Fixing the Internet's routing security is urgent and requires collaboration
A volunteer participation program for ISPs to prevent route hijacks and IP spoofing is gaining some traction
The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internet's open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit.
In late January, traffic to many IP (Internet Protocol) addresses of the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela. According to Doug Madory, director of Internet analysis at Dyn, such routing leaks occur almost on a daily basis and while many of them are accidents, some are clearly attempts to hijack Internet traffic.
Another frequent occurrence is the hijacking of dormant or unused IP address spaces. Known as IP address squatting, this technique is preferred by email spammers who need blocks of IP addresses that haven't already been blacklisted by spam filters.
To pull off such attacks, spammers need to find ISPs that will accept their fraudulent routing advertisements without too much scrutiny. In early February, the anti-spam outfit Spamhaus reported that Verizon Communications was routing over 4 million IP addresses hijacked by criminals, putting it in the top 10 list of ISPs worldwide who route spam traffic.
The abuses don't stop there. The User Datagram Protocol (UDP), which is widely used in Internet communications, is particularly vulnerable to source address spoofing. This allows attackers to send data packets that appear to originate from other people's IP addresses.
The weakness has been increasingly exploited in recent years to launch crippling and hard-to-trace distributed denial-of-service (DDoS) attacks. DDoS reflection, as the technique is known, involves attackers sending requests with spoofed addresses to misconfigured servers on the Internet. This forces those servers to send their responses to the spoofed addresses instead of the true IP addresses from where the requests originated.
This hides the source of malicious traffic, but can also have an amplification effect if the generated responses are larger than the requests that triggered them. By using reflection against servers that run UDP-based services like DNS (Domain Name System), mDNS (multicast DNS), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP (Simple Network Management Protocol) and others, attackers can generate tens or hundreds of times more traffic than they could otherwise.
All of these problems require a high level of cooperation among network operators to fix because, unlike other industries, the Internet has no central governing body that could force ISPs to implement routing security measures.
The Internet Society (ISOC), an international non-profit organization that advances Internet-related standards, education and policy, strongly believes that tackling security issues is a shared responsibility that requires a collaborative approach. As such, in late 2014, the organization, together with nine network operators, launched an initiative called MANRS, or Mutually Agreed Norms for Routing Security.
Network operators who choose to participate in the MANRS program commit to implementing various security controls in order to prevent the propagation of incorrect routing information through their networks, prevent traffic with spoofed source IP addresses and facilitate the validation of routing information globally.
Over the past year, the program has grown steadily, the number of participants now reaching 40. ISOC hopes that MANRS membership will become a badge of honor or a quality mark that networks operators will strive to obtain in order to differentiate themselves from the competition.
Whether the volunteer-based approach is enough for the program to continue growing remains to be seen. But if it gains enough traction and becomes large enough, ISPs who are not interested in joining now might be pushed by market forces in the future. For example if three Internet providers compete for a project, and only one of them is MANRS-compliant, the customer might choose the MANRS member because it ostensibly cares more about security.
There are network operators in countries like China or Russia that do a fair amount of business by offering services to cybercriminals. Such companies would probably not want to implement these security measures, but if MANRS grows large enough, they might find themselves isolated and unable to find uplink providers to carry their traffic internationally.
Implementing the MANRS recommendations, which are based on existing industry best practices, can have some short-term costs for ISPs, but according to ISOC, that's probably not the reason why many of them have failed to implement them. The bigger problem, the organization believes, is a lack of awareness about these problems or not having the expertise to fix them.
The methods through which routing leaks and IP address spoofing can be dealt with are diverse and currently documented in different places across the Internet. That's why ISOC and the MANRS members are working on a Best Current Operational Practices (BCOP) document that will bring those recommendations together and provide clear guidance for their implementation.
The goal is to assist the small, regional ISPs with adopting these measures, because they make up around 80 percent of the Internet, said Andrei Robachevsky, ISOC’s technology program manager.
If these ISPs were to start validating the routing announcements of their own customers, there would be a much smaller chance that rogue announcements would reach the global routing system.
Another thing that the MANRS members will be working on in 2016 is a set of compliance tests to ensure that new potential members have indeed achieved the program's goals and that they remain compliant over time. One example of such a test is with a tool called Spoofer that checks if a network allows IP spoofing or not. MANRS participants could run this tool inside their networks periodically and report the results back.
Creating more incentives for ISPs to join the program is also an important issue that ISOC and the existing MANRS members are discussing. For example, some participants are considering including MANRS requirements in their peering arrangements or offering higher bandwidth peering only to MANRS-compliant network operators, Robachevsky said.
At this stage, however, the program is growing primarily by identifying and co-opting ISPs who are industry leaders from a security perspective. These are ISPs that have already implemented all of these protections on their own, independently of MANRS, he said.
It's unlikely that the MANRS recommendations will ever be adopted by all of the world's network operators and unfortunately some attacks, like DDoS reflection, will not completely disappear without widespread implementation of anti-IP spoofing measures. However, even if MANRS succeeds in creating only small, but safe neighborhoods on the Internet, it would reduce the problem.
Imagine a cybercriminal group that has access to 1,000 infected computers from around the world that are organized in a botnet. If they get a list of 1,000 misconfigured DNS or NTP servers, they could abuse those servers to amplify the traffic they could otherwise generate from those 1,000 computers by using the DDoS reflection technique.
However, if 20 percent of those infected computers were located within networks that prevent IP spoofing, the attackers wouldn't be able to use them for DDoS reflection at all, because their spoofed requests would be blocked by their ISPs and would never reach the vulnerable DNS or NTP servers.
Fortunately, the MANRS proposals will be beneficial in incremental deployments, said Danny Cooper, a security researcher at Akamai. "Even if not everyone on the Internet is participating and there's only a partial uptake, it still reduces the places on the Internet that certain attacks can be launched from."
The defense techniques proposed by MANRS are by no means perfect, and there are some techniques to partially evade them, but overall they force attackers to reduce the scope of their attacks, Cooper said.
MANRS represents a collection of pretty smart network operators that got together and came up with some best practices to improve the state of Internet routing, said Dyn's Madory. "Regardless of whether it gains adoption by all ISPs, it's certainly the right thing do. We should try to capture all the lessons learned from the various network engineers around the world and advocate for their implementation."
After all, perfect or not, there aren't many alternatives to this kind of industry self-regulation. Attacks will only get worse with the passing of time and if nothing is done, there is a danger that national governments could intervene with legislation that will endanger the openness of the Internet. The fragmentation of the Internet is already happening to some extent due to political, economic, religious and other reasons.
The good news is that the number of network operators who are implementing anti-spoofing and route hijacking protections is growing. According to the Worldwide Infrastructure Security Report released by DDoS mitigation provider Arbor Networks in January, an estimated 44 percent of ISPs have implemented anti-spoofing filters. This is up from 37 percent in 2014. In addition, 54 percent now also monitor for route hijacks, compared to 40 percent in 2014. The report is based on a survey of 354 global network operators.
"There's still a lot of room for improvement, obviously, but we are seeing numbers trending in the right direction," said Gary Sockrider, principal security technologist at Arbor Networks.
According to Sockrider, during the past year Arbor Networks has observed a huge growth in both the number and size of DDoS reflection/amplification attacks, across many protocols.
"I applaud the efforts of any organization, including the MANRS initiative, to improve security, make networks more resilient and stop things like IP address spoofing," Sockrider said. "I truly think that's important and I fully support it."