Google, Facebook, Microsoft, Netflix and Cloudflare are among the big-name companies that have joined an industry-led initiative to reduce the ability of threat actors to abuse the internet’s global routing system for cyber attacks.
The Internet Society said today that those providers and others have agreed to follow the Mutually Agreed Norms For Routing Security (MANRS) after content delivery networks (CDNs) and cloud providers were allowed to join. Until now MANRS was limited to network operators and internet exchange points.
Briefly, MANRS members agree to shore up the security of routing and signalling so threat actors can’t manipulate the ways traffic is routed and launch threats such as distributed denial of service attacks.
Content delivery networks and cloud providers don’t exchange packets with other networks, said Andrei Robachevsky, senior director for technology programs at the Internet Society. But, he added, “they connect with a lot of networks on the internet. Everyone wants to peer with a cloud network or a CDN. So the idea is can we leverage their peering power and facilitate some of the improvements in the routing system.
“Big content and cloud providers usually have thousands of networks connecting to them. If they only encourage hygiene and raise awareness of routing security issues among thousands of networks we can’t reach, to actually put filters in place preventing them from emitting incorrect routing information, we expect it will have a big effect.”
MANRS was founded in late 2014 and counts 293 network operators and 48 internet exchange points as members. Canada’s biggest network providers — Bell, Rogers and Telus — have yet to join. U.S. providers who are members include Comcast, a huge cable provider, but not AT&T or Verizon.
Canadian members include the Canarie national university research network, Alberta’s Cybera research network and Quebec’s RISQ network, as well as internet exchange providers TorIX (Toronto), YYCIX (Calgary), YXEIX (Saskatoon), and QIX (Montreal).
In January the World Economic Forum issued a report urging internet service providers to join MANRS.
There are at least 60,000 independent networks that comprise the internet. They exchange what is called reachability information among themselves using the BGP (Border Gateway Protocol) standard. Each network builds its own “map” or routing table of the internet, which it uses to decide where to forward packets. However, the databases of the information held by operators aren’t always accurate. That can cause networks to be hijacked, in addition to service outages.
The Internet Society estimated that in 2017 there were 14,000 routing outages or incidents, including hijacking, leaks, spoofing and large-scale Denial of Service (DoS) attacks.
The MANRS rules encourage members to help prevent the spread of incorrect routing information by filtering announcements in their route servers.
Content delivery networks and cloud providers who sign up agree to follow six actions to improve the resilience and security of the routing infrastructure:
- Prevent propagation of incorrect routing information
- Prevent traffic of illegitimate source IP addresses
- Facilitate global operational communication and co-ordination
- Facilitate validation of routing information on a global scale
- Encourage MANRS adoption
- Provide monitoring and debugging tools to peering partners (optional)
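
The announcement filtering described above can be illustrated by checking each route's origin against a registry of authorised prefixes. This is an added example, not code from the article or from MANRS: the registry contents, function names and accept/drop policy are assumptions, and the three-state result follows the route origin validation model of RFC 6811.

```python
import ipaddress

# Constructed registry of authorised originations: (prefix, max length, origin AS).
# Prefixes and AS numbers are from the ranges reserved for documentation.
AUTHORISED = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64502),
]

def validate(prefix, origin_as, registry=AUTHORISED):
    """Return 'valid', 'invalid' or 'not-found' for one announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for entry_prefix, max_len, entry_as in registry:
        entry = ipaddress.ip_network(entry_prefix)
        if entry.version != route.version or not route.subnet_of(entry):
            continue
        covered = True  # some registry entry covers this address space
        if entry_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but no matching entry: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_announcements(announcements, registry=AUTHORISED):
    """Split (prefix, as_path) announcements into accepted and dropped.

    Assumed policy: drop 'invalid', accept 'valid' and 'not-found'.
    """
    accepted, dropped = [], []
    for prefix, as_path in announcements:
        state = validate(prefix, as_path[-1], registry)  # origin is last AS
        (dropped if state == "invalid" else accepted).append((prefix, state))
    return accepted, dropped

# Constructed sample announcements.
SAMPLE = [
    ("192.0.2.0/24", [64510, 64500]),
    ("192.0.2.0/24", [64510, 64511]),
    ("198.51.100.128/25", [64501]),
    ("198.51.100.192/26", [64501]),
    ("203.0.113.0/24", [64505]),
    ("2001:db8:1::/48", [64502]),
]

if __name__ == "__main__":
    accepted, dropped = filter_announcements(SAMPLE)
    print("accepted:", accepted)
    print("dropped:", dropped)
```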