Editor’s note: This is an abridged version of a post that was first published on MANRS.org. Read the full version.
In January last year I looked back at 2017, trying to figure out what routing security looked like globally and on a country level. I used BGPStream.com – a great public service providing information about suspicious events in the routing system.
The metrics I used for this analysis were number of incidents and networks involved, either by causing such incidents, or being affected by them.
An ‘incident’ is a suspicious change in the state of the routing system that can be attributed to an outage or a routing attack, like a route leak or hijack (either intentional or due to a configuration mistake). BGPStream is an operational tool that tries to minimize false positives, so the number of incidents may be on the low side.
Of course, there are a few caveats with this analysis – since any route view is incomplete and the intents of the changes are unknown, there are false positives. Some of the incidents went under the radar. Finally, the country attribution is based on geo-mapping and sometimes gets it wrong.
However, even if there are inaccuracies in details, applying the same methodology for a new dataset – 2018 – gives us a pretty accurate picture of the evolution.
Here are the highlights of some changes in routing security in 2018, compared to 2017.
- 12,600 (a 9.6% decrease) total incidents (either outages or attacks, like route leaks and hijacks).
- Although the overall number of incidents was reduced, the ratio of outages vs routing security incidents remained unchanged – 62/38.
- About 4.4% (a decrease of 1%) of all Autonomous Systems on the Internet were affected.
- 2,737 (a decrease of 12%) Autonomous Systems were victims of at least one routing incident.
- 1,294 (a 17% decrease!) networks were responsible for 4,739 routing incidents (a 10.6% decrease).
The bottom line – we did much better last year than the year before. Is it accidental, or part of a positive trend? This is hard to say yet, although in my experience there is much more awareness, attention, and discussions of the challenges of routing security and helpful solutions recently.
Although comparing just two years cannot say a lot about a long-term trend, overall, I feel we are moving in the right direction. More awareness and attention to the issues of routing security in the network operator community, rejuvenated interest in RPKI and some positive trends I provided here support this.
I’d like to believe that efforts like MANRS also contributed to this positive trend. MANRS, an industry-driven initiative supported by the Internet Society, provides an opportunity to strengthen the community of security-minded operators and instigate a cultural change. MANRS defines a minimum routing security baseline that networks are required to implement to join. The more service providers join MANRS, the more gravity the security baseline gets, the more unacceptable the lack of these controls will be, the fewer incidents there will be, and the less damage they can do.
This baseline is defined through four MANRS Actions:
- Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
- Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
- Coordination – Maintain globally accessible up-to-date contact information
- Global Validation – Publish your data, so others can validate routing information on a global scale.
Maintaining up-to-date filters for customer announcements could mitigate many route leaks. Preventing address squatting could help ward off things like spam and malware. Keeping complete and accurate routing policy data in Internet Routing Registry (IRR) or Resource Public Key Infrastructure (RPKI) repositories is essential for global validation that helps prevent BGP prefix hijacking. Having updated contact information is vital to solving network emergencies quickly.
Last year the community also developed MANRS for IXPs, another baseline that allows an IXP to build a “safe neighborhood” with the participating networks. The most important Actions, and therefore mandatory for joining, are:
- Prevent propagation of incorrect routing information. Requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).
- Promote MANRS to the IXP membership. IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions.
In 2018 we saw a significant uptake in MANRS, too. In one year the number of participants more than doubled, reaching 120, and the MANRS IXP Programme grew to 28 IXPs in a year.
Let us hope all the positive trends continue in 2019. And it is not hope alone – every network can influence this future. Because once connected to the Internet – we are part of the Internet.