Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/13/2019
02:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Internet Routing Security Initiative Launches Online 'Observatory'

Mutually Agreed Norms for Routing Security (MANRS) lets network operators and the public view online router incidents worldwide.

An Internet Society-backed effort to thwart malicious Internet traffic and abuse now tracks routing incidents online via a free tool that also shows how much of its agreed-upon set of routing security and resiliency practices that network providers worldwide have adopted to date.

The Mutually Agreed Norms for Routing Security (MANRS) initiative's new MANRS Observatory turns up the heat on network providers' compliance to filtering incorrect or malicious routing information; preventing spoofed source IP addresses; validating routing information; and coordinating among other network operators. MANRS, which launched in 2014, includes members such as Comcast, Google, and Microsoft, with more than 200 network operator members and 35 Internet exchange points. The initiative hopes to quell attacks on the Internet's routing infrastructure.

There were some 12,000 routing outages or attacks worldwide in 2018, the group says. One particularly painful incident last November misrouted Google's traffic through China after a Nigerian ISP misconfigured a routing protocol filter. The mistake ultimately took down the Net in several regions and raised privacy concerns. 

"Routing security remains a problem," says Andrei Robachevsky, senior technology program manager at the Internet Society. "Routing is often a target to affect other services" on the Internet, he says.

The MANRS Observatory in part is intended to give members a visual reality-check on where they stand in advancing the security and resiliency of the Internet routing infrastructure, according to Robachevsky. "We need to work at being more transparent and more measurable," he says. "It [puts] internal pressure on participants so they cannot hide behind state websites" of routing statistics.

Observatory has both a private and public interface, and it aggregates data from a number of third-party sources into a dashboard that helps spot trouble areas for network providers. "The tool allows you to see by region and country for your individual network," he says, and gives a read on the security of the provider's routing infrastructure.

Economic Challenges
Internet security expert Paul Vixie says one hurdle for network providers in adopting routing security practices such as source address validation is that it benefits their competitors. "If you're investing in making your network cleaner, you will not be the primary beneficiary. Your competitors will be, and that's often a tough sell."

He says the MANRS Observatory should help the initiative gain more traction. "MANRS makes it formal what it means to not be 'that guy'" with the insecure routing infrastructure, says Vixie, founder and CEO of Farsight Security.

Meanwhile, MANRS plans to recruit content delivery network providers and more equipment vendors, and to continuously evolve and expand Observatory with greater measurement capabilities and other functions.

"We see Observatory as a performance barometer," Robachevsky says. It can help network providers see routing problems they didn't know they had in certain regions, for example. "Another thing is social responsibility, the cornerstone of MANRS. Being transparent."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/14/2019 | 3:31:17 PM
Great Article on Distance Vector Routing Algorithms
I submitted an RFI (Request for Information) to Florida Dept. of Transporation (FDOT) and it was based on TRILL, they wanted something like SPB (Shortest Path Bridging), but what I found to help address some of their traffic issues would be to implement a Distance Vector Routing Algorithm into the mix which redistributing the routes using R-bridges and IS-IS (Intermediate System Intermedia System).
dx(y) = minv{ c(x,v) + dv(y)}     for each node y in N

"Distance vector routing is an asynchronous algorithm in which node x sends the copy of its distance vector to all its neighbors. When node x receives the new distance vector from one of its neighboring vector, v, it saves the distance vector of v and uses the Bellman-Ford equation to update its own distance vector. The equation is given below" - Distance Vector Routing Algorithm or DRA for short

TRILL (Transparent Interconnection of Lots of Links), it uses R-Bridges; R=Route Bridges are used to communicate with each other by creating a grid. This grid could be used to connect the internet in a way where each link shares cost information with its surrounding neighbor; however, if there are links that go down, it uses the DRA to route traffic through another route-bridge. In this example, we can use R1, R2, R3 (indicative on the chart) to help route traffic across the globe without traffic being disrupted (self-healng and learning by creating a math matrix based upon specific factors). Dr. Injong Rhee (NC State Univ. professor, now with Samsung) came up wtih BIC-TCP and CUBIC to help address some of the routing problems with tcp windows adjustment size on the fly but that is for another conversation (CUBIC is used in VMware as part of its routing algorithm, but it has to be selected).

TRILL Link Connections

 

So even if we removed a route, connection or link, the system would be able to learn and route traffic by using another path, again the system has the ability to learn based on priority, path, speed, and congestion (the X, Y, Z are criteria and the numbers represent specific patterns and priorities associated with the network (TRILL - Link State Routing Algorithm and IS-IS can both work with IPv6 to address convergence issues because IPv6 addresses HOP/Distance count, MITM attacks,  Security (IPSec VPN) and it works with globlal routing protocols like MPLS and BGPv4 but if properly configured, TRILL could feed into IS-IS and IS-IS could feed into BGPv4 or MPLS. The links are represented by one count so the number of hops can be signficantly reduced thus improving performance and reduce routing cost/redundancy.



From a prior conversation, this would be a geat use case where ML can quantify better metrics and calculations identify improvements in the algorithms and routing security issues.

Possible ideas to ponder over.

T
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11287
PUBLISHED: 2019-11-23
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header ca...
CVE-2019-11291
PUBLISHED: 2019-11-22
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user w...
CVE-2019-15593
PUBLISHED: 2019-11-22
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments.
CVE-2019-16285
PUBLISHED: 2019-11-22
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive.
CVE-2019-16286
PUBLISHED: 2019-11-22
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.