Online tool seeks to improve routing security

Backers hope a new online tool to monitor the state of internet routing security will improve the stability of the net, as well as helping to safeguard against increasing digital threats.

MANRS Observatory, launched today (Tuesday), measures the extent of networks’ compliance with MANRS (Mutually Agreed Norms for Routing Security), an indicator of routing security and resiliency of the internet.

The Observatory shows the extent of networks’ adherence to routing security standards. It also allows users (typically technical staff at ISPs, internet hubs and cloud providers) to track the number of routing incidents by either region or country.

The tool aggregates data from a number of trusted third-party sources into an online dashboard. This snapshot enables network operators to more easily identify problematic areas in order to help them improve the security of their networks.

“Routing security is based almost entirely on trust between networks,” said Andrei Robachevsky, senior technology program manager at the Internet Society, who helped produce the tool alongside the MANRS community.

“One of the advantages of the MANRS Observatory is that it adds an element of accountability,” Robachevsky told The Daily Swig.

Last year, there were 12,600 routing outages or attacks – such as hijacking, leaks, and spoofing – that resulted in stolen data, lost revenues, and reputational damage, according to Robachevsky. This compares to 14,400 such problems in 2017.

Many of these issues relate to Border Gateway Protocol (BGP), the technology used for exchanging preferred routing path information between carriers and ISPs.

For example, last November a routing leak by a Nigerian ISP caused some of Google’s traffic to be misrouted through China, leading to outages in many parts of the world. In April 2018, Amazon’s Route 53 DNS service was hijacked to steal Ethereum cryptocurrency from myetherwallet.com.

BGP insecurity has been a problem for years, but improving it is both technically and economically challenging, with no compelling business case for individual ISPs to upgrade their standards.

Problems can arise through either route leaks or equipment misconfiguration, as well as outages. It’s suspected that nation-states have abused BGP’s inherent insecurity to re-route and harvest internet traffic. The extent of such suspected abuse is unclear.

Improving ISP accountability

The MANRS Observatory is designed to improve accountability and transparency, as well as raising awareness about routing insecurity.

“It’s difficult to separate malice from mistakes,” Robachevsky said. “You can disguise some malign things as configuration mistakes.”

Robachevsky explained that any ISP that improves its routing security or blocks incorrect routing announcements made by a customer helps the internet community as a whole without directly increasing its revenues or decreasing costs.

“MANRS is seeing steady adoption, but we need more networks to implement the actions and more customers to demand routing security best practices,” he said.

“The more network operators applying MANRS actions, the fewer incidents happening, the less damage done. Our hope is that the MANRS Observatory will help drive greater participation,” he added.

MANRS maketh MAN

MANRS, a worldwide networking community-based initiative, supported by the Internet Society, aims to reduce the most common threats to the internet’s routing system through technical and collaborative action.

Since starting in 2014, MANRS has grown its participants to include network operators from small regional ISPs to Tier-1 carrier networks, with 201 ISPs and 34 Internet Exchange Points already signed up. Tier-1 cloud and managed service providers have recently been invited to join, with Microsoft and Google among the new recruits.

“For small ISPs MANRS does not require much - most of the actions require a review of the configuration and ensuring that controls are in place,” Robachevsky explained.

“For networks with more dynamic changes (e.g. the changing customer base) automation should be in place.

“In many cases MANRS means adding additional controls to the already existing provisioning system/process. The most difficult case is networks that are acquiring other networks - that might require a revamp of network management practices.

“But even in this case, implementing MANRS is still a fraction of the costs of properly automated general network management systems.”

Participants in the initiative can see how they and their peers are performing through the use of the MANRS Observatory tool.

In addition, it’s hoped that policymakers might be able to take advantage of MANRS best practices as a compliance goal for routing security and resilience.

