Internet Society © 1992–2016 Two years of good MANRS - Improving Global Routing Security and Resilience MANRS Aftab Siddiqui [email protected] September 2017

AusNOG - Two Years of Good MANRS


Internet Routing – what is the problem?

• Internet routing infrastructure is vulnerable
  • Traffic can be hijacked, blackholed or detoured
  • Traffic can be spoofed
  • Fat-fingers and malicious attacks

• BGP is based on trust
  • No built-in validation of the legitimacy of updates

Not a day without an incident

[Chart: 6 months of suspicious activity, x-axis 1/1/17 to 8/1/17; series: Hijack, Leak]

Data source: http://bgpstream.com/

What’s behind these incidents?

• IP prefix hijack
  • AS announces prefix it doesn’t originate
  • AS announces more specific prefix than what may be announced by originating AS
  • Packets end up being forwarded to a wrong part of Internet
  • Denial-of-Service, traffic interception, or impersonating network or service

• Route leaks
  • Similar to prefix hijacking
  • Usually not malicious and due to misconfigurations
  • But may also aid traffic inspection and reconnaissance

• IP address spoofing
  • Creation of IP packets with false source address
  • The root cause of reflection DDoS attacks
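The two hijack patterns listed above (wrong origin, and more specific than the originating AS may announce) can be told apart by checking each announcement against published origin data. The following is an added example, not part of the talk: it goes beyond the slide by applying the route origin validation matching rule of RFC 6811, and the ROA-like entries, prefixes and ASNs are constructed documentation values.

```python
import ipaddress

# Constructed ROA-like entries: (prefix, max length, authorised origin AS).
# Prefixes and ASNs are documentation values, not real allocations.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

def validate(prefix, origin_as, vrps=VRPS):
    """Return (state, reason) for one announcement, using RFC 6811 matching."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if vrp.version == route.version and route.subnet_of(vrp):
            covering.append((max_len, vrp_as))
    if not covering:
        return ("not-found", "no-covering-entry")
    if any(route.prefixlen <= m and a == origin_as for m, a in covering):
        return ("valid", "ok")
    origin_ok = any(a == origin_as for _, a in covering)
    length_ok = any(route.prefixlen <= m for m, _ in covering)
    if not origin_ok and not length_ok:
        return ("invalid", "wrong-origin-and-too-specific")
    if not origin_ok:
        return ("invalid", "wrong-origin")
    return ("invalid", "too-specific")

# Constructed announcements: (prefix, origin AS seen in the AS path).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origination
    ("192.0.2.0/24", 64511),     # same prefix, different origin
    ("192.0.2.128/25", 64511),   # more specific, different origin
    ("192.0.2.128/25", 64500),   # more specific than authorised
    ("2001:db8:1::/48", 64502),  # within the authorised max length
    ("203.0.113.0/24", 64500),   # nothing registered for this prefix
]

def report(announcements=ANNOUNCEMENTS):
    """Validate every announcement and return (prefix, origin, state, reason)."""
    return [(p, a) + validate(p, a) for p, a in announcements]

if __name__ == "__main__":
    for row in report():
        print(*row)
```

A "not-found" result is the deployment gap the next slide refers to: without published origin data there is nothing to validate against.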

Are there solutions?

• Yes!
  • Prefix and AS-PATH filtering, RPKI…
  • BGPSEC under development at the IETF
  • Whois, Routing Registries and Peering databases

• But…
  • Lack of deployment
  • Lack of reliable data

Mutually Agreed Norms for Routing Security (MANRS)

MANRS defines four concrete actions that network operators should implement

• Technology-neutral baseline for global adoption

MANRS builds a visible community of security-minded operators

• Promotes culture of collaborative responsibility

Good MANRS

• Filtering – Prevent propagation of incorrect routing information
  • Own announcements and the customer cone

• Anti-spoofing – Prevent traffic with spoofed source IP addresses
  • Single-homed stub customers and own infra

• Coordination – Facilitate global operational communication and coordination between network operators
  • Up-to-date and responsive public contacts

• Global Validation – Facilitate validation of routing information on a global scale
  • Publish your data, so others can validate

Two years of MANRS

[Chart: MANRS members by # of AS, for 2014, 2015, 2016 and 2017 (so far)]

Increasing gravity by making MANRS a platform for related activities

• Developing better guidance
  • MANRS Best Current Operational Practices (BCOP) document: http://www.routingmanifesto.org/bcop/

• Training/certification programme
  • Based on BCOP document and an online module

• Bringing new types of members on board
  • IXPs

Leveraging market forces and peer pressure

• Developing a better “business case” for MANRS
  • MANRS value proposition for your customers and your own network

• Creating a trusted community
  • A group with a similar attitude towards security

Is there a business case for MANRS?

Study Methodology

• Examining perceptions and expectations
  • Questionnaire-based study

• Assessment against existing 451 Research data
  • Common perception elements

• Service providers
  • Initial targeting interviews

• Global demographic
  • 25 telephone interviews

• Enterprise Internet teams
  • 250 web questionnaires
  • 1,000 employee minimum
  • Primarily North America

Demographics

[Pie chart: Enterprise Demographics; legend: Manufacturing, Professional Services, Retail, Telecommunications, Health, Financial, Insurance, Construction, Other; slice labels: 14%, 14%, 11%, 10%, 10%, 8%, 8%, 6%, 19%]

[Pie chart: Service Provider Size; legend: 100-499, 500-999, 1000-2499, 2500-4999, 5000-9999, 10000+; slice labels: 12%, 8%, 24%, 8%, 20%, 28%]

[Pie chart: Enterprise Size; legend: 1000-2499, 2500-4999, 5000-9999, 10000+; slice labels: 46%, 24%, 15%, 15%]

A business case for an enterprise

Enterprises Are Concerned About Security

• A core value for a majority

[Chart: by enterprise size (1000-2499, 2500-4999, 5000-9999, 10,000+); series: Primary Core Value, Part of Our Values, Not Distinguishing; y-axis 0% to 50%]

Enterprise Concerns Around Security

• Widely varying concerns across a range of issues

• And confidence that MANRS can help

[Chart: Internet Security Concerns; categories: DDoS, Traffic hijacking, Address spoofing, Availability, Blacklisting; bar labels: 57%, 74%, 57%, 46%, 28%]

And Enterprises are Willing to Pay for MANRS

• Significant value on security posture
  • Median premium of 15%
  • 13% would only choose MANRS compliant providers

[Chart: answer options: no, 5% more, 10%, 15%, 20%, 25%, I would only choose a MANRS Compliant services; axis 0 to 70]

Q: Would you pay a premium for MANRS compliant services?

Enterprise Conclusions

• Great opportunity for service providers
  • While not well known by enterprises (yet), MANRS attributes are highly valued
  • Enterprises care about security and believe MANRS can help
  • Enterprises are willing to put MANRS compliance into RFPs and require it of their service providers

A business case for an ISP

Service Provider Awareness

[Chart: Awareness; categories: Aware of what MANRS is, Familiar with some details of MANRS, Heard of MANRS, Never heard of MANRS; axis 0 to 10]

MANRS Effectiveness

[Chart: responses for Today and Future; series: Not at All, Some, Very; axis 0 to 18]

Q: How effective do you think MANRS is/could be in improving Internet security?

MANRS Security Improvements

[Charts: Internet and Organization, each split into Large improvement, Some improvement, No improvement]

Q: Do you see MANRS as having a significant effect on improving Internet security/your organization’s security?

Service Provider Motivations

[Chart: Reasons for Implementation; categories: Being a good internet citizen, Being more secure, Increasing operating efficiency, Regulatory compliance; bar labels: 16%, 36%, 12%, 36%; axis 0% to 40%]

Q: Which aspect of MANRS would provide the greatest reason for implementing for your organization?

Service Provider Conclusions

• Cautious enthusiasm, but market misperceptions
  • Much support for the actions and high expectations for the change MANRS could make on individual organizations and the Internet as a whole, if implemented widely

• Challenges in decision process
  • Technical teams drive for 64%
  • Technical teams have authority in 4%

• Limited expectations of enterprise value
  • Implementing MANRS and marketing an increased security posture to enterprises can serve as a business differentiator and translate into increased revenue
  • Possibility for add-on security services to customers based on implementing MANRS actions

Resource Statistics

No. of ASNs: 2183

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

No. of IPv6 Prefixes: 1126

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

No. of IPv4 Prefixes: 7462

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

No. of Prefixes Announced: 16794

Top 3
• AS38719 – Dream Scape Networks
• AS9512 – Net Logistics Pty Ltd
• AS35803 – Digital Pacific

Top 3
• AS55795 – Verb Data Centre
• AS58979 – Cloud Registry
• AS10145 – Secure IP

Bogus Prefixes/ASNs from Australia

Possible Bogus Prefixes

| Prefix | Origin AS | AS Description | Peer AS | Peer AS Desc. |
|---|---|---|---|---|
| 45.124.164.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.164.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.165.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.166.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.167.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.20.219.0/24 | AS55795 | VERBDC1-AS-AP Verb Data Centre Pty Ltd, AU | AS17819 | Equinix |
| 103.58.216.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.216.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.217.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.218.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.219.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 119.160.232.0/21 | AS132070 | INTERVOLVE-BRISBANE-AS-AP Interhost Pacific Pty Ltd t/a Intervolve., AU | - | - |
| 203.89.101.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 203.89.103.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 203.89.107.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 220.152.112.0/21 | AS23871 | AINS-AS-AP Australia Internet Solutions, AU | AS7474 | Optus |

http://www.cidr-report.org/as2.0/

Possible Bogus ASNs

| Bogus ASN | Announced by | AS Description |
|---|---|---|
| AS55481 | AS1221 | ASN-TELSTRA Telstra Pty Ltd, AU |
| AS64521 | AS9822 | AMNET-AU-AP Amnet IT Services Pty Ltd, AU |
| AS64627 | AS23871 | AINS-AS-AP Australia Internet Solutions, AU |
| AS65315 | AS134188 | NTTDATAVTS-AS-AP NTT DATA Victorian Ticketing System Pty Ltd, AU |
| AS65535 | AS133178 | ACABPS-AS-AP Australian Customs and Border Protection Service, AU |
| AS4294836336 | AS2764 | AAPT AAPT Limited, AU |
| AS4294836363 | AS2764 | AAPT AAPT Limited, AU |
| AS4294836392 | AS2764 | AAPT AAPT Limited, AU |
| AS4294836409 | AS2764 | AAPT AAPT Limited, AU |
| AS4294836414 | AS2764 | AAPT AAPT Limited, AU |
| AS4294836444 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901860 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901861 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901863 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901864 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901865 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901866 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901867 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901868 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901869 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901870 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901874 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901875 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901876 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901878 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901879 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901880 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901881 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901882 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901884 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901886 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901888 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901889 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901890 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901891 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901892 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901893 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901894 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901895 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901896 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901897 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901898 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901900 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901901 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901902 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901903 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901904 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901906 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901908 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901909 | AS2764 | AAPT AAPT Limited, AU |
| AS4294901910 | AS2764 | AAPT AAPT Limited, AU |

http://www.cidr-report.org/as2.0/
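Most of the ASNs listed above sit in special-use ranges, so an AS-PATH filter can reject them with a range check and no registry lookup. The following is an added example, not from the talk: the ASNs are quoted from the slides, the AS paths are constructed from the "announced by" pairs, and AS55481 is outside every special-use range, so a range check alone does not flag it.

```python
# Special-use AS number ranges (inclusive) and the document that reserves them.
SPECIAL_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

def parse_asn(text):
    """Accept 'AS64521', '64521' or asdot '65535.100'; return the integer."""
    text = text.strip().upper()
    if text.startswith("AS"):
        text = text[2:]
    if "." in text:
        high, low = (int(part) for part in text.split("."))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("asdot halves must fit in 16 bits")
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= 4294967295:
        raise ValueError("ASN out of 32-bit range")
    return asn

def to_asdot(asn):
    """Render a 32-bit ASN as high.low, which exposes the 16-bit halves."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"

def classify(asn):
    """Return the special-use label for an ASN, or None if it has none."""
    for low, high, label in SPECIAL_RANGES:
        if low <= asn <= high:
            return label
    return None

def bogons_in_path(as_path):
    """Return [(asn, label)] for special-use ASNs in a space-separated AS path."""
    hits = [(parse_asn(tok), classify(parse_asn(tok))) for tok in as_path.split()]
    return [(asn, label) for asn, label in hits if label]

# Constructed paths: announcing AS followed by the listed ASN as origin.
SAMPLE_PATHS = ["9822 64521", "133178 65535", "2764 4294901860", "1221 55481"]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", [(to_asdot(a), l) for a, l in bogons_in_path(path)])
```

In asdot form the AS2764 entries read 65534.x and 65535.x, which makes their position at the top of the 32-bit space visible at a glance.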

Spoofer Results

| Session | Timestamp | Client Prefix | ASN | NAT | Spoof Private | Spoof Routable | Adjacency Spoofing |
|---|---|---|---|---|---|---|---|
| 228714 | 2017-05-23 12:47:28 | 180.214.94.x/24 | 9268 (OVERTHEWIRE-AS-AP) | no | received | received | /8 |
| 160215 | 2017-03-07 05:01:32 | 125.63.49.x/24 | 45570 (NETPRES-AS-AP) | no | received | received | /8 |
| 138763 | 2017-02-02 05:34:04 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 134201 | 2017-01-26 04:18:36 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 132112 | 2017-01-19 03:03:17 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 127707 | 2017-01-12 01:47:47 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 123342 | 2017-01-05 00:32:31 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |

https://spoofer.caida.org/recent_tests.php?as_include=&country_include=aus&no_block=1

Conclusion

MANRS Adds Value

• Strong motivations for service providers
  • Significant differentiation for enterprise buyers

• Identifiable value in a vague market
  • Education is required for enterprise

• Enterprises want to know more
  • Security information has value
  • Questions on regulatory involvement…

• Additional revenue opportunities for providers
  • Operational information
  • Information security information feeds
  • Sticky services

Please join us to make routing more secure

• Go to https://www.manrs.org/signup/
  • Provide requested information
  • Please provide as much detail on how Actions are implemented as possible

• We may ask questions and ask you to run a few tests
  • Routing “background check”
  • Spoofer https://www.caida.org/projects/spoofer/

• Your answer to “Why did you decide to join?” may be displayed in the testimonials

• Download the logo and use it

• Become an active MANRS participant

Questions?

• Feel free to contact us if you are interested and want to learn more
  • http://www.routingmanifesto.org/contact/
  • Mail: [email protected]

• Looking forward to your sign-ups:
  • http://www.routingmanifesto.org/signup/