


You Can Now Check If Your ISP Uses Basic Security Measures (wired.com) 28
"Is BGP Safe Yet" is a new site that names and shames internet service providers that don't tend to their routing. From a report: For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.
[...] On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.
If ISPs could be shamed... (Score:5, Funny)
Re: (Score:2)
I'm shocked — shocked — that Comcast sucks... the same Comcast whose performance on my 50/10 cable service degraded to 1/10 before I finally gave up and unplugged my cable modem and plugged it back in, and immediately afterwards, gave me 100/50.
If this is "business class" service, I'd hate to see what sort of crap the plebs put up with.
Recommendations? (Score:2)
What company provides the best web site hosting?
Re: (Score:2)
What ISP do you recommend?
Based on what? Because the article in question is talking about BGP security, a topic that 99% of people reply with "huh", and the other 1% reply with "meh".
Re: (Score:1)
Not all ISPs think this is a good thing.. (Score:5, Interesting)
x-post from a comment on Ars Technica: https://www.aa.net.uk/etc/news... [aa.net.uk]
I am not an expert on BGP, but the response from Arnold&Arnold, linked above, appears to make some good points.
Comment removed (Score:4, Interesting)
Re: (Score:2)
While that is true, it is better than nothing.
But is it? I think if the past examples are anything to go by then BGP hijacks don't go unnoticed and don't stay in effect very long. At that point wouldn't a false sense of security be worse than no security?
I mean we don't hear of this much. The internet is a sick place, and companies pull a lot of stops to prevent the spread of malware and fraud, hell daily we hear a topic about COVID-19 spam emails and fraud, even on the Slashdot front page. But the only cases we hear of something going wrong with BGP r
Re: (Score:3)
But is it? I think if the past examples are anything to go by then BGP hijacks don't go unnoticed and don't stay in effect very long. At that point wouldn't a false sense of security be worse than no security?
ACCIDENTAL route leaks don't stay unnoticed long. Intentional hijacks can be quite sneaky and hard to detect.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
It's worse than that. Firstly, RPKI has been around for years but has never taken off because it's PKI. If it was going to work, it would have worked by now.
Secondly, the blacklisting concerns are legitimate, and one of the reasons why many countries haven't signed up to RPKI, it's the ultimate cryptographically enforced censorship mechanism. If some government, or more likely some commercial interest like the MAFIAA or IFPI or BVMI or whatever decide you shouldn't exist, RPKI will enforce that.
So RP
Re: Not all ISPs think this is a good thing.. (Score:2)
"Continuing to blame Google when an ISP allows that ISP's traffic destined towards Google to be hijacked to Russia does not sound like a good idea to me.
Why blame Google for something out of their control? Only an ISP can control their own network, and when the ISP allows any random actor on the Internet to redirect it, this is clearly and completely the fault of the ISP."
But, can we blame Google for being on the "unsafe ISP" list (since they are)?
"basic" security measures? (Score:3)
There's nothing "basic" about RPKI.
Is it useful? Yes. Is it more secure than not using it? Yes.
Is it easy to deploy? No.
Is it basic? There's nothing about it that is basic.
Re: (Score:2)
"Basic" measures would be filtering using prefix-lists derived from IRR data. ...and far too many ASs don't even implement that.
Re: (Score:2)
Took me about an hour to deploy. It can in fact be very easy but does require that your router has support of course.
Charter FAILS (Score:2)
What to shame about (Score:2)
Unicode shame website? (Score:2)
Is BGP Safe YetÃ
Shaw Cablesystems from western Canada (Score:2)
Your ISP (Shaw Cablesystems, AS6327) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.
fetch https://valid.rpki.cloudflare.... [cloudflare.com]
correctly accepted valid prefixes
fetch https://invalid.rpki.cloudflar... [cloudflare.com]
incorrectly accepted invalid prefixes
Now if someone else can post Telus from western Canada, that would be very interesting.
Does it matter if my VPN fails this test? (Score:1)