Cloud Providers, CDNs Team Up to Battle Internet Routing Attacks

cdns netflix internet routing attacks

A group of CDNs and cloud providers are joining in on a fight against common internet routing attacks.

A group of tech giants – including Akamai, Amazon Web Services, Cloudflare, Facebook, Google, Microsoft and Netflix – are banding together to battle route hijacking, route leaks and IP address-spoofing attacks targeting internet users.

They’re coming together under a program was introduced this week by the Mutually Agreed Norms for Routing Security (MANRS) global initiative. MANRS over the past six years has worked to build up a team of 300 network operators, internet exchange points (IXPs) and other companies to provide “crucial fixes to reduce the most common routing threats.”

MANRS’ latest program brings in content delivery networks (CDNs), like Akamai and Cloudflare, which are geographically distributed groups of servers that provide quick delivery of internet content worldwide. Also included are cloud providers like Microsoft and AWS, which offer network services, infrastructure or cloud-based applications via the internet or private interconnections. Members in the program are tasked with taking specific steps to improve the resilience and security of the routing infrastructure.

The internet routing process is complex; exchanged traffic for instance runs on Border Gateway Protocol (BGP), a protocol that joins different networks together to build a “roadmap” of the internet. BGP however does not have built-in validation mechanisms, which can expose businesses to attacks such as route hijackingroute injection attacks, IP address spoofing and more, which allow attackers to snoop in on victim traffic.

“It is only through collective action and a shared sense of responsibility that we can address problems like BGP leaks, hijacks, [distributed denial-of-service] (DDoS) attacks and IP address-spoofing that have real-world consequences for millions of people,” according to MANRS in a post this week. “We must work together to build a more resilient and secure internet infrastructure.”

The initiative comes as the level of online traffic is expected to rapidly spike, as more people use online tools to communicate while they socially isolate themselves during the coronavirus pandemic. Over half of all online traffic today is being served through CDNs, making their participation in the initiative paramount.

“While CDN and cloud are basically edge networks, their impact on routing security can be significant. Several known incidents showed that an edge network, even a small one, can cause havoc on the internet by leaking routes,” according to MANRS.

The new program asks CDN and cloud provider members to take five security steps:

  • Prevent propagation of incorrect routing information, which can be done by defining a clear network routing policy
  • Prevent traffic of illegitimate source IP addresses, by implementing anti-spoofing controls to prevent packets with illegitimate source IP address from leaving the network
  • Facilitate global operational communication and coordination, by maintaining globally accessible up-to-date contact information in PeeringDB (a freely available web-based database of networks that are interested in peering) and relevant databases
  • Facilitate validation of routing information on a global scale, by publicly documenting prefixes that are intended to be advertised to external parties
  • Encouraging adoption “good practices on routing security” encouraged by MANRS

“MANRS helps by requiring egress routing controls, so networks can prevent such incidents from happening,” according to the organization. “Secondly, leveraging CDNs’ and cloud providers’ peering power can have significant positive spillover effect on the routing hygiene of networks they peer with. In other words, if CDNs and cloud providers do their part to improve routing security and demand better practices from their customers, their customers will in turn step up their efforts, and together the internet will be better and safer for all of us.”

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles