Improving Technical Security 8 January 2013

Observations from the Routing Resiliency Measurements Workshop

By Andrei RobachevskyFormer Senior Director, Technology Programmes
Internet SocietyGuest Author

On many occasions when I talk to network operators about routing security a question of risk comes up.

Quite a few well-known and analyzed incidents, like the YouTube prefix hijack or the China Telecom traffic detour, clearly demonstrate vulnerabilities in the routing system that can be exploited and that present a real threat. But while everyone agrees there are vulnerabilities, the real questions are (1) What are the frequency and probability of security incidents, and (2) What are their operational and economic ramifications?

Not answering these questions means ignoring or accepting the risks by default – and that is the dominant trend among ISPs. Having no answers is also an indication of low operator awareness and, subsequently, lack of motivation to do something about it.

A better grasp of what’s happening in Internet routing would inform operators’ decisions regarding proactive and reactive measures they can deploy to mitigate risk.

To address this issue, the Internet Society organized a routing resiliency measurements workshop on 2-3 November 2012, inviting researchers and operators to share their experience and data and try to find answers to several important questions:

  1. What level of attack has there been in the past – to what extent do security incidents happen, but go unnoticed, or get dealt with inside a single network, possibly introducing collateral damage?
  2. Are the number and impact of service disruptions and malicious activity stable, increasing, or decreasing?
  3. Can we understand why, and track it collectively?

The workshop was divided into three main sections:

  • Measurement methodology and frameworks: We looked at different methodologies, their limitations, and available data sets used for the analysis of suspicious events related to inter-domain routing in the Internet.
  • Research analysis and operational data: Participants presented and discussed analysis of data related to routing resilience coming from both researchers and operational experience.
  • Metrics and long-term monitoring: This discussion focused on which metrics could be a useful representation of routing resiliency in the Internet, both to inform operators’ actions and facilitate a long-term monitoring and trend analysis.

We just published a report on the workshop that documents main points of discussions, main conclusions, and forward-looking suggestions.

One of the conclusions was that not knowing the operator’s real routing policy makes it difficult to separate legitimate changes from attacks. Several approaches presented at the workshop allow the number of false positives to be minimized, but do not provide an answer to how much goes under the radar.

We also observed that many operators do not specifically track routing security incidents, making it difficult to collect sensible operational statistics. This is a missing piece that could facilitate risk assessment and measure the effectiveness of mitigation techniques.

Lack of well-defined and actionable metrics and common vocabulary are two of the main limitations for consistent long-term monitoring and trend analysis. It is difficult to say how the system evolves, or whether it is getting better or worse.

Did the workshop have answers to all of these difficult issues? Well, no, but it provided a good starting point for moving forward based on a common understanding of the challenge.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Improving Technical Security 23 October 2019

Securing the Internet: Introducing Oracle Internet Intelligence IXP Filter Check

Oracle is an Organization Member of the Internet Society. We welcome this guest post announcing a new tool that...

Improving Technical Security 4 October 2019

Network Operators in Latin America and the Caribbean Take Steps to Strengthen Routing Security

2019 has been a very good year for the Internet in Latin America and the Caribbean. In May, during...