Oracle on Wednesday announced it's launching a new, free tool in partnership with the Internet Society that aims to make the internet's routing system more secure. Called IXP FilterCheck, the tool can help track and filter malicious traffic at internet exchange points (IXPs).
The tool will be available via the Internet Society's MANRS (Mutually Agreed Norms for Routing Security) initiative.
IXPs are a key part of the internet -- they facilitate the connections between the networks of telecoms, content providers and other major businesses. However, these key juncture points also leave the internet vulnerable to routing mistakes or malicious re-routing, which occur due to abuse of the Border Gateway Protocol (BGP).
BGP is one of the basic mechanisms that makes the internet work -- it circulates information about how to reach ranges of IP addresses. BGP hijacks have become a major problem. Attackers can effectively fool networks into misdirecting internet traffic for the attackers' gain, allowing them to intercept, sniff or modify traffic before sending it to its intended destination.
For instance, in April of last year, attackers used a BGP hijack to reroute traffic meant for a major Amazon Web Services (AWS) service, to pull off a phishing attack against an Ethereum wallet site.
Other times, these incidents are unintentional. Earlier this year, a small ISP in Pennsylvania used the BGP to announce incorrect traffic routes from its network to one of its customers, a company called Allegheny Technologies. That routing information was passed on to Verizon -- and due to Verizon's lack of route filtering, the misinformation resulted in widespread internet outages affecting Cloudflare, Amazon, Facebook and others.
Nearly every month, there is another major story of a disruptive BGP routing incident, Oracle noted. Last year, there were more than 12,000 routing outages or attacks worldwide. The problem could only get worse, given the number of IOT devices expected to come online within the next decade.
IXP FilterCheck can help address this problem by analyzing route filtering at IXPs. The tool continuously analyzes route server behavior across the internet to help IXPs identify areas where they should improve their route filtering, as well as steps they can take to reach compliance with the MANRS IXP requirements.
During its development, IXP FilterCheck identified major filtering misconfigurations at three IXPs, Oracle says, including a month-long filter outage at one of the world's largest IXPs.
As Oracle rolls out this tool, other efforts are underway to make internet routing more secure -- both via IXPs and network operators. The US National Institute for Standards and Technology (NIST) is working on a proposal that could thwart many BGP hijacking events. Meanwhile, researchers at MIT are working on an AI algorithm that could help network operators detect and automatically ignore ISPs with a track record of bad behavior.
Prior and related coverage:
- MIT: We've created AI to detect 'serial internet address hijackers'
- For two hours, a large chunk of European mobile traffic was rerouted through China
- Amazon, Facebook internet outage: Verizon blamed for 'cascading catastrophic failure'
- BGP attacks hijack Telegram traffic in Iran Standard to protect against BGP hijack attacks gets first official draft