Tech Companies Endorse MANRS Routing Security Actions

By Grant Gross

A coalition of more than 40 companies focused on protecting online users has endorsed a global community initiative, coordinated by the Internet Society, to improve the security of the Internet’s routing system.

The Cybersecurity Tech Accord, whose members include Facebook, Microsoft, Oracle, and Hewlett Packard Enterprise, will support the Mutually Agreed Norms for Routing Security (MANRS) initiative.

The goal of MANRS is to ensure a secure and resilient Internet by protecting its routing infrastructure. In 2017 alone, more than 14,000 routing outages or attacks, such as hijacking, leaks, or spoofing, resulted in stolen data, lost revenue and reputational damage.

“The new endorsement is a good first step,” said Salam Yamout, Internet Society Lead for the MANRS initiative.

“It is not enough to talk about routing security; it is time for action,” Yamout added. “Because the Internet’s routing system was built on the principles of collaboration and shared responsibility, this endorsement from the Cybersecurity Tech Accord and our new partnership is a major step forward. It clearly reflects the will of industry to be proactive in implementing safe routing practices.”

MANRS focuses on four defensive actions that can reduce the most common routing threats:

  • Filtering, to help combat the propagation of incorrect routing information and to ensure that the operator's own and its customers' routing announcements to adjacent networks are correct;
  • Anti-spoofing, a measure allowing network operators to validate source addresses, with the goal of preventing packets with an incorrect source IP address from entering and leaving the network;
  • Coordination, to ensure that network operators maintain globally accessible up-to-date contact information in common routing databases; and
  • Global validation, to encourage network operators to publish their routing data, so others can validate routing information on a global scale.

The Cybersecurity Tech Accord called MANRS a “fantastic example” of a partnership working toward the common good of a more secure online environment. Signatories “strongly believe that a more robust and secure global routing infrastructure demands shared responsibility and coordinated actions from the community of security-minded organizations,” said Tech Accord.

Two of Tech Accord’s signatories – KPN and Swisscom – already participate in the MANRS initiative, and many others are considering steps to become more involved, the group said.

Cybersecurity Tech Accord and MANRS have also established a working group to investigate how companies beyond network operators and IXPs can contribute to routing security.


Note: you are welcome to join MANRS if your organization is a network operator (for example, an enterprise network or an Internet Service Provider (ISP)) or an Internet Exchange Point (IXP).

Working Together with APNIC on Routing Security and MANRS in Asia Pacific

The Internet Society and APNIC signed a Memorandum of Understanding (MoU) to cooperate in supporting the MANRS initiative in the Asia Pacific Region. Paul Wilson (APNIC) and Rajnesh Singh (ISOC) signed the MoU in Brisbane, Australia on 13 June 2018.

It’s an exciting moment for everyone who believes that Internet routing security issues can be resolved through collaboration, providing limitless opportunities for good. The MoU formalises the existing long-term relationship between the two organizations to have a global, open, stable and secure Internet.

The MoU focuses on capacity building to undertake initiatives and activities to promote awareness of MANRS in the Asia-Pacific region, to cooperate and render mutual assistance, and to encourage the attendance of APNIC members to meetings, seminars, workshops and/or conferences on routing security.

Both organizations have agreed to exchange research information and training materials (whether printed, audio or visual) related to routing security in general. APNIC has a proven record of delivering hands-on and online quality training and providing analytical research data.

We look forward to welcoming more MANRS members from the Asia Pacific region, and working together with APNIC to improve routing security around the world.

New Video Explains Routing Security and How MANRS Can Help

Routing security can be a difficult topic to explain. It’s technical. It’s filled with industry jargon and acronyms. It’s, well, nerdy. But routing security is vital to a stable and secure future Internet, and the Mutually Agreed Norms for Routing Security (MANRS) initiative has been working hard for several years now to make the Internet a safer place. To help explain, at a very high level, some of the major routing security issues and how MANRS can help address them, we’re pleased to announce a new explanatory video.

Available with English, French, and Spanish subtitles, this short new video explains three major incidents that can lead to things like denial of service attacks, surveillance, and lost revenue:

  • Route Hijacking – when one network operator or attacker impersonates another
  • Route Leak – when a network operator unintentionally announces that it has a route to a destination
  • IP Address Spoofing – when fake source IP addresses hide a sender’s identity

Network operators of all sizes have a role to play in securing the Internet’s routing infrastructure. By implementing the four simple MANRS Actions, together we can make significant improvements to reduce the most common routing threats. Those four actions are:

  • Filtering – making sure your and your customers’ routing announcements are correct
  • Anti-spoofing – enabling source address validation to prevent spoofed packets from entering or leaving your network
  • Coordination – maintaining globally accessible contact information in common places such as the PeeringDB, RIR whois databases, and your own website.
  • Global Validation – publishing your data, including your routing policy and prefixes you intend to advertise, so your routing information can be validated by third parties.

Your security depends on others, and your actions affect the security of others. By implementing these four simple, non-disruptive MANRS actions, together we can protect the core.

Please watch the video, visit the full list of MANRS Actions for network operators, and join today!

MANRS Implementation Guide Published as RIPE 706

The MANRS initiative’s set of Best Current Operational Practices has received recognition from the RIPE community by being published as RIPE-706.

MANRS helps network operators around the world improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and support for global validation. It currently involves over 85 organisations encompassing nearly 200 Autonomous Systems around the world, including some of the largest ISPs.

The MANRS BCOP offers guidance on how to practically implement each of the MANRS actions, based on the operational experiences of numerous network operators around the world. It’s a must read for those working with the global routing system, as routing security is a shared responsibility and needs commitment to good practices from all its participants.

RIPE documents are developed and approved by the RIPE community and have been published since 1989. They include technical and operational recommendations, as well as policy, procedural and organisational documents. The publication of RIPE-706 represents community recognition of the MANRS principles and the importance of a commitment to routing security.

The MANRS initiative would like to thank David Freedman, Brian Foust, Barry Greene, Ben Maddison, Andrei Robachevsky, Job Snijders and Sander Steffann who were the primary authors of the document, but also all those who provided comment and feedback, and those who translated it into other languages.

If you’re interested in signing up to MANRS, join here.

CAIDA Spoofer Project Improves Routing Security by Publicizing Spoofed Source Address Packets

This week, the Center for Applied Internet Data Analysis (CAIDA) announced that:

“In response to feedback from operational security communities, CAIDA’s source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes.”

We see this as a positive step forward for routing security. Anti-spoofing is one of the major MANRS Actions for network operators, and in fact we’ve been asking prospective MANRS participants to run Spoofer for some time now.

IP source address spoofing is when fake source addresses hide a sender’s identity or impersonate someone else. This can be exploited in various ways, most notably to execute Denial of Service (DoS) attacks that send traffic to the spoofed address. To combat this, MANRS calls for anti-spoofing — enabling source address validation to prevent spoofed packets from entering or leaving your network.

You can check the anti-spoofing capabilities of your own network by downloading the software here. And of course, you can read all about the Anti-spoofing component of MANRS here.

Together, we can make the Internet a better place and Protect The Core!

MANRS, IXPs, and Routing Security in the News

It’s been a busy couple of weeks for routing security. First, on 23 April, we introduced a new category of MANRS participants aimed specifically at Internet Exchange Points. Then, just two days later, we learned about yet another BGP hijacking wreaking havoc, which could have been avoided if more networks across the globe implemented the MANRS for Network Operators Actions.

All of this has resulted in several news articles recently. Here’s a roundup of the coverage.

Related to the IXP Programme:

And articles relating MANRS as a solution for BGP hijacking:

It’s great to see MANRS and routing security getting the media coverage it deserves. We encourage all network operators and IXPs to join MANRS as we work together to improve the security and resilience of the Internet’s routing system.

A Deeper Dive into the Amazon Route 53 BGP Hijack

Yesterday, we reported some initial news and details about the Amazon Route 53 BGP hijack that resulted in a loss to some cryptocurrency users.

Today on the Internet Society blog, Aftab Siddiqui presents a more technical dive into what exactly happened, using data from Isolario, RIPE Stats, and various reports from organizations who monitor Internet routing and health.

It’s an interesting read, and once again points out how MANRS can help alleviate future incidents. In fact, a few of the network operators involved in this incident already had the Actions called for in MANRS for Network Operators in place, which helped mitigate some of the damage. From Aftab’s post:

This problem could have been easily avoided if Hurricane Electric (AS6939), 1&1 Internet SE (AS8560), Shaw Communications Inc. (AS6327), and BroadbandOne/WV Fibre (AS19151) had prefix filtering in place. Thankfully, Level3 (AS3356), Cogentco (AS174), and NTT (AS2914) are all MANRS members and had prefix filters in place, or the damage would have been much bigger. As per Dyn they recorded only 15% of their nodes received malicious specific advertisement originated from AS10297, while NLNOG-RING (AS199036) were getting 87 unique paths to 205.251.192.0/23 (one of the Route53 prefixes) originating from Amazon (AS16509) at 10am UTC. But when the attack started at 11:05 UTC they installed 15 new paths for 205.251.192.0/24 (one of the malicious more-specific prefixes) originated from eNET (AS10297). Out of those 15 unique paths, 12 of them were coming via Hurricane Electric (AS6939).

We encourage you to read the whole deep dive, and of course to implement the MANRS Actions (for network operators or for IXPs) and to join the MANRS community of security-minded organizations.

Together, we can protect the core!

Another BGP Hijacking Event Highlights the Importance of MANRS and Routing Security

Another BGP hijacking event is in the news today. This time, the event is affecting the Ethereum cryptocurrency. (Read more about it here, or here.) Users were faced with an insecure SSL certificate. Clicking through that, like so many users do without reading, they were redirected to a server in Russia, which proceeded to empty the user’s wallet. DNSSEC is important to us, so please check out the Deploy360 DNSSEC resources to make sure your domain names are protected. In this post, though, we’ll focus on the BGP hijacking part of this attack.

What happened?

First, here’s a rundown of routing attacks on cryptocurrency in general – https://btc-hijack.ethz.ch/.

In this case specifically, the culprit re-routed DNS traffic in a man-in-the-middle attack, using a server at an Equinix data center in Chicago. Cloudflare has put up a blog post that explains the technical details. From that post:

“This [hijacked] IP space is allocated to Amazon(AS16509). But the ASN that announced it was eNet Inc(AS10297) to their peers and forwarded to Hurricane Electric(AS6939).

“Those IPs are for Route53 Amazon DNS servers. When you query for one of their client zones, those servers will reply.

“During the two-hour leak the servers on the IP range only responded to queries for myetherwallet.com. As some people noticed SERVFAIL.

“Any DNS resolver that was asked for names handled by Route53 would ask the authoritative servers that had been taken over via the BGP leak. This poisoned DNS resolvers whose routers had accepted the route.

“This included Cloudflare DNS resolver 1.1.1.1. We were affected in Chicago, Sydney, Melbourne, Perth, Brisbane, Cebu, Bangkok, Auckland, Muscat, Djibouti and Manila. In the rest of the world, 1.1.1.1 worked normally.”

What does this have to do with MANRS and routing security?

Mutually Agreed Norms for Routing Security (MANRS) calls for four simple, but concrete actions ALL network operators should take to reduce the most common routing threats. The first is filtering, which prevents the propagation of incorrect routing information. (The others are anti-spoofing, address validation, and global coordination.) If all the operators along the path had implemented the MANRS actions – especially filtering – this would not have propagated across the Internet like it did.

For example, eNET also peers with Level3 (AS3356) and NTT (AS2914), but those operators didn’t forward the wrong information because they are MANRS compliant. (Other MANRS participants are listed here.)
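The filtering decision described above can be sketched as a prefix-origin check using the three validation states of RFC 6811. This is an added example, not code from the posts quoted here or from MANRS: the prefixes and AS numbers are the ones quoted from Aftab's post, while the authorization table, its maximum length of /23, the sample announcements and the function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple


class Authorization(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int   # longest prefix length the holder intends to announce
    origin_as: int


# Constructed table: the /23 and AS16509 come from the quoted post; that the
# holder published this entry, and the max_length of 23, are assumptions.
AUTHORIZED = [
    Authorization(ipaddress.ip_network("205.251.192.0/23"), 23, 16509),
]


def validate_origin(prefix: str, origin_as: int, table=AUTHORIZED) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for auth in table:
        if route.version != auth.prefix.version:
            continue
        if not route.subnet_of(auth.prefix):
            continue
        covered = True  # some authorization covers this address space
        if route.prefixlen <= auth.max_length and origin_as == auth.origin_as:
            return "valid"
    # Covered but no matching entry: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, table=AUTHORIZED):
    """Split announcements into (accepted, rejected).

    Policy assumed here: drop 'invalid', accept 'valid' and 'not-found'.
    """
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, table)
        (rejected if state == "invalid" else accepted).append(
            (prefix, origin_as, state))
    return accepted, rejected


# Constructed sample of received announcements.
SAMPLE = [
    ("205.251.192.0/23", 16509),  # legitimate origin named in the post
    ("205.251.192.0/24", 10297),  # more-specific named in the post
    ("205.251.192.0/24", 16509),  # right origin, longer than max_length
    ("198.51.100.0/24", 64500),   # documentation prefix, no authorization
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    for row in accepted:
        print("accept", row)
    for row in rejected:
        print("reject", row)
```

The third sample row shows why the maximum length matters: a more-specific prefix is rejected even when it carries the expected origin AS, which is the case a filter on origin alone would miss.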

Security Boulevard has also published a short recap of this BGP hijack event and called out MANRS as a potential solution.

What are you waiting for?

This can still happen at any time. Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage they can do.

Learn more about MANRS here. Implement the four actions for network operators and join the community of security-minded operators working together to make the Internet safer for everyone.

Introducing a New MANRS IXP Programme for Routing Security

Today, we are pleased to announce that MANRS is getting a new category of members – IXPs. The MANRS IXP Programme introduces a separate membership category for IXPs with a set of security actions to address the unique needs and concerns of IXPs.

The ten founding participants are Asteroid (International), CABASE (Argentina), CRIX (Costa Rica), DE-CIX (Germany), INEX (Ireland), MSK-IX (Russia), Netnod (Sweden), RINEX (Rwanda), TorIX (Canada), and YYCIX (Canada).

Programme participation provides an opportunity for an IXP to demonstrate its attention to the security and sustainability of the Internet ecosystem and, therefore, its dedication to providing high-quality services.

The IXP Action set was developed by a group of IXPs from all around the world and was presented at multiple IXP fora for discussion and feedback. We hope that with IXPs as partners, their ISP members will join the Network Operator category of MANRS.

Participation in the MANRS IXP Programme requires an IXP to implement and document a majority of the IXP Programme Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action. Here are the five Actions:

  1. Facilitate prevention of propagation of incorrect routing information
  2. Promote MANRS in the IXP’s membership
  3. Protect the peering platform
  4. Facilitate global operational communication and coordination between network operators
  5. Provide monitoring and debugging tools to members

The full set of Actions for IXPs can be found here: https://www.manrs.org/participants/ixp/

The IXP Programme founding participants have taken these actions, which establish a security baseline that many IXPs may already surpass and from which others can build.

All IXPs are invited to join this new Programme! Read more about the Actions here, sign up to join here, or see the list of participants here. You can also read the full press release about the new Programme.

Supporting Quotes from Initial Participants

“Asteroid has a strong focus on security, so we are proud to be a founding participant in MANRS. IXPs are often at the heart of the local operators’ community, and we believe it’s our responsibility to lead by example and to promote routing security. MANRS is an opportunity for us all to lift the standard of our shared security responsibility,” said Andy Davidson, CTO, Asteroid.

“Our community has matured to formalize “good-order rules.” Usually, the participants of the IX have already observed all the stipulated norms, but now we will have a formal document that the interested persons will be able to sign. It was important for our participants (over 95% use the Route Server service) that MSK-IX take on the role of arbiter,” says Alexander Ilin, Chief Technical Officer, MSK-IX.

“We at DE-CIX are proud to support the MANRS IXP Programme as a founding participant with our knowledge and experience. It is time for IXPs to take responsibility to make the Internet a more secure and resilient place,” said Christoph Dietzel, Head of Research & Development at DE-CIX.

“We are very proud to be involved with the MANRS IXP Programme. Securing Internet routing has clear benefits not just for IXP members and their customers but for end users and the global internet community as a whole”, says Mattias Karlsson, Head of Engineering, Netnod.

Routing Security and MANRS at EURO-IX This Week

This week, Andrei Robachevsky will be talking about routing security in general and MANRS in particular at Euro-IX in Galway, Ireland. The European Internet Exchange Association (Euro-IX) gathers 83 Internet Exchange Points (IXPs) from around the world. It was formed in May 2001 with the intention to develop, strengthen and improve the IXP community.

The MANRS Actions were initially designed for network operators, but IXPs also play an active role in protecting the Internet. IXPs represent active communities with common operational objectives and already contribute to a more resilient and secure Internet infrastructure. Euro-IX is an opportunity to highlight the many ways IXPs can contribute to the overall health and resilience of the routing system by joining MANRS.

MANRS can help IXPs build safe neighborhoods, leveraging the MANRS security baseline. It also demonstrates an IXP’s commitment to security and sustainability of the Internet ecosystem, and dedication to providing high quality services.

IXPs are important partners in the MANRS community

IXPs can be a collaborative focal point to discuss and promote the importance of routing security. To address the unique needs and concerns of IXPs, the community is creating a related but separate set of MANRS actions for IXP members. We’ll explain more about the upcoming MANRS IXP Programme and invite IXPs to join once the program launches.

If you’ll be in Galway, please let us know!