[AusNOG] FYI: MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Chris Chaundy chris.chaundy at gmail.com
Mon Feb 29 14:38:03 EST 2016


Given the enthusiasm for implementing BCP 38 around the world, I am not
optimistic that this will get the deserved attention. :-(

On Mon, Feb 29, 2016 at 2:07 PM, Paul Wilkins <paulwilkins369 at gmail.com>
wrote:

> It's not very likely an optional code for US ISPs will have much impact
> down the Australian end of the internet.
>
> We are however in a very unique situation, where all (ok, most) of our
> transnational traffic travels via a very few submarine cables. There really
> is no reason Australian internet users should be subjected to domestically
> sourced DDoS traffic. Would be very straight forward for the Federal
> Government to mandate that all local ISPs implement source IP verification.
>
> Kind regards
>
> Paul Wilkins
>
>
>
> On 29 February 2016 at 10:40, Narelle <narellec at gmail.com> wrote:
>
>> Fixing the Internet's routing security is urgent and requires
>> collaboration
>>
>> A volunteer participation program for ISPs to prevent route hijacks and IP
>> spoofing is gaining some traction
>>
>> Lucian Constantin http://www.pcworld.com/author/Lucian-Constantin/
>>
>> IDG News Service
>>
>> Feb 26, 2016 10:44 AM
>>
>> The Internet is fragile. Many of its protocols were designed at a time when
>> the goal was rapid network expansion based on trust among operators. Today,
>> the Internet's open nature is what makes it so great for business,
>> education and communication, but the absence of security mechanisms at its
>> core is something that criminals are eager to exploit.
>>
>> In late January, traffic to many IP (Internet Protocol) addresses of the
>> U.S. Marine Corps was temporarily diverted through an ISP in Venezuela.
>> According to Doug Madory, director of Internet analysis at Dyn, such
>> routing leaks occur almost on a daily basis and while many of them are
>> accidents, some are clearly attempts to hijack Internet traffic.
>>
>> Another frequent occurrence is the hijacking of dormant or unused IP
>> address spaces. Known as IP address squatting, this technique is preferred
>> by email spammers who need blocks of IP addresses that haven't already
>> been blacklisted by spam filters.
>>
>> To pull off such attacks, spammers need to find ISPs that will accept their
>> fraudulent routing advertisements without too much scrutiny. In early
>> February, the anti-spam outfit Spamhaus reported that Verizon
>> Communications was routing over 4 million IP addresses hijacked by
>> criminals, putting it in the top 10 list of ISPs worldwide who route spam
>> traffic.
>>
>> The abuses don't stop there. The User Datagram Protocol (UDP), which is
>> widely used in Internet communications, is particularly vulnerable to
>> source address spoofing. This allows attackers to send data packets that
>> appear to originate from other people's IP addresses.
>>
>> The weakness has been increasingly exploited in recent years to launch
>> crippling and hard-to-trace distributed denial-of-service (DDoS) attacks.
>> DDoS reflection, as the technique is known, involves attackers sending
>> requests with spoofed addresses to misconfigured servers on the Internet.
>> This forces those servers to send their responses to the spoofed addresses
>> instead of the true IP addresses from where the requests originated.
>>
>> This hides the source of malicious traffic, but can also have an
>> amplification effect if the generated responses are larger than the
>> requests that triggered them. By using reflection against servers that run
>> UDP-based services like DNS (Domain Name System), mDNS (multicast DNS), NTP
>> (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP
>> (Simple Network Management Protocol) and others, attackers can generate
>> tens or hundreds of times more traffic than they could otherwise.
>>
>> All of these problems require a high level of cooperation among network
>> operators to fix because, unlike other industries, the Internet has no
>> central governing body that could force ISPs to implement routing security
>> measures.
>>
>> The Internet Society (ISOC), an international non-profit organization that
>> advances Internet-related standards, education and policy, strongly
>> believes that tackling security issues is a shared responsibility that
>> requires a collaborative approach
>> http://www.internetsociety.org/collaborativesecurity. As such, in late
>> 2014, the organization, together with nine network operators, launched an
>> initiative called MANRS https://www.routingmanifesto.org/manrs/, or
>> Mutually Agreed Norms for Routing Security.
>>
>> Network operators who choose to participate in the MANRS program commit to
>> implementing various security controls in order to prevent the propagation
>> of incorrect routing information through their networks, prevent traffic
>> with spoofed source IP addresses and facilitate the validation of routing
>> information globally.
>>
>> Over the past year, the program has grown steadily, the number of
>> participants now reaching 40. ISOC hopes that MANRS membership will become
>> a badge of honor or a quality mark that networks operators will strive to
>> obtain in order to differentiate themselves from the competition.
>>
>> Whether the volunteer-based approach is enough for the program to continue
>> growing remains to be seen. But if it gains enough traction and becomes
>> large enough, ISPs who are not interested in joining now might be pushed by
>> market forces in the future. For example, if three Internet providers
>> compete for a project, and only one of them is MANRS-compliant, the
>> customer might choose the MANRS member because it ostensibly cares more
>> about security.
>>
>> There are network operators in countries like China or Russia that do a
>> fair amount of business by offering services to cybercriminals. Such
>> companies would probably not want to implement these security measures, but
>> if MANRS grows large enough, they might find themselves isolated and unable
>> to find uplink providers to carry their traffic internationally.
>>
>> Implementing the MANRS recommendations, which are based on existing
>> industry best practices, can have some short-term costs for ISPs, but
>> according to ISOC, that's probably not the reason why many of them have
>> failed to implement them. The bigger problem, the organization believes,
>> is a lack of awareness about these problems or not having the expertise to
>> fix them.
>>
>> The methods through which routing leaks and IP address spoofing can be
>> dealt with are diverse and currently documented in different places across
>> the Internet. That's why ISOC and the MANRS members are working on a Best
>> Current Operational Practices (BCOP) document that will bring those
>> recommendations together and provide clear guidance for their
>> implementation.
>>
>> The goal is to assist the small, regional ISPs with adopting these
>> measures, because they make up around 80 percent of the Internet, said
>> Andrei Robachevsky, ISOC’s technology program manager.
>>
>> If these ISPs were to start validating the routing announcements of their
>> own customers, there would be a much smaller chance that rogue
>> announcements would reach the global routing system.
>>
>> Another thing that the MANRS members will be working on in 2016 is a set of
>> compliance tests to ensure that new potential members have indeed achieved
>> the program's goals and that they remain compliant over time. One example
>> of such a test is with a tool called Spoofer that checks if a network
>> allows IP spoofing or not. MANRS participants could run this tool inside
>> their networks periodically and report the results back.
>>
>> Creating more incentives for ISPs to join the program is also an important
>> issue that ISOC and the existing MANRS members are discussing. For example,
>> some participants are considering including MANRS requirements in their
>> peering arrangements or offering higher bandwidth peering only to
>> MANRS-compliant network operators, Robachevsky said.
>>
>> At this stage, however, the program is growing primarily by identifying and
>> co-opting ISPs who are industry leaders from a security perspective. These
>> are ISPs that have already implemented all of these protections on their
>> own, independently of MANRS, he said.
>>
>> It's unlikely that the MANRS recommendations will ever be adopted by all of
>> the world's network operators and unfortunately some attacks, like DDoS
>> reflection, will not completely disappear without widespread implementation
>> of anti-IP spoofing measures. However, even if MANRS succeeds in creating
>> only small, but safe neighborhoods on the Internet, it would reduce the
>> problem.
>>
>> Imagine a cybercriminal group that has access to 1,000 infected computers
>> from around the world that are organized in a botnet. If they get a list of
>> 1,000 misconfigured DNS or NTP servers, they could abuse those servers to
>> amplify the traffic they could otherwise generate from those 1,000
>> computers by using the DDoS reflection technique.
>>
>> However, if 20 percent of those infected computers were located within
>> networks that prevent IP spoofing, the attackers wouldn't be able to use
>> them for DDoS reflection at all, because their spoofed requests would be
>> blocked by their ISPs and would never reach the vulnerable DNS or NTP
>> servers.
>>
>> Fortunately, the MANRS proposals will be beneficial in incremental
>> deployments, said Danny Cooper, a security researcher at Akamai. "Even if
>> not everyone on the Internet is participating and there's only a partial
>> uptake, it still reduces the places on the Internet that certain attacks
>> can be launched from."
>>
>> The defense techniques proposed by MANRS are by no means perfect, and there
>> are some techniques to partially evade them, but overall they force
>> attackers to reduce the scope of their attacks, Cooper said.
>>
>> MANRS represents a collection of pretty smart network operators that got
>> together and came up with some best practices to improve the state of
>> Internet routing, said Dyn's Madory. "Regardless of whether it gains
>> adoption by all ISPs, it's certainly the right thing to do. We should try to
>> capture all the lessons learned from the various network engineers around
>> the world and advocate for their implementation."
>>
>> After all, perfect or not, there aren't many alternatives to this kind of
>> industry self-regulation. Attacks will only get worse with the passing of
>> time and if nothing is done, there is a danger that national governments
>> could intervene with legislation that will endanger the openness of the
>> Internet. The fragmentation of the Internet is already happening to some
>> extent due to political, economic, religious and other reasons.
>>
>> The good news is that the number of network operators who are implementing
>> anti-spoofing and route hijacking protections is growing. According to the
>> Worldwide Infrastructure Security Report released by DDoS mitigation
>> provider Arbor Networks in January, an estimated 44 percent of ISPs have
>> implemented anti-spoofing filters. This is up from 37 percent in 2014. In
>> addition, 54 percent now also monitor for route hijacks, compared to 40
>> percent in 2014. The report is based on a survey of 354 global network
>> operators.
>>
>> "There's still a lot of room for improvement, obviously, but we are seeing
>> numbers trending in the right direction," said Gary Sockrider, principal
>> security technologist at Arbor Networks.
>>
>> According to Sockrider, during the past year Arbor Networks has observed a
>> huge growth in both the number and size of DDoS reflection/amplification
>> attacks, across many protocols.
>>
>> "I applaud the efforts of any organization, including the MANRS initiative,
>> to improve security, make networks more resilient and stop things like IP
>> address spoofing," Sockrider said. "I truly think that's important and I
>> fully support it."
>>
>> ________________________________
>>
>> Olaf M. Kolkman
>> Chief Internet Technology Officer Internet Society
>>
>> e-mail: kolkman at isoc.org
>> LinkedIn:OlafKolkman
>> Twitter: @Kolkman
>>
>> ________________________________
>>
>>
>> From:
>>
>>
>>    - ITWorld
>>    <http://www.itworld.com/article/3038713/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>>    - PCWorld
>>    <http://www.pcworld.com/article/3038714/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>>    - CIO
>>    <http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>>    - Computerworld
>>    <http://www.computerworld.com/article/3038715/security/the-internets-routing-security-needs-an-urgent-fix-but-itll-require-collaboration.html>
>>    - Networkworld
>>    <http://www.networkworld.com/article/3038251/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>>    - ITNews
>>    <http://www.itnews.com/article/3038753/fixing-the-internets-routing-security-is-urgent-and-requires-collaboration.html>
>>    - ARNnet
>>    <http://www.arnnet.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/?fp=2&fpid=1>
>>    - Techworld
>>    <http://www.techworld.com.au/article/594858/fixing-internet-routing-security-urgent-requires-collaboration/>
>>
>>
>>
>>
>> --
>>
>>
>> Narelle Clark
>> narellec at gmail.com
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
>
>
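The two controls the forwarded article keeps returning to, source-address validation at the customer edge (BCP 38) and validation of a customer's own BGP announcements, as an added illustration that is not part of this thread, of the article, or of MANRS' own material: a small Python model of an ingress filter on customer-facing ports, the amplified traffic it keeps from reaching reflectors, and a prefix filter for a single-homed customer's announcements. The interface names, customer prefixes, ASNs, IRR-style registrations, sample packets and amplification ratios are all constructed, and "strict uRPF" is modelled as a lookup in a static per-port table rather than a real forwarding table.

```python
"""Toy model of two MANRS-style controls: BCP 38 source-address validation on
customer-facing ports and prefix filtering of customer BGP announcements.
All tables, packets and ratios below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Constructed: prefixes the ISP routes towards each customer-facing interface.
# Strict uRPF / BCP 38 on that interface accepts only sources inside them.
CUSTOMER_PREFIXES = {
    "cust-A": [Net("203.0.113.0/24")],
    "cust-B": [Net("198.51.100.0/25"), Net("198.51.100.128/26")],
}

# Constructed: what each customer ASN has registered (IRR-style route objects).
REGISTERED_ROUTES = {
    64500: [Net("203.0.113.0/24")],
    64501: [Net("198.51.100.0/24")],
}
MAX_PREFIX_LEN = 24  # do not accept anything more specific than a /24

# Never accept these from a customer, registered or not.
BOGONS = [Net(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
                           "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
                           "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/3")]

# Constructed, rough response-to-request byte ratios for the UDP services the
# article names (DNS, NTP, SSDP, SNMP); real values depend on the query used.
AMPLIFICATION = {53: 28, 123: 556, 1900: 30, 161: 6}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as written in the packet (possibly spoofed)
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    size: int      # request bytes


def bcp38_permits(pkt: Packet) -> bool:
    """Ingress filter: forward only if the source lies in a prefix the ISP
    actually routes towards the ingress interface (strict-uRPF behaviour)."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in p for p in CUSTOMER_PREFIXES.get(pkt.ingress, []))


def filter_packets(pkts):
    """Split a request stream into (forwarded, dropped) under BCP 38."""
    forwarded = [p for p in pkts if bcp38_permits(p)]
    dropped = [p for p in pkts if not bcp38_permits(p)]
    return forwarded, dropped


def reflected_volume(pkts, filter_enabled: bool) -> int:
    """Bytes the reflectors would emit in reply to this request stream. For
    spoofed requests those bytes land on the victim; the edge filter drops
    the spoofed requests before they ever reach a reflector."""
    total = 0
    for p in pkts:
        if p.proto != "udp" or p.dport not in AMPLIFICATION:
            continue
        if filter_enabled and not bcp38_permits(p):
            continue
        total += p.size * AMPLIFICATION[p.dport]
    return total


def accept_announcement(customer_asn: int, prefix: str, origin_asn: int) -> bool:
    """Accept a single-homed customer's BGP announcement only if it is the
    customer's own registered space, not a bogon, and not more specific than
    MAX_PREFIX_LEN. Anything else is a leak, a hijack or a squatted block."""
    net = Net(prefix)
    if net.prefixlen > MAX_PREFIX_LEN:
        return False
    if any(net.subnet_of(b) for b in BOGONS):
        return False
    if origin_asn != customer_asn:   # a stub must not originate other ASNs
        return False
    return any(net.subnet_of(r) for r in REGISTERED_ROUTES.get(origin_asn, []))


# Constructed request stream: two legitimate requests, three spoofed
# reflection requests (a neighbour's address, an unassigned address inside the
# customer's aggregate, and an RFC 1918 source), plus one TCP flow.
SAMPLE_PACKETS = [
    Packet("cust-A", "203.0.113.10", "192.0.2.53", "udp", 53, 60),
    Packet("cust-A", "198.51.100.7", "192.0.2.123", "udp", 123, 60),
    Packet("cust-B", "198.51.100.150", "192.0.2.19", "udp", 1900, 100),
    Packet("cust-B", "198.51.100.200", "192.0.2.19", "udp", 1900, 100),
    Packet("cust-A", "10.0.0.5", "192.0.2.161", "udp", 161, 80),
    Packet("cust-A", "203.0.113.20", "192.0.2.80", "tcp", 80, 500),
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} spoofed")
    print("reflector output without filter:", reflected_volume(SAMPLE_PACKETS, False))
    print("reflector output with filter:   ", reflected_volume(SAMPLE_PACKETS, True))
    for asn, pfx, origin in [(64500, "203.0.113.0/24", 64500),
                             (64500, "203.0.113.0/25", 64500),
                             (64500, "192.0.2.0/24", 64500),
                             (64500, "198.51.100.0/24", 64501)]:
        print(asn, pfx, "via AS", origin, "->", accept_announcement(asn, pfx, origin))
```

The point of the second spoofed packet (198.51.100.200 arriving on cust-B's port) is that filtering on the customer's aggregate /24 would have let it through; strict validation has to use the prefixes actually routed to that port. On real equipment the same check is a `ip verify unicast source reachable-via rx`-style setting or an ingress ACL per customer port, and the announcement filter is a per-customer prefix-list built from the registry data, which is what the Spoofer tool and the planned compliance tests in the article would be verifying from outside.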

