
You Can Now Check If Your ISP Uses Basic Security Measures (wired.com) 28

"Is BGP Safe Yet" is a new site that names and shames internet service providers that don't tend to their routing. From a report: For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.

[...] On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.

  • by mlw4428 ( 1029576 ) on Monday April 20, 2020 @12:51PM (#59968890)
    Comcast wouldn't exist.
  • What ISP do you recommend?

    What company provides the best web site hosting?
    • What ISP do you recommend?

      Based on what? Because the article in question is talking about BGP security, a topic that 99% of people reply with "huh", and the other 1% reply with "meh".

      • by bn-7bc ( 909819 )
        Well, my reaction was: poor Comcast customers. And it seems like RPKI is slowly rolling out around the world, finally. What took ISPs so long?
  • by blahblahwoofwoof ( 2287010 ) on Monday April 20, 2020 @12:56PM (#59968916)

    x-post from a comment on Ars Technica: https://www.aa.net.uk/etc/news... [aa.net.uk]

    I am not an expert on BGP, but the response from Arnold&Arnold, linked above, appears to make some good points.

    • by guruevi ( 827432 ) on Monday April 20, 2020 @01:14PM (#59968996)

      It is a response with some legitimate concerns, but it basically boils down to this: we don't trust SSL certificates because a court could still order xyz to shut down a route giving a false sense of security. While that is true, it is better than nothing. You also don't HAVE to trust blindly because certificates are in place, you could come up with a PKI for self-signed certificate systems where you explicitly trust a particular provider or even have levels of trust. If an order goes in place, it is possible that with obligatory certificates, you end up shutting out an entire country until the law or order gets revoked but that is kind of what you want - a MAD situation so nobody dares to order a legal redirect since you end up instantly revoking all your own Internet access.

      In short, many providers won't change because it costs money (a ton of money as a lot of high-end switches are custom programmed and hardwired) really hard to interfere with BGP, you almost need root or physical access to the routers, at which point it's game over, regardless of the system you use. Cloudflare wants you to use it because they're new and hip and they support it, so pay them to make sure your traffic won't be blackholed.

      • While that is true, it is better than nothing.

        But is it? I think if the past examples are anything to go by then BGP hijacks don't go unnoticed and don't stay in effect very long. At that point wouldn't a false sense of security be worse than no security?

        I mean we don't hear of this much. The internet is a sick place, and companies pull a lot of stops to prevent the spread of malware and fraud, hell daily we hear a topic about COVID-19 spam emails and fraud, even on the Slashdot front page. But the only cases we hear of something going wrong with BGP r

        • by Cyberax ( 705495 )

          But is it? I think if the past examples are anything to go by then BGP hijacks don't go unnoticed and don't stay in effect very long. At that point wouldn't a false sense of security be worse than no security?

          ACCIDENTAL route leaks don't stay unnoticed long. Intentional hijacks can be quite sneaky and hard to detect.

        • by guruevi ( 827432 )

          Better monitoring systems would help, it also does help to know if a particular BGP route is advertised but not signed or mutually trusted. You could also internally divide signing power between multiple employees, so if one makes a mistake, 2 or 3 have to sign off on it.

      • I think I'll set up my own alternative site, isbgpsafeyet.org or something. When you go there it'll be a single static page that displays a big "No" in a 72-point font. Conveys all the information you need on BGP without the effort of setting up a full site.
      • It's worse than that. Firstly, RPKI has been around for years but has never taken off because it's PKI. If it was going to work, it would have worked by now.

        Secondly, the blacklisting concerns are legitimate, and one of the reasons why many countries haven't signed up to RPKI, it's the ultimate cryptographically enforced censorship mechanism. If some government, or more likely some commercial interest like the MAFIAA or IFPI or BVMI or whatever decide you shouldn't exist, RPKI will enforce that.

        So RP

  • by dills ( 102733 ) on Monday April 20, 2020 @01:21PM (#59969034) Homepage

    There's nothing "basic" about RPKI.

    Is it useful? Yes. Is it more secure than not using it? Yes.

    Is it easy to deploy? No.

    Is it basic? There's nothing about it that is basic.

    • "Basic" measures would be filtering using prefix-lists derived from IRR data. ...and far too many ASs don't even implement that.

    • by bbn ( 172659 )

      Took me about an hour to deploy. It can in fact be very easy but does require that your router has support of course.

  • Failure!
  • I would rather shame my ISP about lack of IPv6, but eh, I'll take what I can.
  • Is BGP Safe Yet

  • Your ISP (Shaw Cablesystems, AS6327) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

    fetch https://valid.rpki.cloudflare.... [cloudflare.com]
    correctly accepted valid prefixes

    fetch https://invalid.rpki.cloudflar... [cloudflare.com]
    incorrectly accepted invalid prefixes

    Now if someone else can post Telus from western Canada, that would be very interesting.

  • And what does RPKI implementation do to internet anonymity?
