New Cloudflare tool can tell you if your ISP has deployed BGP fixes:
For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw.
BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack. Just last week, United States Executive Branch agencies moved to block China Telecom from offering services in the US, because of allegedly malicious activity that includes BGP attacks. Companies like Cloudflare sit on the front lines of the BGP blowback. And while the company can't fix the problem directly, it can call out those that are slow to contribute defenses.
On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.
[...] "BGP is a 40-plus-year-old protocol, it's a miracle the internet has worked on what is really just a trust-based system for as long as it has," Prince says. "Obviously it makes sense to have more verification, because anything else is madness. And yet! It's taken a long time to actually get that implemented. Hopefully we can put a little bit of public pressure on."
(Score: 5, Informative) by Anonymous Coward on Wednesday April 22 2020, @05:44AM (1 child)
Here is a more balanced story about the issues involved and specifically mentions the dangers of popularizing technical discussions like this: https://www.aa.net.uk/etc/news/bgp-and-rpki/ [aa.net.uk]
(Score: 5, Interesting) by zocalo on Wednesday April 22 2020, @08:47AM
Besides, it's hardly a secret in the ISP routing world that a major problem here is actually policy, specifically a requirement to accept ARIN's Trust Anchor Locator (TAL), which many ISPs, especially those outside the ARIN region, will not or cannot accept. Ever wondered why most BGP hijacks are of data from US ISPs? There's a major reason. That said, despite ALL major BGP router vendors having config templates for securing BGP routing tables, containing fat-finger errors, and filtering bogus routes readily available, there's still a depressingly large number of ISPs around the world that have yet to implement them.
UNIX? They're not even circumcised! Savages!