MANRS: Mutually Agreed Norms for Routing Security


What are Routing Incidents? (Part 4)

July 16, 2020 by Kevin Meynell

So far this week, we’ve talked about what routing is, how it works, and some of its general challenges. Now, let’s get specific about some of the biggest issues facing the Internet’s routing system.

What is BGP Hijacking?

A BGP hijack, or route hijack, happens when a network announces IP prefixes that belong to someone else as if it were their legitimate origin. The announcement may cover the victim’s exact prefix, or a more specific (longer) prefix inside it; because routers forward on the longest matching prefix, a more specific announcement attracts the traffic even while the legitimate route is still being announced. If neighboring networks accept this false information and propagate it further using BGP, it distorts the “roadmap” of the Internet, and traffic is forwarded to the hijacker instead of its legitimate destination.

This is sometimes due to simple carelessness, such as a typo in a router configuration, but it is often done deliberately to intercept traffic (censorship, for example) or to cause a denial-of-service attack (e.g. shut down a website). By masquerading as another network, the hijacker can pull traffic into its own network while the victim suffers an outage.

Returning to our routing-is-like-online-dating analogy, let’s say Juan is talking to Maria and things are going great. Then, seemingly out of nowhere, Juan can’t talk to Maria. Every time he tries to send her a message, it disappears. It turns out, Chad also likes Maria and has stolen and read all of Juan’s messages to Maria. Maria *might* get the messages eventually, but Chad got to read and/or alter them first.
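The following added example (it is not code from the original post or from MANRS) shows the hijack mechanics described above in a few lines of Python: a routing table with a legitimate /16 and a hijacker’s more specific /24 inside it, the longest-prefix-match lookup that lets the /24 win, and a minimal check that refuses announcements whose origin or length does not match what is known about the covering prefix. The ASNs (64500, 64666), the RFC 1918 prefixes and the KNOWN_ORIGINS table are constructed assumptions; the post does not describe a specific filtering mechanism.

```python
"""Added example (not from the original post): how a more-specific BGP
announcement captures traffic, and a minimal origin check that rejects it.

Constructed scenario: AS 64500 legitimately originates 10.10.0.0/16, and a
hijacker, AS 64666, announces 10.10.5.0/24 inside it. ASNs are from the
private range and prefixes from RFC 1918 space; they are assumptions chosen
for illustration only.
"""
from ipaddress import ip_address, ip_network

VICTIM_AS = 64500
HIJACKER_AS = 64666

# A routing table as a list of (prefix, origin AS) entries.
LEGITIMATE_RIB = [(ip_network("10.10.0.0/16"), VICTIM_AS)]
HIJACKED_RIB = LEGITIMATE_RIB + [(ip_network("10.10.5.0/24"), HIJACKER_AS)]


def longest_match(rib, destination):
    """Return the (prefix, origin) entry with the longest prefix that covers
    destination, or None. Routers forward on longest prefix match, so a more
    specific announcement wins regardless of who really holds the space."""
    dst = ip_address(destination)
    best = None
    for prefix, origin in rib:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, origin)
    return best


def forwarding_as(rib, destination):
    """The AS that ends up receiving traffic sent to destination."""
    match = longest_match(rib, destination)
    return None if match is None else match[1]


# Constructed table of who may originate which space and how specific an
# announcement may be: covering prefix -> (authorized origin, max prefix length).
# It stands in for whatever prefix/origin data an operator checks against; the
# post itself does not describe a specific mechanism, so this is an assumption.
KNOWN_ORIGINS = {ip_network("10.10.0.0/16"): (VICTIM_AS, 20)}


def accept_announcement(prefix, origin_as, known=KNOWN_ORIGINS):
    """Accept a received announcement only if a covering entry exists, the
    origin matches it and the prefix is no longer than the entry allows."""
    prefix = ip_network(str(prefix))
    for covering, (authorized_origin, max_len) in known.items():
        if prefix.subnet_of(covering):
            return origin_as == authorized_origin and prefix.prefixlen <= max_len
    return False  # unknown space: do not accept


def filtered_rib(announcements, known=KNOWN_ORIGINS):
    """Routing table after applying accept_announcement to every received route."""
    return [(p, o) for p, o in announcements if accept_announcement(p, o, known)]


if __name__ == "__main__":
    for label, rib in (("before hijack", LEGITIMATE_RIB), ("during hijack", HIJACKED_RIB)):
        print(f"{label}: 10.10.5.7 -> AS{forwarding_as(rib, '10.10.5.7')}, "
              f"10.10.9.1 -> AS{forwarding_as(rib, '10.10.9.1')}")
    print(f"with origin filter: 10.10.5.7 -> "
          f"AS{forwarding_as(filtered_rib(HIJACKED_RIB), '10.10.5.7')}")
```

Note that only hosts inside the hijacked /24 are diverted; the rest of the /16 keeps reaching AS 64500, which is why a partial hijack can go unnoticed for a while. The filter rejects the /24 both because its origin is wrong and because it is longer than the covering entry allows.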

What is a BGP Leak?

Similar to a hijack is a BGP leak, or route leak. Many organizations connect to more than one network, or upstream provider, to increase reliability or performance, a practice called multihoming. A route leak happens when such an organization announces routes it learned from one upstream provider to its other upstream provider, so that the second provider now sees a path to those destinations through the organization’s network, regardless of whether that is a desirable or intended path. (RFC 7908 defines a route leak more generally as the propagation of a routing announcement beyond its intended scope.)

This makes the organization’s network an unwitting middleman between the two upstream providers, with traffic being sent through its generally much smaller network. Providers typically prefer routes learned from their customers over routes learned from peers or other providers, so a leaked route is often selected even though it is a longer and worse path. The end result is non-optimal routing, congestion, and potential non-delivery of traffic. While leaks are often inadvertent router misconfigurations that are noticed and fixed quickly, they can also be done intentionally to divert traffic through another network to scan it or to perform man-in-the-middle attacks (where an attacker secretly relays and alters the communication between a sender and receiver).

Back to Juan and Maria — Juan thinks he and Maria are in an exclusive relationship, but then Maria stops responding. Juan accidentally entered her number wrong and all of his messages were going to Chad instead. Oops.
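To make the leak concrete, here is an added Python simulation (not code from the original post or from MANRS) of the multihoming scenario above: a customer AS connected to two providers either enforces the usual export rule (routes learned from a provider or peer are only passed on to customers) or forgets it, and the second provider runs a simplified BGP decision that prefers customer routes over peer routes. The topology, the ASNs (64601, 64602, 64700, 64800), the prefix and the local-preference values are constructed assumptions for illustration.

```python
"""Added example (not from the original post): a route leak caused by a
missing export filter at a multihomed customer, and why the leaked route wins.

Constructed topology (private-range ASNs, RFC 1918 prefix; all assumptions):
  AS 64800 originates 10.30.0.0/16 and is a customer of provider A (AS 64601).
  AS 64700 is a customer of both provider A and provider B (AS 64602).
  A and B peer with each other.
"""
from collections import namedtuple

Route = namedtuple("Route", "prefix as_path learned_from")
# learned_from: relationship of the neighbor that sent the route, from the
# receiver's point of view: "customer", "peer", "provider", or "self".

PROVIDER_A, PROVIDER_B, CUSTOMER_C, ORIGIN_D = 64601, 64602, 64700, 64800
PREFIX = "10.30.0.0/16"

# Typical (constructed) local preferences: customer routes are preferred
# because the provider is paid to carry that traffic.
LOCAL_PREF = {"self": 300, "customer": 200, "peer": 100, "provider": 50}
INVERSE = {"customer": "provider", "provider": "customer", "peer": "peer"}


def best_route(candidates):
    """Simplified BGP decision process: highest local preference wins, then the
    shortest AS path. This is exactly why a leaked route is attractive to the
    provider that receives it."""
    return max(candidates, key=lambda r: (LOCAL_PREF[r.learned_from], -len(r.as_path)))


def export_allowed(route, neighbor_relationship):
    """The export rule a multihomed network should enforce: routes learned from
    a provider or peer may only be passed on to customers. Own and customer
    routes may be sent to anyone."""
    if route.learned_from in ("self", "customer"):
        return True
    return neighbor_relationship == "customer"


def send(route, sender_asn, neighbor_relationship, enforce_filter=True):
    """Return the route as the neighbor receives it (sender ASN prepended), or
    None if the sender's export filter blocks it."""
    if enforce_filter and not export_allowed(route, neighbor_relationship):
        return None
    return Route(route.prefix, (sender_asn,) + route.as_path, INVERSE[neighbor_relationship])


def simulate(customer_c_filters_exports):
    """Return the route provider B selects for PREFIX."""
    at_origin = Route(PREFIX, (), "self")
    at_a = send(at_origin, ORIGIN_D, "provider")        # A learns it from its customer
    at_c = send(at_a, PROVIDER_A, "customer")           # A announces it to customer C
    b_candidates = [send(at_a, PROVIDER_A, "peer")]     # A announces it to peer B
    # C re-announces what it learned from provider A to its other provider B.
    # With the export filter this is blocked; without it, the route leaks.
    leaked = send(at_c, CUSTOMER_C, "provider", enforce_filter=customer_c_filters_exports)
    if leaked is not None:
        b_candidates.append(leaked)
    return best_route(b_candidates)


if __name__ == "__main__":
    for filters in (True, False):
        chosen = simulate(customer_c_filters_exports=filters)
        path = " -> ".join(f"AS{a}" for a in chosen.as_path)
        print(f"C filters exports: {filters!s:5}  B selects {path} ({chosen.learned_from} route)")
```

With the filter in place, B reaches the prefix directly via its peer A. Without it, B selects the longer path through C because C is a customer, and all of B’s traffic to that /16 now transits C’s much smaller network.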

What is IP address spoofing?

Back in Part 1 of this series, we learned that traffic is sent across the Internet in packets that contain a destination IP address (like a mailing address). Packets also contain a source IP address, which identifies the sender and enables replies from the recipient. 

But it is very easy to create and send an IP packet with a false, or spoofed, source address to hide the sender’s identity or to impersonate another system. Routers make their forwarding decision on the destination address only; checking that a packet’s source address is plausible for the interface it arrived on (source address validation, described in BCP 38) is extra work that many networks simply do not do, so spoofed packets are forwarded regardless.

This is the main enabler of reflection Distributed Denial-of-Service (DDoS) attacks: an attacker on one network sends many small requests, DNS queries for example, with the source address forged to be the victim’s, to servers on other networks that will answer whoever appears to have asked. The replies, often many times larger than the requests, all land on the victim, which receives so much traffic it never asked for that its network or service is overwhelmed.

Back to our favorite doomed couple … Maria’s been talking to “Juan” online. He tells her everything she wants to hear and seems like the perfect man. And then he scams her. Turns out it was Chad all along, pretending to be Juan.  
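The added Python example below (not code from the original post or from MANRS) simulates the reflection attack just described and the check that stops it at its source: a reflector answers whatever source address a query claims, so forged queries turn into large answers aimed at the victim, while an edge router that validates source addresses the way BCP 38 describes drops the forged queries before they leave the attacker’s network. The addresses (RFC 5737 documentation ranges), the assigned prefix 192.0.2.0/24 and the packet sizes are constructed assumptions.

```python
"""Added example (not from the original post): why a spoofed source address
turns a DNS server into a reflector, and the ingress check that stops it.

Constructed scenario, with addresses from RFC 5737 documentation ranges chosen
only for illustration: an attacker at 192.0.2.77, inside a network that has
been assigned 192.0.2.0/24, sends DNS queries to an open resolver at
198.51.100.53 with the source address forged to be the victim 203.0.113.10.
Packet sizes are made up to give a plausible amplification ratio.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst length")

ATTACKER_PREFIX = ip_network("192.0.2.0/24")  # space assigned to the attacker's network
ATTACKER = "192.0.2.77"
VICTIM = "203.0.113.10"
REFLECTOR = "198.51.100.53"

QUERY_BYTES = 64      # a small query ...
ANSWER_BYTES = 3000   # ... that yields a large answer (constructed sizes)


def ingress_filter(packet, customer_prefix):
    """BCP 38 style source address validation at the edge that faces a
    customer network: forward a packet only if its source address lies in the
    space assigned to that customer. Returns True if the packet is forwarded."""
    return ip_address(packet.src) in customer_prefix


def reflect(packet):
    """A reflector answers whatever source address the packet claims; it has
    no way to tell that the address was forged."""
    return Packet(src=packet.dst, dst=packet.src, length=ANSWER_BYTES)


def run_attack(n_queries, spoof=True, edge_filters_sources=False):
    """Send n_queries queries to the reflector, optionally with a forged source,
    through an edge router that optionally validates source addresses.
    Returns (bytes delivered to the victim, bytes delivered to the attacker,
    queries dropped at the attacker's edge)."""
    to_victim = to_attacker = dropped = 0
    for _ in range(n_queries):
        query = Packet(src=VICTIM if spoof else ATTACKER, dst=REFLECTOR, length=QUERY_BYTES)
        if edge_filters_sources and not ingress_filter(query, ATTACKER_PREFIX):
            dropped += 1
            continue
        answer = reflect(query)
        if answer.dst == VICTIM:
            to_victim += answer.length
        elif ip_address(answer.dst) in ATTACKER_PREFIX:
            to_attacker += answer.length
    return to_victim, to_attacker, dropped


def amplification_factor():
    """Bytes the victim receives per byte the attacker sends."""
    return ANSWER_BYTES / QUERY_BYTES


if __name__ == "__main__":
    print("spoofed, no ingress filter:", run_attack(1000))
    print("spoofed, with ingress filter:", run_attack(1000, edge_filters_sources=True))
    print("honest source, with ingress filter:",
          run_attack(1000, spoof=False, edge_filters_sources=True))
    print(f"amplification: {amplification_factor():.1f}x")
```

The point of the third run is that source address validation costs legitimate traffic nothing: queries with a source inside the customer’s own prefix still pass, and only packets claiming an address the customer does not hold are dropped.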

Most routing incidents fall into one of those three types. And that’s where Mutually Agreed Norms for Routing Security (MANRS) steps in. By setting a routing security baseline for all organizations operating networks on the Internet, we can work together to reduce the most common pitfalls. Tomorrow, in our final post of this series, we will talk about the MANRS Actions and what organizations can do to make the Internet safer for us all.

Categories: Routing Security, Routing Security Incidents. Tags: Basics, routing.
