According to the Internet Society, during 2018, approximately 12,600 deliberate routing attacks or accidental routing outages occurred. Whether malicious or inadvertent, many incidents involved the Border Gateway Protocol. BGP hijacking has resulted in the theft of cryptocurrencies and data, and BGP leaks have led to widespread outages. For example, Google suffered severe outages in several regions as the result of a routing leak at an ISP in Nigeria that rerouted a portion of Google's traffic through China. Another incident in 2019 took down some of the internet's biggest sites, including Facebook, eBay, and Amazon. When Pakistan tried to block access to YouTube within the country in 2008, it took down YouTube in many other countries. There is also some evidence that BGP vulnerabilities are frequently exploited by hostile governments, espionage and intelligence agencies, and extremist groups.
The issues with the insecure nature of BGP have been known for many years. After all, the protocol relies on autonomous systems trusting other autonomous systems. The system receiving an advertisement or IP prefix from another system has no way of verifying the integrity or origin of the advertisement, so BGP is truly a case of blind trust, and blind trust is seldom a great approach to cybersecurity. Blind trust can lead employees to accept a phishing email as legitimate or harmless almost as easily as it can lead one system to accept another system's advertisement as legitimate, appropriate, and preferred.
How Minding Your MANRS Can Help
The Mutually Agreed Norms for Routing Security, or MANRS, is a global initiative spearheaded by the Internet Society. There are four basic MANRS every ISP should follow.
- Filtering: Many leaks can be mitigated or prevented by ensuring that the filters for the announcements of the ISP and its customers are kept current.
- Anti-spoofing: Spoofed source addresses can propagate rapidly. Packets with an incorrect source IP address should be prevented from entering the network as well as leaving it.
- Coordination: Up-to-date, globally accessible contact information is essential to help solve emergencies quickly.
- Global validation: Every ISP should publish its routing policy data in IRR or RPKI repositories. These repositories are critical to help block BGP prefix hijacking.
What Is the MANRS Observatory?
The MANRS Observatory is a new tool that provides ISPs with insights into how well they and other ISPs are adhering to MANRS. The tool collects data from several trustworthy third-party sources. A snapshot of the aggregated data allows ISPs to identify potentially problematic areas that need to be improved to enhance security. The purpose of the tool is to raise awareness about the current state of routing insecurity, provide better transparency, and improve ISP accountability. In addition, government policymakers could use MANRS to define the best practices or draft compliance regulations for routing resilience and control.
Why Should an ISP Embrace MANRS?
Since the security issues inherent in BGP have been known for so long, one might think that ISPs would have been very proactive about solutions. However, many ISPs do not prioritize routing security until they are impacted directly, because its primary beneficiaries are the network's users, not the operator of the network. Therefore, many ISPs have been reluctant to invest time or money in something that will not provide a direct financial benefit.
However, this type of thinking ignores the need for long-term solutions. As more incidents occur, more damage will be done. With the increased transparency provided by the MANRS Observatory, poorly secured ISPs could see their customers migrating to an ISP with better security.
Fortunately, many ISPs can mind their MANRS without incurring a significant expense. For example, a small ISP may not need to do much more than review configurations and ensure that the proper controls are present. Other ISPs may need to embrace automation to a greater extent or add supplementary controls.
Although complying with MANRS is still voluntary, there could come a time when it is mandatory. Whether voluntary or mandatory, however, MANRS compliance makes sense for ISPs of all sizes. It helps make the internet a better, safer, more useful environment for everyone, which is the mission of every member of the Abusix team. We offer a number of valuable solutions for ISPs seeking to mitigate abuse and other threats.