Work that started last October on securing the protocol that binds the Internet together is finally yielding results.
This week, the National Cybersecurity Center of Excellence (NCCoE), a department of the US National Institute of Standards and Technology (NIST), published the first draft of a security standard for the Border Gateway Protocol (BGP).
BGP is the primary protocol that internet service providers (ISPs), hosting providers, cloud providers, and educational, research, and national networks use to exchange traffic with one another, linking together the smaller networks that make up the Internet.
BGP was designed in the 1980s, and its last major revision dates to 1995, long before security became a concern for internet traffic.
Since then, bad actors have abused BGP to trick networks into sending traffic destined for other networks to the wrong place, allowing them to intercept, sniff, or modify that traffic before forwarding it on to its intended destination.
Such attacks are commonly referred to as BGP hijacks, and in recent years, they have become a serious problem, being at the heart of several major security incidents.
For example, at the end of July this year, Telegram traffic from around the world took a detour through Iran, all thanks to a BGP hijack.
In April, attackers used a BGP hijack to reroute traffic meant for a major Amazon Web Services (AWS) service, just so they could pull off a mundane phishing attack against an Ethereum wallet site.
In December 2017, a Russian ISP BGP-hijacked web traffic meant for big-name sites belonging to Google, Facebook, Apple, and Microsoft. This came just eight months after another Russian ISP had BGP-hijacked traffic for Visa, MasterCard, and Symantec.
In August 2017, an error on Google's part caused a BGP hijack that resulted in a country-wide outage in Japan.
Back in October 2017, two US government agencies, the aforementioned NIST and the Department of Homeland Security (DHS) Science and Technology Directorate, started a joint project named Secure Inter-Domain Routing (SIDR) with the explicit purpose of securing BGP against such attacks.
"The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks," the NCCoE at NIST said in a press release at the time.
"There are three essential components of the IETF SIDR effort: The first, Resource Public Key Infrastructure (RPKI), provides a way for a holder of a block of internet addresses--typically a company or cloud service provider--to stipulate which networks can announce a direct connection to their address block; the second, BGP Origin Validation, allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations. The third component, BGP Path Validation (also known as 'BGPsec'), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published."
Note: RPKI and the other components named above are products of the IETF's SIDR Working Group, not of NIST or DHS, but they have been folded into the NIST and DHS SIDR project and are now part of it.
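To make the second component concrete, the following Python sketch is an added example (not code from NIST, the NCCoE or the IETF) of the route-origin validation step the quoted passage describes: a router compares each BGP announcement's prefix and origin AS against the ROAs published through RPKI and classifies it as Valid, Invalid or NotFound, which is the algorithm of RFC 6811. The ROAs, the announcements, and the `apply_rov_policy` helper that drops Invalid routes are all constructed for this illustration, using documentation prefixes and private-use ASNs.

```python
"""Route-origin validation (RFC 6811 validity states) over constructed RPKI data.

Added example; not code from NIST, the NCCoE or the IETF. The ROAs and the
BGP announcements below are constructed from documentation prefixes and
private-use ASNs and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may originate `prefix` and any
    more-specific prefix whose length does not exceed `max_length`."""
    prefix: Network
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """The two fields of a BGP UPDATE that origin validation examines."""
    prefix: Network
    origin_asn: int


def make_roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    """Build an ROA, rejecting a maxLength outside [prefix length, address bits]."""
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is not valid for {net}")
    return ROA(net, max_length, origin_asn)


def make_announcement(prefix: str, origin_asn: int) -> Announcement:
    return Announcement(ipaddress.ip_network(prefix), origin_asn)


def covers(roa: ROA, ann: Announcement) -> bool:
    """An ROA covers an announcement when the announced prefix lies inside the
    ROA prefix (same address family, equal or longer prefix length)."""
    return roa.prefix.version == ann.prefix.version and ann.prefix.subnet_of(roa.prefix)


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Classify one announcement (RFC 6811):
      no covering ROA                                      -> NotFound
      a covering ROA with matching ASN, prefixlen <= maxLength -> Valid
      covering ROAs exist but none matches                 -> Invalid
    AS 0 is reserved and never a legitimate origin, so an announcement that
    claims it is Invalid; that is what makes an AS0 ROA (RFC 6483) mean
    "nobody may originate this prefix".
    """
    if ann.origin_asn == 0:
        return INVALID
    covering = [r for r in roas if covers(r, ann)]
    if not covering:
        return NOT_FOUND
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return VALID
    return INVALID


def apply_rov_policy(announcements: Iterable[Announcement],
                     roas: Iterable[ROA]) -> Dict[str, List[str]]:
    """The filtering step: drop Invalid routes; accept Valid routes and, since
    RPKI coverage of the address space is still partial, NotFound routes too."""
    roas = list(roas)
    result: Dict[str, List[str]] = {"accepted": [], "dropped": []}
    for ann in announcements:
        state = validate(ann, roas)
        bucket = "dropped" if state == INVALID else "accepted"
        result[bucket].append(f"{ann.prefix} AS{ann.origin_asn} ({state})")
    return result


# Constructed ROA set, as an RPKI validator might hand it to a router.
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/22", 24, 64497),
    make_roa("2001:db8::/32", 48, 64496),
    make_roa("203.0.113.0/24", 24, 0),  # AS0 ROA: prefix must not be originated at all
]

# Constructed announcements: legitimate routes plus a forged origin.
ANNOUNCEMENTS = [
    make_announcement("192.0.2.0/24", 64496),     # Valid
    make_announcement("192.0.2.0/25", 64496),     # Invalid: longer than maxLength
    make_announcement("192.0.2.0/24", 64511),     # Invalid: origin AS does not match
    make_announcement("198.51.100.0/24", 64497),  # Valid: more-specific within maxLength
    make_announcement("203.0.113.0/24", 64498),   # Invalid: only an AS0 ROA covers it
    make_announcement("2001:db8:1::/48", 64496),  # Valid (IPv6)
    make_announcement("198.18.0.0/15", 64499),    # NotFound: no ROA covers it
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{str(ann.prefix):20} AS{ann.origin_asn:<6} {validate(ann, ROAS)}")
    print(apply_rov_policy(ANNOUNCEMENTS, ROAS))
```

The forged-origin case (`192.0.2.0/24` announced by AS64511) is the shape of the hijacks listed above: the prefix is real, only the claimed origin is wrong, and a router with no ROA data has nothing to compare it against. The same code also shows the two limits the passage's third component exists for: origin validation alone says nothing about the rest of the AS path, and a NotFound route still has to be accepted while RPKI coverage is incomplete.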
Earlier this week, the NIST and DHS teams published their first draft of the BGP Route Origin Validation (ROV) standard.
"The example implementation described in this guide aims to protect the integrity and improve the resiliency of Internet traffic exchange by verifying the source of the route," NIST said in a press release this week.
"Our standards-based example solution uses commercially available products and can be used in whole or in part. It can also be used as a reference to help an organization design its own, custom solution."
The draft is open for comments from the general public and the private sector until October 15, after which it will move on to seeking approval from the Internet Engineering Task Force (IETF), the organization that approves Internet-wide standards.