>
> The abuses don't stop there. The User Datagram Protocol (UDP), which is
> widely used in Internet communications, is particularly vulnerable to
> source address spoofing. This allows attackers to send data packets that
> appear to originate from other people's IP addresses.
>
> The weakness has been increasingly exploited in recent years to launch
> crippling and hard-to-trace distributed denial-of-service (DDoS) attacks.
> DDoS reflection, as the technique is known, involves attackers sending
> requests with spoofed addresses to misconfigured servers on the Internet.
> This forces those servers to send their responses to the spoofed addresses
> instead of the true IP addresses from where the requests originated.
>
> This hides the source of malicious traffic, but can also have an
> amplification effect if the generated responses are larger than the
> requests that triggered them. By using reflection against servers that run
> UDP-based services like DNS (Domain Name System), mDNS (multicast DNS), NTP
> (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP
> (Simple Network Management Protocol) and others, attackers can generate
> tens or hundreds of times more traffic than they could otherwise.
>
> All of these problems require a high level of cooperation among network
> operators to fix because, unlike other industries, the Internet has no
> central governing body that could force ISPs to implement routing security
> measures.
>
> The Internet Society (ISOC), an international non-profit organization that
> advances Internet-related standards, education and policy, strongly
> believes that tackling security issues is a shared responsibility that
> requires a collaborative approach
> http://www.internetsociety.org/collaborativesecurity. As such, in late
> 2014, the organization, together with nine network operators, launched an
> initiative called MANRS https://www.routingmanifesto.org/manrs/, or
> Mutually Agreed Norms for Routing Security.
>
> Network operators who choose to participate in the MANRS program commit to
> implementing various security controls in order to prevent the propagation
> of incorrect routing information through their networks, prevent traffic
> with spoofed source IP addresses and facilitate the validation of routing
> information globally.
>
> Over the past year, the program has grown steadily, the number of
> participants now reaching 40. ISOC hopes that MANRS membership will become
> a badge of honor or a quality mark that network operators will strive to
> obtain in order to differentiate themselves from the competition.
>
> Whether the volunteer-based approach is enough for the program to continue
> growing remains to be seen. But if it gains enough traction and becomes
> large enough, ISPs who are not interested in joining now might be pushed by
> market forces in the future. For example if three Internet providers
> compete for a project, and only one of them is MANRS-compliant, the
> customer might choose the MANRS member because it ostensibly cares more
> about security.
>
> There are network operators in countries like China or Russia that do a
> fair amount of business by offering services to cybercriminals. Such
> companies would probably not want to implement these security measures, but
> if MANRS grows large enough, they might find themselves isolated and unable
> to find uplink providers to carry their traffic internationally.
>
> Implementing the MANRS recommendations, which are based on existing
> industry best practices, can have some short-term costs for ISPs, but
> according to ISOC, that's probably not the reason why many of them have
> failed to implement them. The bigger problem, the organization believes,
> is a lack of awareness about these problems or not having the expertise to
> fix them.
>
> The methods through which routing leaks and IP address spoofing can be
> dealt with are diverse and currently documented in different places across
> the Internet. That's why ISOC and the MANRS members are working on a Best
> Current Operational Practices (BCOP) document that will bring those
> recommendations together and provide clear guidance for their
> implementation.
>
> The goal is to assist the small, regional ISPs with adopting these
> measures, because they make up around 80 percent of the Internet, said
> Andrei Robachevsky, ISOC’s technology program manager.
>
> If these ISPs were to start validating the routing announcements of their
> own customers, there would be a much smaller chance that rogue
> announcements would reach the global routing system.
>
> Another thing that the MANRS members will be working on in 2016 is a set of
> compliance tests to ensure that new potential members have indeed achieved
> the program's goals and that they remain compliant over time. One example
> of such a test is with a tool called Spoofer that checks if a network
> allows IP spoofing or not. MANRS participants could run this tool inside
> their networks periodically and report the results back.
>
> Creating more incentives for ISPs to join the program is also an important
> issue that ISOC and the existing MANRS members are discussing. For example,
> some participants are considering including MANRS requirements in their
> peering arrangements or offering higher bandwidth peering only to
> MANRS-compliant network operators, Robachevsky said.
>
> At this stage, however, the program is growing primarily by identifying and
> co-opting ISPs who are industry leaders from a security perspective. These
> are ISPs that have already implemented all of these protections on their
> own, independently of MANRS, he said.
>
> It's unlikely that the MANRS recommendations will ever be adopted by all of
> the world's network operators and unfortunately some attacks, like DDoS
> reflection, will not completely disappear without widespread implementation
> of anti-IP spoofing measures. However, even if MANRS succeeds in creating
> only small, but safe neighborhoods on the Internet, it would reduce the
> problem.
>
> Imagine a cybercriminal group that has access to 1,000 infected computers
> from around the world that are organized in a botnet. If they get a list of
> 1,000 misconfigured DNS or NTP servers, they could abuse those servers to
> amplify the traffic they could otherwise generate from those 1,000
> computers by using the DDoS reflection technique.
>
> However, if 20 percent of those infected computers were located within
> networks that prevent IP spoofing, the attackers wouldn't be able to use
> them for DDoS reflection at all, because their spoofed requests would be
> blocked by their ISPs and would never reach the vulnerable DNS or NTP
> servers.
>
> Fortunately, the MANRS proposals will be beneficial in incremental
> deployments, said Danny Cooper, a security researcher at Akamai. "Even if
> not everyone on the Internet is participating and there's only a partial
> uptake, it still reduces the places on the Internet that certain attacks
> can be launched from."
>
> The defense techniques proposed by MANRS are by no means perfect, and there
> are some techniques to partially evade them, but overall they force
> attackers to reduce the scope of their attacks, Cooper said.
>
> MANRS represents a collection of pretty smart network operators that got
> together and came up with some best practices to improve the state of
> Internet routing, said Dyn's Madory. "Regardless of whether it gains
> adoption by all ISPs, it's certainly the right thing to do. We should try to
> capture all the lessons learned from the various network engineers around
> the world and advocate for their implementation."
>
> After all, perfect or not, there aren't many alternatives to this kind of
> industry self-regulation. Attacks will only get worse with the passing of
> time and if nothing is done, there is a danger that national governments
> could intervene with legislation that will endanger the openness of the
> Internet. The fragmentation of the Internet is already happening to some
> extent due to political, economic, religious and other reasons.
>
> The good news is that the number of network operators who are implementing
> anti-spoofing and route hijacking protections is growing. According to the
> Worldwide Infrastructure Security Report released by DDoS mitigation
> provider Arbor Networks in January, an estimated 44 percent of ISPs have
> implemented anti-spoofing filters. This is up from 37 percent in 2014. In
> addition, 54 percent now also monitor for route hijacks, compared to 40
> percent in 2014. The report is based on a survey of 354 global network
> operators.
>
> "There's still a lot of room for improvement, obviously, but we are seeing
> numbers trending in the right direction," said Gary Sockrider, principal
> security technologist at Arbor Networks.
>
> According to Sockrider, during the past year Arbor Networks has observed a
> huge growth in both the number and size of DDoS reflection/amplification
> attacks, across many protocols.
>
> "I applaud the efforts of any organization, including the MANRS initiative,
> to improve security, make networks more resilient and stop things like IP
> address spoofing," Sockrider said. "I truly think that's important and I
> fully support it."
>
> ________________________________
>
> Olaf M. Kolkman
> Chief Internet Technology Officer Internet Society
>
> e-mail: kolkman at isoc.org
> LinkedIn: OlafKolkman
> Twitter: @Kolkman
>
> ________________________________
>
>
> From:
>
>
>    - ITWorld
>    <http://www.itworld.com/article/3038713/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>    - PCWorld
>    <http://www.pcworld.com/article/3038714/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>    - CIO
>    <http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>    - Computerworld
>    <http://www.computerworld.com/article/3038715/security/the-internets-routing-security-needs-an-urgent-fix-but-itll-require-collaboration.html>
>    - Networkworld
>    <http://www.networkworld.com/article/3038251/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>    - ITNews
>    <http://www.itnews.com/article/3038753/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>    - ARNnet
>    <http://www.arnnet.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/?fp=2&fpid=1>
>    - Techworld
>    <http://www.techworld.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/>
>
>
>
>
> --
>
>
> Narelle Clark
> narellec at gmail.com
>