Stories
Slash Boxes
Comments

SoylentNews is people

New Cloudflare Tool Can Tell You If Your ISP Has Deployed BGP Fixes

posted by janrinok on Wednesday April 22 2020, @04:04AM   Printer-friendly
from the it's-an-accident,-honest! dept.

upstart writes in with an IRC submission for AnonymousCoward:

New Cloudflare tool can tell you if your ISP has deployed BGP fixes:

For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw.

BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack. Just last week, United States Executive Branch agencies moved to block China Telecom from offering services in the US, because of allegedly malicious activity that includes BGP attacks. Companies like Cloudflare sit on the front lines of the BGP blowback. And while the company can't fix the problem directly, it can call out those that are slow to contribute defenses.

On Friday, the company launched Is BGP Safe Yet​, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.​

[...] "BGP is a 40-plus-year-old protocol, it's a miracle the internet has worked on what is really just a trust-based system for as long as it has," Prince says. "Obviously it makes sense to have more verification, because anything else is madness. And yet! It's taken a long time to actually get that implemented. Hopefully we can put a little bit of public pressure on."

Original Submission

 
This discussion has been archived. No new comments can be posted.
New Cloudflare Tool Can Tell You If Your ISP Has Deployed BGP Fixes | Log In/Create an Account | Top | 7 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Informative) by Anonymous Coward on Wednesday April 22 2020, @05:44AM (1 child)

    by Anonymous Coward on Wednesday April 22 2020, @05:44AM (#985685)

    Here is a more balanced story about the issues involved and specifically mentions the dangers of popularizing technical discussions like this: https://www.aa.net.uk/etc/news/bgp-and-rpki/ [aa.net.uk]

    Starting Score:    0  points
    Moderation   +5  
       Insightful=1, Interesting=1, Informative=3, Total=5
    Extra 'Informative' Modifier   0  
    Total Score:   5  

  • (Score: 5, Interesting) by zocalo on Wednesday April 22 2020, @08:47AM

    by zocalo (302) on Wednesday April 22 2020, @08:47AM (#985701)
    +1 - Very important to get the other side of the argument here since there are multiple solutions to the issues surrounding BGP, and Cloudflare's tool is only really tackling one of them. Just because a given ISP fails Cloudflare's test doesn't necessarily mean that they are not securely handling BGP, and I think it's rather disengenious of Cloudflare to fail to make that point, when they make is so easy to advertise the "failure". Especially so, since many ISPs are now getting flack from their customers and the media - most of whom have no idea what BGP even is, let alone how it works or what is required to secure it - that now incorrectly believe they are insecure because of Cloudflare's tool.

    Besides, it's hardly a secret in the ISP routing world that a major problem here is actually policy, specifically a requirement to accept ARIN's Trust Anchor Locator (TAL), which many ISPs, especially those outside the ARIN region, will not or cannot accept. Ever wondered why most BGP hijacks are of data from US ISPs? There's a major reason. That said, despite ALL major BGP router vendors having config templates for securing BGP routing tables, containing fat-finger errors, and filtering bogus routes readily available, there's still a depressingly large number of ISPs around the world that have yet to implement them.
    --
    UNIX? They're not even circumcised! Savages!