Abusing the vulnerabilities of the routing system for various types of malicious activities – like sending spam or spreading malware – is a growing trend. This is the major point I took away from a detailed review Doug Madory from Dyn Research published last week highlighting six examples of bogus routing announcements that represent IP address and ASN squatting or hijacking and path manipulation. As Doug's analysis suggests, these are not fat fingers, but planned attacks.
Unlike DoS incidents with high public exposure, like the YouTube route hijacking, these incidents have less impact on network operations and may go unnoticed for months. The criminals are trying to avoid exposure and are often squatting on unused address space, or limiting the propagation of bogus announcements. So on the surface it looks like nothing bad happens in the network, apart from increased volumes of spam and malware and even more difficulty in making attribution and tracking down the criminals.
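The announcements Doug Madory's review describes fall into a few recognisable classes: a prefix announced from the wrong origin AS (hijack), a more-specific carved out of someone else's block, and announcements for space nobody has registered an intention to route (squatting). The following is an added example, not code from the Dyn review or from the MANRS effort: a small origin-validation check in the spirit of RPKI ROAs. The expected-origin records, prefixes and AS numbers are constructed for illustration (documentation prefixes and private ASNs), and the classification labels are my own.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Roa(NamedTuple):
    """Expected-origin record: who may originate this prefix, and down to what length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


# Constructed records (hypothetical; RFC 5737 documentation prefixes, private ASNs).
EXPECTED_ORIGINS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("203.0.113.0/24", 24, 64502),
]
ROAS = [Roa(ipaddress.ip_network(p), ml, asn) for p, ml, asn in EXPECTED_ORIGINS]

# Constructed observed announcements: (prefix, AS path, origin AS last).
OBSERVED = [
    ("192.0.2.0/24", [64510, 64500]),        # legitimate origin
    ("192.0.2.0/24", [64520, 64666]),        # same prefix, wrong origin: hijack
    ("198.51.100.0/23", [64510, 64501]),     # more-specific within the permitted length
    ("198.51.100.128/25", [64520, 64501]),   # right origin, but longer than max_length
    ("203.0.113.0/25", [64530, 64666]),      # more-specific from the wrong origin
    ("100.64.0.0/22", [64540, 64666]),       # no record at all: candidate for squatting
]


def covering_roas(roas: List[Roa], prefix: ipaddress.IPv4Network) -> List[Roa]:
    """Return every record whose prefix contains (or equals) the announced prefix."""
    return [r for r in roas if prefix.subnet_of(r.prefix)]


def validate(roas: List[Roa], prefix_str: str, as_path: List[int]) -> str:
    """Classify one announcement against the expected-origin records.

    valid          - origin matches a covering record and the length is permitted
    invalid-length - origin matches, but the announcement is more specific than allowed
    invalid-origin - the prefix is covered, but no record permits this origin AS
    unknown        - nothing covers this prefix (unregistered space; worth a closer look)
    """
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    covering = covering_roas(roas, prefix)
    if not covering:
        return "unknown"
    if any(r.origin_as == origin and prefix.prefixlen <= r.max_length for r in covering):
        return "valid"
    if any(r.origin_as == origin for r in covering):
        return "invalid-length"
    return "invalid-origin"


def audit(roas: List[Roa], announcements) -> List[Tuple[str, Tuple[int, ...], str]]:
    """Run validate() over a batch and return (prefix, path, verdict) triples."""
    return [(p, tuple(path), validate(roas, p, path)) for p, path in announcements]


def summarise(results) -> dict:
    """Count verdicts so an operator can see at a glance what needs attention."""
    counts: dict = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for prefix, path, verdict in audit(ROAS, OBSERVED):
        print(f"{prefix:20} via {' '.join(map(str, path)):16} -> {verdict}")
    print(summarise(audit(ROAS, OBSERVED)))
```

Two caveats follow directly from the post. First, an "unknown" verdict is exactly the quiet squatting case: nothing legitimate is disturbed, so only an operator who looks for announcements of space with no registered origin will notice. Second, origin validation alone does not catch path manipulation, where the legitimate origin is kept at the end of a forged path; that is why the check above is a starting point for monitoring, not a substitute for neighbours filtering what they accept and propagate.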
So do network operators really need to be concerned?
The answer is yes.
There is more to it.
This trend corrodes the global routing system, and as it develops collateral damage will only grow. Let me mention just two aspects of it:
- Reputation. Network and address blocks have a higher chance of getting into various black lists, which will affect services of network’s customers and users. This might also affect a network’s ability to make peering arrangements.
- Denial of service. The attackers are less careful sometimes, especially for short and medium-term attacks. They may not bother to check whether the address space they are abusing is used by a network or its customers. And this may result in intermittent service outages that are difficult to debug.
Then why do so many network operators appear unconcerned?
I think, partly, this is an awareness issue and analyses from Dyn Research, BGPmon, and RIPE Labs help articulate the problem better and educate folks. But there are a couple of more fundamental issues at hand:
- Network protection is in fact in the hands of other networks. To protect the network from hijacking, other networks have to act and take measures.
- Deploying protective measures often has costs and less obvious benefits for one’s own network. Another way of looking at this, though, is what Paul Vixie calls a "chemical polluter business model" where the profit occurs “here” whereas the costs are shifted onto the larger economy, “down there.”
Yet, we have to break this vicious circle when folks push "toxic waste" into the commons, only to discover that the commons is too polluted to be useful.
And by the way, there is a third aspect of collateral damage - it reinforces the perception of some regulators and policy makers that the industry cannot solve this problem on its own and that regulatory action has to be taken.
MANRS – the “Mutually Agreed Norms for Routing Security” document and effort we launched a few months ago – can help here. It contains recommendations that are optimized for low costs and low risk. And it demonstrates a growing group of network operators that are concerned and are willing to take action.
If MANRS recommendations are already implemented in your network - please sign up to give support to this effort and encourage others.
If your network is not already implementing these measures, now is the time to start. By implementing them you will be moving not only your network but the Internet as a whole to a model where one of the Internet's core components – its global routing infrastructure - is more secure, resilient, and less prone to abuse. The impacts will be felt on your network as well as others.
Caring collaboratively for our shared resource is the only safe way forward.