Let us build a data safehouse

DR. Thomas King, CTO, DE-CIX.

As enterprises exchange more and more data along their digital value chains, they need to take a closer look at how to protect their connections to trusted partners and their digital resources in the cloud. As Internet infrastructure operators, Internet Exchanges (IXs) are tasked with providing a service that customers are happy to trust. Although operating Internet Exchanges is a B2B business activity, in the end, what matters is the trust of the end-users sitting in front of their laptops or cell phones.

For Internet infrastructure operators, it is vital to strengthen and maintain trust in the Internet. For an IX, continual research and development, security audits and certifications, and developing and maintaining best practices are as central to ensuring network security as the provision of additional security services to shield against wilful and accidental damage.

Increasingly, interconnection customers look at the on-top security features an IX provides and at how the interconnection platform is operated. They want evidence that operations follow specific criteria and best practices, and assurance that the IX works securely and reliably.

Enterprises are used to vetting their business partners on security and policy-related topics. Large enterprises rely heavily on their infrastructure partners to provide services and to keep the risk to their operations low. Some of the largest customers connect at one IX location and, wherever possible, at other locations globally using the same operator.

Regardless of the type of network, all have a basic need for routing security, such as protection against BGP prefix hijacks through Resource Public Key Infrastructure (RPKI) origin validation. Protection against DDoS attacks is different, because not all networks are attractive targets for attackers. Customers who run or host game servers for their end-users, for example, usually feel the brunt of a lot of DDoS traffic. This group of customers uses blackholing heavily and can benefit from recent innovations and advances in blackholing services.

At the same time, enterprises tend to have a greater interest in security services because their operations and products often exist in real-world spaces. Take car manufacturers: digital automotive services are becoming more critical, and manufacturers need to ensure that cars do not become inoperable or defective due to an attack or a misconfiguration.

Let us explore what organisations can do to shield their networks from these threats via an IX.

DDoS attacks: Probably the best-known attack type that can be mitigated at an IX is the volumetric DDoS attack. A DDoS attack aims to stop a certain destination from communicating with the Internet by sending it more traffic than it, or the links in front of it, can absorb. For instance, you have a webshop hosted on a web server, and your competitor hates your shop because you are more successful. A DDoS attack on your web server means that your webshop is no longer accessible to your customers. This also means that all your customers will go elsewhere to shop, most likely to your competitor.

Among DDoS techniques, amplification attacks have been particularly powerful over the last couple of years, and ransom DDoS is an emerging threat. However, despite growth in both the number and the volume of attacks, DDoS is currently not developing as aggressively as it has done previously. A lot of work has gone into closing new amplification vectors as they emerge, and the ready availability of DDoS mitigation services from network security companies, some of them free, has also helped. Do not get me wrong, though: we still see these attacks daily.

So, how do we mitigate DDoS? The traditional tool is standard blackholing, also known as remote-triggered blackholing (RTBH): the network under attack announces the attacked IP address, typically as a single /32 tagged with the blackhole community, and the IX drops all traffic to that address while the attack lasts. The good thing is that there is no collateral damage: the attack traffic never reaches the victim's port, so neither the victim's other addresses nor the other networks at the exchange suffer. But the disadvantage is that the blackholed destination still cannot communicate, meaning that, through the mitigation measure, the attacker has ultimately achieved the original objective.

The key to Advanced Blackholing is that traffic to the attacked IP address is no longer dropped wholesale but filtered by transport protocol and port. Amplification attacks lend themselves to this: reflected DNS, NTP or memcached traffic arrives from UDP source port 53, 123 or 11211 respectively, so we can look at exactly which TCP/UDP source and destination ports need to be blocked towards the victim. We block those particular ports, all the other ports stay reachable, and the network can still communicate.

Advanced Blackholing also means that blackholing is no longer a binary switch between "data is flowing" and "no data is flowing". The traffic that is not dropped outright can be rate-limited: rather than hundreds of gigabits per second, the destination receives just 10, 15 or 20 Mbit/s, so it is not entirely overwhelmed. The destination can still handle the load coming in, sort out the garbage and allow legitimate requests to get in and be answered. Communication and service thus remain possible. One caveat: a rate limit does not tell good packets from bad ones, so during an attack some legitimate traffic is dropped along with the flood; the point is that the service degrades rather than disappears.
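To make the difference between the two policies concrete, the following Python is an added example, not code from this article and not DE-CIX's implementation: it models classic RTBH and a port-aware, rate-limited policy and runs both over a constructed 100 ms traffic window (DNS and NTP reflection, a plain UDP flood from random ports, legitimate HTTPS clients, and a neighbour's traffic). The victim and neighbour addresses, the 20 Mbit/s limit and the 50 ms burst are assumptions chosen for the illustration.

```python
"""Classic blackholing versus port-aware, rate-limited blackholing, run over constructed traffic."""
import ipaddress
from dataclasses import dataclass

VICTIM = "203.0.113.10"      # documentation address standing in for the attacked web server (assumed)
NEIGHBOUR = "203.0.113.11"   # another host behind the same IX port (assumed)


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    size: int     # bytes on the wire
    label: str    # constructed ground truth, used only for the accounting below


def rtbh_policy(victim):
    """Classic remote-triggered blackholing: the victim address (a /32) is announced with the
    blackhole community, so every packet to it is discarded, whatever protocol or port."""
    v = ipaddress.ip_address(victim)
    return lambda pkt: "drop" if ipaddress.ip_address(pkt.dst) == v else "pass"


class TokenBucket:
    """Byte-based token bucket: a sustained rate in bit/s plus an allowed burst in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0       # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, t, size):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def advanced_policy(victim, drop_rules, limit_mbps):
    """Port-aware blackholing in the spirit of Advanced Blackholing (a model, not DE-CIX's
    implementation): (protocol, source port) pairs that identify reflection traffic are dropped
    outright, everything else to the victim is rate-limited to limit_mbps, and traffic to any
    other destination is untouched."""
    v = ipaddress.ip_address(victim)
    bucket = TokenBucket(limit_mbps * 1e6, limit_mbps * 1e6 / 8 * 0.05)   # 50 ms worth of burst

    def policy(pkt):
        if ipaddress.ip_address(pkt.dst) != v:
            return "pass"
        if (pkt.proto, pkt.sport) in drop_rules:
            return "drop"
        return "pass" if bucket.allow(pkt.t, pkt.size) else "drop"

    return policy


def sample_traffic():
    """Constructed 100 ms window: DNS and NTP reflection, a plain UDP flood, legitimate HTTPS
    clients of the victim, and the neighbour's own traffic."""
    pkts = []
    for i in range(1000):   # DNS reflection: UDP source port 53, 1400 B packets, ~112 Mbit/s
        pkts.append(Packet(i * 1e-4, VICTIM, "udp", 53, 30000 + i, 1400, "dns_amp"))
    for i in range(500):    # NTP monlist reflection: UDP source port 123
        pkts.append(Packet(i * 2e-4, VICTIM, "udp", 123, 40000 + i, 468, "ntp_amp"))
    for i in range(1000):   # UDP flood from changing high ports: no fixed port to match on
        pkts.append(Packet(i * 1e-4 + 5e-5, VICTIM, "udp", 50000 + i % 100, 80, 1400, "udp_flood"))
    for i in range(50):     # legitimate HTTPS requests, small packets, one every 2 ms
        pkts.append(Packet(i * 2e-3, VICTIM, "tcp", 51000 + i, 443, 120, "https"))
    for i in range(50):     # neighbour's HTTPS traffic, which must never be touched
        pkts.append(Packet(i * 2e-3, NEIGHBOUR, "tcp", 52000 + i, 443, 120, "neighbour"))
    return sorted(pkts, key=lambda p: p.t)   # stable sort keeps insertion order for equal times


def passed_per_label(policy, packets):
    """Count, per traffic class, how many packets the policy lets through to the destination."""
    counts = {p.label: 0 for p in packets}
    for p in packets:
        if policy(p) == "pass":
            counts[p.label] += 1
    return counts


def compare(limit_mbps=20):
    traffic = sample_traffic()
    reflector_ports = {("udp", 53), ("udp", 123)}
    return {
        "rtbh": passed_per_label(rtbh_policy(VICTIM), traffic),
        "advanced": passed_per_label(advanced_policy(VICTIM, reflector_ports, limit_mbps), traffic),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(name, counts)
```

Under the RTBH policy only the neighbour's packets survive: the webshop is off the air, exactly as the attacker wanted. Under the port-aware policy the DNS and NTP reflection is gone entirely, all of the small HTTPS requests get through, and the UDP flood that matches no reflector port is cut down to roughly the 20 Mbit/s budget, about a quarter of its packets in this window. That remainder is what the victim still has to sort through.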

IP hijacking: Another risk to networks on the Internet is routing insecurity through IP hijacking, also known as BGP prefix hijacking. Suppose that, as a malicious actor, you want to wiretap the traffic that goes to an IP destination somewhere on the Internet because you want to steal the credit card details of a shop's customers.

You can start announcing the IP space of the webshop in BGP, and if you do it right, for example by announcing a more specific prefix than the legitimate one, which routers prefer over the shorter prefix, you will receive all the requests destined for the webshop. You can either drop the traffic so that the customers' orders go unanswered, or you can pass it on to the webshop, having gleaned the information you wanted. This kind of IP hijacking can occur either by accident or on purpose.

There have been incidents where people have presumably done it on purpose, rerouting traffic from a bank, for instance, or Bitcoin mining traffic. But other incidents have certainly been accidental. YouTube was taken offline in 2008 when Pakistan Telecom announced a more specific prefix of YouTube's address space, meant to block the site domestically, and the announcement leaked to the global Internet. Traffic from around the world flowed to Pakistan Telecom, whose network was not big enough to handle all the queries going to YouTube, and was dropped.

With the increasing number of networks and amount of IP space connected to the Internet, society's growing dependency on digital infrastructure, and the rising value of the data being shared, it stands to reason that IP hijacking, whether malicious or unintended, will keep growing. There are more players on the field. The Internet Society's MANRS project found close to a 40% increase in IP hijacking incidents from 2019 to 2020, which is undoubtedly worrying.

Technologies like RPKI Route Origin Validation (ROV) and IRR filtering mitigate the problem. With RPKI, the holder of an address block publishes a cryptographically signed Route Origin Authorisation (ROA) stating which Autonomous System may originate the prefix and up to which prefix length. A router performing origin validation compares every BGP announcement against the ROAs: if the origin AS or the prefix length does not match an authorisation, the announcement is marked invalid and can be filtered out very easily. This makes it much harder to accidentally announce the wrong IP space through a typing mistake or similar, and just as hard to hijack someone's space with a more specific prefix. Internet Routing Registry (IRR) filtering, on the other hand, builds prefix filters from the route objects that networks register in the IRR databases, to prevent the propagation of incorrect routing information. IRR filtering has been deployed in the Internet infrastructure for years, whereas RPKI origin validation has only become widely available recently. The practical difference is that IRR data is not cryptographically verified, so a stale or bogus route object can pass an IRR filter, while a ROA is signed under the Regional Internet Registry that allocated the space.

Added to this, there is BGPsec, which the IETF has standardised in RFC 8205. Origin validation only checks the rightmost AS in the path, so a hijacker can still pass ROV by appending the legitimate origin AS to a forged path. BGPsec closes this gap by having every AS along the path sign the announcement with keys from the same RPKI, so that the whole AS path can be verified. Origin validation based on RPKI together with BGPsec would come close to complete protection against hijacks. However, BGPsec has one major drawback: it is very resource intensive on Internet routers, and it has not been deployed in practice. It is still at least a couple of years away from deployment, if ever, so it is certainly not a short-term fix.
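The origin-validation logic described above, and the forged-origin gap that BGPsec is meant to close, as an added example in Python (not code from this article and not a real validator such as a router's RPKI implementation): a small RFC 6811 validator is run against a constructed ROA set and a handful of BGP updates, using documentation prefixes and private ASNs (AS 64500 as the webshop, AS 64666 as the hijacker, AS 64496 as the neighbour we hear routes from), all of which are assumptions. It also shows an AS0 ROA, which marks any origin for unannounced space as invalid.

```python
"""RPKI Route Origin Validation (RFC 6811) against a constructed ROA set and BGP updates."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # address block the holder signed for
    max_length: int   # longest prefix length the origin may announce within it
    asn: int          # authorised origin AS (0 means nobody may originate this space)


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple    # leftmost = neighbour we heard it from, rightmost = origin AS


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def rov(prefix, origin_as, roas):
    """RFC 6811 validation state of one announcement.
    NOT_FOUND: no ROA covers the prefix.
    VALID: a covering ROA names origin_as and allows this prefix length.
    INVALID: covering ROAs exist but none matches origin and length."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                       # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID if covered else NOT_FOUND


def validate(updates, roas):
    """Validation state of every update, keyed by (prefix, AS path)."""
    return {(u.prefix, u.as_path): rov(u.prefix, u.as_path[-1], roas) for u in updates}


def accepted(updates, roas):
    """The usual deployment policy: drop INVALID, keep VALID and NOT_FOUND. Much of the Internet
    still has no ROA, so rejecting NOT_FOUND would cut off legitimate networks."""
    return [u for u in updates if rov(u.prefix, u.as_path[-1], roas) != INVALID]


# Constructed scenario (assumed addresses and ASNs; documentation space and private ASNs only).
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),   # webshop: only AS 64500 may originate it, and only as a /24
    Roa("198.51.100.0/24", 24, 0),      # held but unannounced space, locked with an AS0 ROA
]

UPDATES = [
    Update("203.0.113.0/24", (64496, 64500)),          # legitimate announcement
    Update("203.0.113.0/25", (64496, 64666)),          # more-specific hijack, the YouTube 2008 pattern
    Update("203.0.113.0/24", (64496, 64666)),          # same prefix, wrong origin (typo or hijack)
    Update("203.0.113.0/24", (64496, 64666, 64500)),   # forged origin: attacker appends AS 64500
    Update("198.51.100.0/24", (64496, 64666)),         # squatting on the dormant space
    Update("192.0.2.0/24", (64496, 64777)),            # no ROA at all
]


if __name__ == "__main__":
    for (prefix, path), state in validate(UPDATES, ROAS).items():
        print(f"{prefix:18} path {' '.join(map(str, path)):20} {state}")
```

The more-specific hijack and the wrong-origin announcement both come back invalid and are dropped, the AS0 ROA catches the squatter, and the prefix without a ROA is simply not-found and still accepted. The fourth update is the instructive one: the attacker's path ends in the legitimate origin AS, so origin validation rates it valid even though AS 64500 never sent it. Only path validation, which is what BGPsec adds, could reject it.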

ASN hijacking: Every network that wants to be part of the Internet needs an Autonomous System Number (ASN). By originating routes with someone else's ASN, you can pretend to be somebody else. This is used maliciously, mainly for sending unwanted stuff like spam and carrying out DDoS attacks, while the abuse appears to come from the ASN's legitimate holder. We have seen ASN hijacking in particular with companies that have registered an ASN but, for whatever reason, are currently not announcing it to the Internet: with no live announcements of their own to conflict with the hijacker's, the abuse goes unnoticed for longer.

It is tough to ascertain who is behind the number, the legitimate owner or a malicious actor. It looks as if the legitimate owner is misbehaving, resulting in them being blocklisted or experiencing far worse reputation problems. Therefore, I encourage companies to keep an eye on their AS number even if they are currently not using it: watch public BGP data for announcements originated by your ASN, and create ROAs for your prefixes, including AS0 ROAs for address space you hold but do not announce, so that anyone originating it is marked invalid.

 

HOW TO OPTIMISE NETWORK COMMUNICATION?

From a different angle, although it is not new, Bidirectional Forwarding Detection (BFD) has for some reason not yet become well established. This is a shame, because it is very useful for making network communication more robust. If two networks or pieces of infrastructure share a link and want to ensure that data is flowing in both directions, BFD is the protocol for it: each side sends small control packets at a negotiated interval, and the session is declared down as soon as a configurable number of consecutive packets from the peer fail to arrive. At an IX this matters more than on a direct cable, because peers reach each other through the exchange's switch fabric: a fault in the fabric or on the peer's port does not bring your own interface down, so without BFD both routers keep forwarding into a black hole until the BGP session itself times out.

Without BFD, a BGP session only notices the failure when its hold timer expires, typically between 90 seconds and a few minutes depending on the configuration, and in the meantime the data you thought you were exchanging is being dropped on the floor, so communication is not happening. With BFD, an issue can be detected in seconds or even milliseconds, so the parties can stop sending data over the broken link and take an alternative route. Networks would be well advised to use BFD to detect any issue quickly and reroute traffic automatically.
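The timing argument above, as an added simulation in Python (not code from this article): it negotiates BFD intervals the way RFC 5880 prescribes, then lets a constructed peer send BFD control packets and BGP keepalives until the path silently fails, and reports when each mechanism would declare the neighbour down. The peer's timer values, the moment of failure, and the 30-second keepalive with a 90-second hold timer are assumptions.

```python
"""BFD failure detection (RFC 5880 timer negotiation) versus BGP hold-timer expiry, simulated."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdParams:
    desired_min_tx_ms: int   # DesiredMinTxInterval: the fastest this system wants to send
    required_min_rx_ms: int  # RequiredMinRxInterval: the fastest this system can receive
    detect_mult: int         # DetectMult: missed intervals tolerated before declaring Down


def negotiated_tx_interval_ms(sender, receiver):
    """A system never transmits faster than its peer is willing to receive (RFC 5880, 6.8.2)."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local, remote):
    """How long we tolerate silence from the peer before declaring the session Down
    (RFC 5880, 6.8.4): the peer's DetectMult times the interval the peer actually uses
    towards us."""
    return remote.detect_mult * negotiated_tx_interval_ms(remote, local)


def first_detection_ms(peer_packet_times_ms, detect_ms, window_end_ms):
    """Scan the arrival times of the peer's packets inside an observation window and return
    the moment the detection timer first expires (the first gap longer than detect_ms, the
    silence after the last packet included). None means the peer was never declared down."""
    times = list(peer_packet_times_ms) + [window_end_ms]
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev > detect_ms:
            return prev + detect_ms
    return None


def simulate(local, remote, link_fails_ms, window_ms=200_000,
             bgp_keepalive_ms=30_000, bgp_hold_ms=90_000):
    """Constructed scenario: the peer sends BFD control packets at the negotiated interval and
    BGP KEEPALIVEs every bgp_keepalive_ms until the path fails at link_fails_ms. Both sides'
    interfaces stay up, as they would across an IX switch fabric, so only timers can notice."""
    bfd_interval = negotiated_tx_interval_ms(remote, local)
    bfd_rx = list(range(0, link_fails_ms, bfd_interval))
    bgp_rx = list(range(0, link_fails_ms, bgp_keepalive_ms))
    detect = detection_time_ms(local, remote)
    return {
        "bfd_detection_time_ms": detect,
        "bfd_down_ms": first_detection_ms(bfd_rx, detect, window_ms),
        "bgp_down_ms": first_detection_ms(bgp_rx, bgp_hold_ms, window_ms),
    }


if __name__ == "__main__":
    us = BfdParams(desired_min_tx_ms=100, required_min_rx_ms=100, detect_mult=3)
    peer = BfdParams(desired_min_tx_ms=300, required_min_rx_ms=300, detect_mult=3)
    print(simulate(us, peer, link_fails_ms=35_000))
```

With these values the peer only agrees to a 300 ms interval, so the detection time is 3 × 300 ms = 900 ms: the failure at 35 s is declared at 35.7 s, while BGP on its own would wait until the hold timer runs out at 120 s, a good minute and a half of traffic dropped on the floor. The detection multiplier is also what keeps a single delayed packet from flapping the session, which the `first_detection_ms` helper shows when a gap stays under the detection time.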


KEY TAKEAWAYS

  • The goal of a DDoS attack is to stop a certain destination from communicating with the Internet.
  • Advanced Blackholing ensures that blackholing is no longer a binary switch between "data is flowing" and "no data is flowing". It can filter by port and limit how much traffic reaches the destination.
  • Technologies like Resource Public Key Infrastructure (RPKI) Origin Validation and IRR filtering mitigate IP hijacking.
  • By hijacking someone’s Autonomous System Number (ASN), one can pretend to be somebody else. Hence, companies must keep an eye on their ASN, even if they are not using it.

As data across the enterprise value chain increases, IX platforms have a bigger role in shielding networks from malicious and accidental security incidents.
