No more excuses, Cloudflare says, when it comes to BGP security, with the introduction of a new tool that can hold ISPs to account for their BGP safety measures.
Last week, the cloud services provider said that Border Gateway Protocol (BGP) security issues have been an accepted part of the threat landscape for too long, with data leaks and hijacking a commonplace occurrence.
BGP is used by Internet Service Providers (ISPs) to route traffic. The system has been in use since the 1980s and has evolved throughout this time, including the introduction of security measures such as TLS and DNSSEC, and projects such as Resource Public Key Infrastructure (RPKI), to try to prevent leaks and hijacking.
However, these attacks still continue at the ISP level. For example, Russia's state-owned telecommunications provider, Rostelecom, is suspected of being a repeat BGP hijacking offender.
Earlier this month, traffic intended for over 200 cloud service providers and content delivery networks (CDNs) -- including Google, Amazon, Akamai, and Cloudflare -- was rerouted through the ISP's servers.
Last year, China Telecom rerouted European traffic through its own servers for two hours, although it is not known if the incident was malicious or due to human error.
BGP hijacking may lead to data compromise as well as Internet outages.
Cloudflare said last week that "it's time to make BGP safe," and ISPs have "no more excuses" not to act. To try and hold ISPs to account, the company has launched isBGPSafeYet.com, a website that can be used to check whether or not your ISP is using RPKI, which helps filter out invalid traffic routes.
Two prefixes are used to test RPKI. The test will make your browser attempt to fetch two pages, valid.rpki.cloudflare.com and invalid.rpki.cloudflare.com. The first page is behind an RPKI-valid prefix and the second is behind an RPKI-invalid prefix.
If both pages are fetched without a problem, this indicates the ISP has accepted an invalid route and has not enabled RPKI. Cloudflare says that if valid.rpki.cloudflare.com is the only page that was fetched, your ISP has enabled the security measure and users are "less sensitive to route leaks."
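The decision logic of the test described above, as an added example that is not taken from Cloudflare's published scripts: the hostnames come from the article, while the https:// scheme, the five-second timeout, the verdict strings and the function names are assumptions. It also covers a case the description leaves out, where the valid page itself cannot be fetched and the result says nothing about RPKI.

```javascript
// Added example. Hostnames are from the article; the https:// scheme,
// timeout, verdict strings and function names are assumptions.
const VALID_URL = "https://valid.rpki.cloudflare.com";
const INVALID_URL = "https://invalid.rpki.cloudflare.com";

// Map the two fetch outcomes to a verdict.
function classify(validOk, invalidOk) {
  if (!validOk) {
    // The control page failed: no connectivity, DNS failure or local
    // blocking. Nothing can be concluded about route filtering.
    return "inconclusive";
  }
  // Reaching the page behind the RPKI-invalid prefix means the invalid
  // route was accepted somewhere on the path.
  return invalidOk ? "rpki-not-enforced" : "rpki-enforced";
}

// Resolve to true if any HTTP response came back (even an error status
// proves the route carried traffic), false on network error or timeout.
async function reachable(url, fetchImpl, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    await fetchImpl(url, { signal: controller.signal });
    return true;
  } catch (err) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// fetchImpl is injectable so the logic can be exercised without a network.
async function checkRpki(fetchImpl = globalThis.fetch, timeoutMs = 5000) {
  const [validOk, invalidOk] = await Promise.all([
    reachable(VALID_URL, fetchImpl, timeoutMs),
    reachable(INVALID_URL, fetchImpl, timeoutMs),
  ]);
  return { validOk, invalidOk, verdict: classify(validOk, invalidOk) };
}
```

A single run reflects only the path your traffic took at that moment, so repeat it before drawing conclusions about a provider.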
If you test your ISP and find that RPKI is not in place, the webpage provides a tweetable message:
"Unfortunately, my Internet provider (XXX) does NOT implement BGP safely. Check out https://isbgpsafeyet.com to see if your ISP implements BGP in a safe way or if it leaves the Internet vulnerable to malicious route hijacks."
In other words, it is hoped that public pressure may increase the adoption of RPKI by more Internet service providers.
RPKI is not a foolproof standard to prevent BGP hijacking, but the company says that tests indicate that roughly half of all networks employing the tool are less susceptible to route leaks.
"We expect this initiative will make RPKI more accessible to everyone and ultimately will reduce the impact of route leaks," Cloudflare says.
The scripts used by isbgpsafeyet.com have been made available on GitHub.