Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What does the expansion of MANRS mean for BGP security?

The Internet Society expanded MANRS to crack down on BGP security. Expert Michael Cobb explains what MANRS is and its implications for BGP server security.

The Internet Society has moved to cut down on BGP server attacks that hijack routers and use spoofed IP addresses....

The ISOC is doing this through an expansion of Mutually Agreed Norms for Routing Security. What is MANRS, and what does this mean for BGP security?

The Border Gateway Protocol (BGP) is an inter- and intra-autonomous system routing protocol used to exchange routing and reachability information so network traffic can reach its destination in the quickest possible time. Routes learned via BGP have properties that are used to determine the best route to a destination when multiple paths exist.

Routing is one of the most critical subsystems of the internet infrastructure, but well-known weaknesses in the way BGP servers exchange routing information continue to enable hackers to use spoofed IP addresses, impersonate a network and hijack routes.

By design, routers running BGP accept advertised routes from other BGP routers. This enables automatic and decentralized routing of traffic across the internet, but it also leaves the internet potentially vulnerable to accidental or malicious disruptions.

According to the Internet Society (ISOC), there were 14,000 routing outages or incidents in 2017. These included hijacking, leaks, spoofing and large-scale denial-of-service attacks that resulted in stolen data, lost revenue and reputational damage.

For example, traffic from Apple, Facebook, Google and Microsoft was rerouted to a small Russian ISP. This year has also seen cybercriminals hijack Amazon Web Services' domain name system traffic and reroute traffic destined for the cryptocurrency website MyEtherWallet to a server in Russia, enabling attackers to steal about $150,000 in cryptocurrency.

As routing and BGP security is so important to the stability of the internet, in 2014, the ISOC launched the Mutually Agreed Norms for Routing Security (MANRS) initiative with the purpose of eliminating common routing threats by promoting security and resilience of the global routing system within the network operator community. MANRS promotes four main actions that those involved in internet routing can take to reduce the threat of route hijacking, route leaking and the use of spoofed IP addresses: filtering, anti-spoofing, coordination and global validation.

But for MANRS to have a real impact, it needs the collaboration and coordinated actions of all the relevant participants, so the ISOC has expanded the MANR initiative to include a new program aimed at internet exchange points (IXPs). IXPs are physical exchange points where network operators are able to exchange traffic between internet service providers.

The MANRS for IXP program launched with just 10 of the 630 registered IXPs signed up. The 10 include several of the biggest IXPs in terms of number of members and traffic volume, but it's a long way from becoming a universally agreed upon standard.

It's certainly a step in the right direction, and hopefully, the ISOC can reach a tipping point where participation in and access to the routing system itself is limited to only those who abide by its recommendations and policies. Until then, weaknesses in BGP security will continue to be exploited to the detriment of everyone who uses the internet.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

This was last published in August 2018

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Will expanding MANRS to include a new program aimed at IXPs sufficiently improve BGP security? If so, how long will it take to be effective?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close