Russia And China Hijack Your Internet Traffic: Here's What You Do – Forbes


Last June, there was a media frenzy following a massive rerouting of European internet traffic through state-owned China Telecom. Earlier this month, hundreds of content delivery networks, servicing the likes of Facebook, Google and Amazon, were redirected through state-owned Rostelecom in Russia. Welcome to the world of BGP leaks or, worse, BGP hijacks, and get ready to join the call for better security.

The Border Gateway Protocol, BGP, is the postal service of the internet. Just like FedEx or DHL, the internet needs a system to find efficient routes from A to B, hopping from point to point across the autonomous systems that span the globe.

BGP mistakes are common. But when they result in our traffic routing through state-owned systems in China and Russia, we should take note. Most mistakes last seconds, but the China Telecom incident persisted for two hours, "and two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications," warned Oracle's head of internet analysis.

The U.S. government now wants China Telecom banned from providing services in the U.S., citing "substantial and unacceptable national security and law enforcement risks associated with China Telecom's operations."

The dangers of hijacked internet traffic have diminished with encryption. But if data flows through a state actor's systems, it can be sucked into storage, analyzed for weaknesses, even attacked later with new tools and techniques. The fact that Russia and China seem more at fault than others might just be a coincidence. Or it might be that they're exactly where you don't want your traffic taking a detour.

Thankfully, there are measures that can now put an end to this risk, but only if everyone plays along. "The internet is too vital to allow this known problem to continue any longer," Cloudflare, the web infrastructure and CDN player, warned in a blog post on Friday (April 17). "It's time to make BGP safe. No more excuses."

Cloudflare advocates the widespread adoption of RPKI, Resource Public Key Infrastructure, which has been around for some time but seems slow to catch on. "Hundreds of networks of all sizes have done a tremendous job over the last few years, but there is still work to be done. If we observe the customer-cones of the networks that have deployed RPKI, we see around 50% of the Internet is more protected against route leaks." That's great, but it's nothing like enough.

And so the company has launched a new service, "Is BGP safe yet," which enables internet users to test whether their internet service providers are secure, and if not to publicize the fact. Clearly we're in fairly niche territory here and we won't see millions pick this up, but a few high-profile tweets and media reports might focus minds and prompt more ISPs into action.

The twist with BGP errors is that it's tricky to differentiate malicious attacks from dumb mistakes. On the malicious side, though, the lack of security tempts state actors to present false information to the internet, tricking traffic into heading their way. "A BGP hijack," Cloudflare explains, "occurs when a malicious node deceives another node, lying about what the routes are for its neighbors."

The distributed nature of the internet means such false information can propagate from node to node, until a large number of nodes now know about, and attempt to use, these incorrect, nonexistent, or malicious routes.

BGP Hijack

RPKI is a crypto-based validation tool, which means nodes don't have to rely on what they're being told by other, potentially malicious, nodes. They can verify that what they're being told is true and bypass nodes when that's not the case. RPKI allows the network to protect itself by invalidating the malicious routes.

BGP made safe
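To make the validation step concrete, here is an added example (not from the article or from Cloudflare) of the route origin check that RPKI enables, following the valid / invalid / not-found states defined in RFC 6811. It assumes the signed route origin authorizations (ROAs) have already been fetched and cryptographically verified; the ROA table, prefixes and AS numbers below are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and ASNs, not real data):
# (authorized prefix, maximum announced prefix length, authorized origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64502),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != announced.version:
            continue  # an IPv4 ROA never covers an IPv6 route, and vice versa
        # A ROA covers the route if the announced prefix sits inside the ROA prefix.
        if not announced.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the authorized origin AS and a prefix that is
        # no more specific than the ROA's maximum length.
        if roa_asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def filter_routes(announcements, roas=ROAS):
    """Drop RPKI-invalid routes; keep valid and not-found ones."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) != "invalid"]
```

A prefix with no covering ROA comes back as not-found rather than invalid, which is why networks that never publish ROAs get no protection from their neighbors' filtering.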

As with data and DNS encryption, tracking bans and internet security more broadly, this is important. The internet evolved over decades as a fragmented, unplanned group-think. We are now applying bandages to the obvious weaknesses and attempting surgery for the more glaring problems. In the meantime, it won't hurt for you to test your ISP and nudge them in the right direction while stuck at home.
