Adding a New Layer of Security to the Global Internet
As internet traffic continues to surge, Adam Davenport, director of interconnection strategy at GTT, explores the steps that must be taken to better protect consumers and businesses against route leaks and hijacks.
Throughout the COVID-19 pandemic, more and more people have relied on the internet to stay connected while keeping their distance. As a result, internet traffic has surged by around 30% since March. Putting that into context, it’s a volume of growth we’d typically expect for an entire year.
Managing this explosion in traffic and transporting it throughout the world without compromising delivery speeds or the user experience is a big challenge. It’s a challenge that Tier 1 operators like GTT — which make up the core of the world’s internet — take on every day. However, another issue that is equally as important but is talked about less often is the challenge to ensure the internet is equipped with more robust security measures for the websites and cloud applications so many of us rely on every day.
The threats to web traffic
Internet traffic “hops” from point to point across the autonomous systems that span the globe. IP addresses, similar to real-life addresses, are used to identify the thing that you’re connecting to it. This could be the router in your home, a blog site or your favorite online retailer. Traditionally, the routes a network is able announce to the global Internet are protected by filters that are applied by their upstream providers. These filters are generated from entries in the Internet Routing Registry (IRR), a database of registered internet routes. However, because anyone can create a registry entry for absolutely anything without any sort of verification or validation, the system is open to abuse.
This lack of validation means that bad actors can create IRR entries for IP space that they are not authorized to use, leading to route leaks and hijacks. For instance, a bad actor wanting to intercept online credit card or cryptocurrency transactions could, in theory, register the IP prefixes of the intended target into IRR and then announce those IP blocks to their upstream providers, who accept them without any additional authorization or validation. This scenario would allow that bad actor to hijack all traffic destined to the IP address space of the legitimate owner for as long as the announcement was active. Additionally, unintended configuration issues can occur. It’s possible for a network operator to make a typo in an IP block when creating an IRR entry and accompanying network announcement. When this occurs and is accepted and propagated by upstream providers, it can render the legitimate operator and sites associated with the IP space in question completely inoperable until the error is identified and corrected.
Securing global internet routing systems
With more people than ever reliant on the internet, developing new ways to better protect both consumers and businesses is essential. One such initiative is the implementation of a new verification system for IP addresses, called Resource Public Key Infrastructure (RPKI), that lets people and organizations who own one or more IP addresses officially register the address space as theirs and theirs alone. It has the added benefit of requiring that anyone registering an IP address block be properly authorized by one of the five Regional Internet Registries (RIRs), the organizations that manage and assign IP addresses.
Having an official register of who owns which IP addresses provides an additional validation check, making it much harder for criminals to imitate, or “spoof,” those addresses and redirect the traffic to a fake look-alike site. Having this level of validation allows network operators to explicitly reject any IP announcement that is invalid in RPKI from their external neighbors.
Making the internet safer and more reliable is an ongoing mission for all IP network providers who ensure the huge volume of traffic on the internet can travel securely around the globe. GTT is one of the first large-scale global Tier 1 providers to deploy RPKI-based route validation across its entire global internet backbone. So if a client’s IP route is covered by an RPKI Route Origin Authorization (ROA) record, that client can be assured that their internet traffic is fully secure throughout GTT’s entire global network footprint.
Taking the next step
The availability of RPKI is an important milestone on the path to creating a safer internet. All businesses that own IP addresses can now take the next step to secure their services by becoming properly authorized at the RIR level in order to create an RPKI ROA record. However, organizations will still need to carry out due diligence checks. If they adopt an online hosted service from someone who owns IP address spaces, such as a blog or website service, then they need to ensure this service registers their address space with the appropriate system to help make the user experience more secure.
As the world’s population becomes more and more reliant on the internet, network operators are responding collectively to the challenge of making the internet safer and more reliable, but there is still a long way to go. Implementing RPKI is an important step in the right direction and will help add an extra layer of protection and security to our ever-increasing digital world.