Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/13/2019
02:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Internet Routing Security Initiative Launches Online 'Observatory'

Mutually Agreed Norms for Routing Security (MANRS) lets network operators and the public view online router incidents worldwide.

An Internet Society-backed effort to thwart malicious Internet traffic and abuse now tracks routing incidents online via a free tool that also shows how much of its agreed-upon set of routing security and resiliency practices that network providers worldwide have adopted to date.

The Mutually Agreed Norms for Routing Security (MANRS) initiative's new MANRS Observatory turns up the heat on network providers' compliance to filtering incorrect or malicious routing information; preventing spoofed source IP addresses; validating routing information; and coordinating among other network operators. MANRS, which launched in 2014, includes members such as Comcast, Google, and Microsoft, with more than 200 network operator members and 35 Internet exchange points. The initiative hopes to quell attacks on the Internet's routing infrastructure.

There were some 12,000 routing outages or attacks worldwide in 2018, the group says. One particularly painful incident last November misrouted Google's traffic through China after a Nigerian ISP misconfigured a routing protocol filter. The mistake ultimately took down the Net in several regions and raised privacy concerns. 

"Routing security remains a problem," says Andrei Robachevsky, senior technology program manager at the Internet Society. "Routing is often a target to affect other services" on the Internet, he says.

The MANRS Observatory in part is intended to give members a visual reality-check on where they stand in advancing the security and resiliency of the Internet routing infrastructure, according to Robachevsky. "We need to work at being more transparent and more measurable," he says. "It [puts] internal pressure on participants so they cannot hide behind state websites" of routing statistics.

Observatory has both a private and public interface, and it aggregates data from a number of third-party sources into a dashboard that helps spot trouble areas for network providers. "The tool allows you to see by region and country for your individual network," he says, and gives a read on the security of the provider's routing infrastructure.

Economic Challenges
Internet security expert Paul Vixie says one hurdle for network providers in adopting routing security practices such as source address validation is that it benefits their competitors. "If you're investing in making your network cleaner, you will not be the primary beneficiary. Your competitors will be, and that's often a tough sell."

He says the MANRS Observatory should help the initiative gain more traction. "MANRS makes it formal what it means to not be 'that guy'" with the insecure routing infrastructure, says Vixie, founder and CEO of Farsight Security.

Meanwhile, MANRS plans to recruit content delivery network providers and more equipment vendors, and to continuously evolve and expand Observatory with greater measurement capabilities and other functions.

"We see Observatory as a performance barometer," Robachevsky says. It can help network providers see routing problems they didn't know they had in certain regions, for example. "Another thing is social responsibility, the cornerstone of MANRS. Being transparent."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/14/2019 | 3:31:17 PM
Great Article on Distance Vector Routing Algorithms
I submitted an RFI (Request for Information) to Florida Dept. of Transporation (FDOT) and it was based on TRILL, they wanted something like SPB (Shortest Path Bridging), but what I found to help address some of their traffic issues would be to implement a Distance Vector Routing Algorithm into the mix which redistributing the routes using R-bridges and IS-IS (Intermediate System Intermedia System).
dx(y) = minv{ c(x,v) + dv(y)}     for each node y in N

"Distance vector routing is an asynchronous algorithm in which node x sends the copy of its distance vector to all its neighbors. When node x receives the new distance vector from one of its neighboring vector, v, it saves the distance vector of v and uses the Bellman-Ford equation to update its own distance vector. The equation is given below" - Distance Vector Routing Algorithm or DRA for short

TRILL (Transparent Interconnection of Lots of Links), it uses R-Bridges; R=Route Bridges are used to communicate with each other by creating a grid. This grid could be used to connect the internet in a way where each link shares cost information with its surrounding neighbor; however, if there are links that go down, it uses the DRA to route traffic through another route-bridge. In this example, we can use R1, R2, R3 (indicative on the chart) to help route traffic across the globe without traffic being disrupted (self-healng and learning by creating a math matrix based upon specific factors). Dr. Injong Rhee (NC State Univ. professor, now with Samsung) came up wtih BIC-TCP and CUBIC to help address some of the routing problems with tcp windows adjustment size on the fly but that is for another conversation (CUBIC is used in VMware as part of its routing algorithm, but it has to be selected).

TRILL Link Connections

 

So even if we removed a route, connection or link, the system would be able to learn and route traffic by using another path, again the system has the ability to learn based on priority, path, speed, and congestion (the X, Y, Z are criteria and the numbers represent specific patterns and priorities associated with the network (TRILL - Link State Routing Algorithm and IS-IS can both work with IPv6 to address convergence issues because IPv6 addresses HOP/Distance count, MITM attacks,  Security (IPSec VPN) and it works with globlal routing protocols like MPLS and BGPv4 but if properly configured, TRILL could feed into IS-IS and IS-IS could feed into BGPv4 or MPLS. The links are represented by one count so the number of hops can be signficantly reduced thus improving performance and reduce routing cost/redundancy.



From a prior conversation, this would be a geat use case where ML can quantify better metrics and calculations identify improvements in the algorithms and routing security issues.

Possible ideas to ponder over.

T
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...