jro-grafik - Fotolia

What does the expansion of MANRS mean for BGP security?

The Internet Society expanded MANRS to crack down on BGP security. Expert Michael Cobb explains what MANRS is and its implications for BGP server security.

The Internet Society has moved to cut down on BGP server attacks that hijack routers and use spoofed IP addresses. The ISOC is doing this through an expansion of Mutually Agreed Norms for Routing Security. What is MANRS, and what does this mean for BGP security?

The Border Gateway Protocol (BGP) is an inter- and intra-autonomous system routing protocol used to exchange routing and reachability information so network traffic can reach its destination in the quickest possible time. Routes learned via BGP have properties that are used to determine the best route to a destination when multiple paths exist.

Routing is one of the most critical subsystems of the internet infrastructure, but well-known weaknesses in the way BGP servers exchange routing information continue to enable hackers to use spoofed IP addresses, impersonate a network and hijack routes.

By design, routers running BGP accept advertised routes from other BGP routers. This enables automatic and decentralized routing of traffic across the internet, but it also leaves the internet potentially vulnerable to accidental or malicious disruptions.

According to the Internet Society (ISOC), there were 14,000 routing outages or incidents in 2017. These included hijacking, leaks, spoofing and large-scale denial-of-service attacks that resulted in stolen data, lost revenue and reputational damage.

For example, traffic from Apple, Facebook, Google and Microsoft was rerouted to a small Russian ISP. This year has also seen cybercriminals hijack Amazon Web Services' domain name system traffic and reroute traffic destined for the cryptocurrency website MyEtherWallet to a server in Russia, enabling attackers to steal about $150,000 in cryptocurrency.

As routing and BGP security is so important to the stability of the internet, in 2014, the ISOC launched the Mutually Agreed Norms for Routing Security (MANRS) initiative with the purpose of eliminating common routing threats by promoting security and resilience of the global routing system within the network operator community. MANRS promotes four main actions that those involved in internet routing can take to reduce the threat of route hijacking, route leaking and the use of spoofed IP addresses: filtering, anti-spoofing, coordination and global validation.

But for MANRS to have a real impact, it needs the collaboration and coordinated actions of all the relevant participants, so the ISOC has expanded the MANR initiative to include a new program aimed at internet exchange points (IXPs). IXPs are physical exchange points where network operators are able to exchange traffic between internet service providers.

The MANRS for IXP program launched with just 10 of the 630 registered IXPs signed up. The 10 include several of the biggest IXPs in terms of number of members and traffic volume, but it's a long way from becoming a universally agreed upon standard.

It's certainly a step in the right direction, and hopefully, the ISOC can reach a tipping point where participation in and access to the routing system itself is limited to only those who abide by its recommendations and policies. Until then, weaknesses in BGP security will continue to be exploited to the detriment of everyone who uses the internet.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Threat detection and response