Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/3/2017
04:36 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Standards Will Shore up Internet Router Security

The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Industry efforts to strengthen the critical Border Gateway Protocol (BGP) system that the Internet's core routers use to direct traffic received a boost this week with the release of new draft standards by the Internet Engineering Task Force (IETF).

The standards center around a security feature called BGP Path Validation and are designed to ensure that Internet traffic is not accidentally or maliciously intercepted and rerouted as it travels from one point to another. Such interception has resulted in network disruption, eavesdropping, and financial theft in recent years and has heightened concerns about the vulnerability of the BGP system to targeted attacks.

The new BGPsec standard describes the use of digital signatures on BGP routers so traffic from one point to another on the Internet only flows along an authorized, digitally signed path, the National Institute of Standards and Technology (NIST) announced Tuesday. "Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it," NIST said.

BGP routers direct traffic on the Internet. Each autonomous system (AS) - or network on the Internet - has a BGP router containing routing information for thousands of Internet destinations. The BGP routers exchange the information with each other to ensure that traffic is routed safely from source to destination.

BGP has been in use since at least 1989. It is widely regarded as lacking sufficient protections to prevent malicious attackers from injecting poisoned routing data into the system and rerouting Internet traffic to their networks.  As far back as 2013, Internet service provider Dyn recorded multiple instances of traffic from individual IP blocks being misdirected to unintended destinations via BGP tampering. One of them involved traffic from the networks of major financial institutions, ISPs, and governments being rerouted to an ISP in Belarus. Another involved route hijacks from Iceland.

BGPsec is part of a broader industry initiative known as Secure Inter-Domain Routing (SIDR) to address the vulnerabilities that enable this sort of hijacking. One part of the SIDR effort has focused on BGP origin validation, ensuring that BGP routers are able to filter out unauthorized routing updates and only accept valid connections. The second component, which is what BGPsec addresses, is focused on validating the path that traffic takes as it flows from source to destination.

"BGP Origin Validation standards were completed in 2012-2013 and are implemented in most commercial routers," says Douglas Montgomery, a NIST researcher and manager of the NIST BGP project. All of the Resource Public Key Infrastructure (RPKI) that is required to support BGP origin validation is already in place at all five Internet regional registries, he says.

"The community's current focus is on expanding the adoption of RPKI and BGP-OV as the logical first step towards improving BGP security," Montgomery says. 

The implementation of new BGP path validation standard will take place in three stages.

First, commercial router implementations and RPKI services must become available for path validation. Then enterprises and network operators need to enter their address blocks, autonomous systems, and route origin in the RPKI. Finally, network operators need to use the RPKI information to identify forged BGP announcements and develop local policy to deal with the attempted hijacks, Montgomery said.

"It is hard to predict when BGP-PV will be widely deployed in the Internet," he says. "The design and standardization work in the IETF was conducted with the expectation that significant deployment might require [about] 10 years. "

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...