By: Jamal Charles – Member of the Internet Society St. Vincent and the Grenadines (ISOC SVG)
Routing refers to the process in which routers learn about networks remote, find all possible routes to reach them and then they choose the best routes (the fastest) to exchange data between themselves. In other words, routers decide – after examining the IP address of destination- where to send the packets, so that eventually they reach your network destination, or simply discard the packages if, for some reason, they fail all attempts to route them. However, initially a router does not know of any other network than the which is directly connected to the router itself. So that a router can to carry out routing, you must first know of the existence of networks remote and as we explained earlier for this to happen the router has need to be configured with dynamic routing and / or static routing
The routing decision is made according to the ‘routing table’ maintained by the router, which is a list of preferred routes to various networks. When a packet is received, the router looks up the packet’s destination IP in the routing table, finds the best match, and then sends the packets to the specified interface and gateway IP address. In the Vigor Router, the routing table is displayed on the Diagnostics> Routing Table page. In the routing table, if the network IP address is duplicated and the network overlaps each other, the entry with the longest subnet mask is preferred as it represents a more specific network. On the other hand, the entry with the 0.0.0.0 subnet mask covering all IP addresses is the least preferable route, but it is also the default route for IP addresses that are not specified in the routing table. For the Vigor Router, the default route is usually WAN 1. The Vigor Router builds its routing table using direct connections, such as WAN and active LAN. When VPN connections are established, information about the network will be automatically added to the routing table. You can also add more routing information in static or dynamic routing.
Static routing is routing information added manually by the network administrator. This will provide information to the router about the network it is capable of reaching, even if it is not directly connected.
Dynamic Routing allows the router to automatically obtain routing information from other routers. This can not only reduce the time that the network administrator spends configuring static routes (especially when the network grows), but also allows the router to be flexible to changes in the network, such as a failure of a link, or topology changes.
Policy Based Routing
Policy-based routing is routing according to the policies configured by the network administrator. The main difference between policy-based routing and static / dynamic routing is that the former allows the router to make routing decisions based not only on the destination IP address, but also on criteria such as protocol, source IP address, and port of destination. This means that the main purpose of policy-based routing is not to select the route that is most suitable for reaching the destination, but rather to establish a regulation to restrict certain types of traffic along a certain route. For example, we can make traffic from time-sensitive applications (for example, VoIP) always take the most reliable route on the Internet; or restrict the high-cost Internet line only for critical services.
MANRS. The Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, to work with operators, enterprises, and policymakers to implement crucial fixes needed to reduce the most common routing threats.
MANRS ‘goal is to ensure a secure and resilient Internet by protecting its routing infrastructure. In 2017 alone, more than 14,000 routing disruptions or attacks, such as hijacking, leaks, or counterfeiting, resulted in stolen data, lost revenue, and reputational damage.
MANRS focuses on four defensive actions that can reduce the most common routing threats:
Filtering, to help combat the spread of incorrect routing information and to ensure correct operator and client routing announcements to adjacent networks;
Anti-spoofing, a measure that allows network operators to validate source addresses, in order to prevent packets with an incorrect source IP address from entering and leaving the network;
Coordination, to ensure that network operators keep updated contact information up-to-date in common routing databases;
Global Validation – Facilitating validation of routing information on a global scale
In what follows there will be a focus on spoofing :
A spoofing attack is a type of cyber attack where an intruder imitates another legitimate device or user to launch an attack against the network. In other words an attacker sends a communication from a device disguised as a legitimate device. There are many different ways that spoofing attacks can be attempted from IP address spoofing attacks to ARP spoofing attacks.
Spoofing attacks are a tricky entity because they can occur in so many different ways. From ARP spoofing to IP spoofing and DNS spoofing, there are many concerns to keep track of that it isn’t surprising many organizations fail to cover everything. An email spoofing attack can be launched simply by replying to the wrong email!
In many cases, this is exacerbated as business owners make the dangerous misconception that their company is a small fish in a big pond. Unfortunately, nobody is safe from IP spoofing. Without the right training or equipment, a moderately-skilled attacker can sidestep your defenses and access your data at will.
Having an awareness of all main forms of spoofing attacks and implementing measures to stay protected against them is the only way to safeguard your organization. In the next section, we’re going to look at some of the types of spoofing attack you can experience.
Types of Spoofing Attacks
As mentioned above, spoofing attacks come in many different forms. We’ll look at the most common types of spoofing attacks that organizations encounter on a daily basis. We’ll also look at how these attacks can be detected before looking at how to prevent them altogether in the next section. Here is a list of spoofing attack types:
An ARP spoofing attack is an attack that uses the Address Resolution Protocol to fish for information. In an ARP spoofing attack the attacker sends ARP messages out across a network in an attempt to connect their MAC address with the IP address of a member of staff. The attacker waits quietly on the network until they manage to crack the IP address.
Once the IP address has been cracked, the attacker can intercept data in between the computer and the router. Then data sent to the member of staff is actually sent on to the attacker’s IP address. The end result is data in the hands of the attacker. The attacker can then use IP addresses throughout your network against you to launch a denial-of-service DOS attack. One of the most important things to note about ARP spoofing attacks is that they can only work on LANs that use the ARP protocol.
There are a number of ways that you can detect an ARP spoofing attack. One simple way to check if an unwanted intruder is spoofing on your network is to open up the command line and enter the following:
This command will show you the ARP table of your device. You want to look through the table and see if any IP addresses are sharing the same MAC address. If two IP addresses are sharing the same MAC address then this means that there is an intruder on the network.
An IP spoofing attack is where an attacker tries to impersonate an IP address so that they can pretend to be another user. During an IP address spoofing attack the attacker sends packets from a false source address. These packets are sent to devices within the network and operate much like a DoS attack. The attacker uses multiple packet addresses to overwhelm a device with too many packets.
As one of the more popular types of spoofing attacks, IP spoofing attacks can be detected through the use of a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and recognize when anomalous traffic is present. This gives you a heads-up that something isn’t right so you can investigate further.
In particular, you’re looking to pay attention to IP addresses and flow data that can point you to illegitimate traffic. Catching IP spoofing attacks early is especially important because they often come as part of DDoS (Direct Denial of Service) attacks which can take the entire network offline.
Confronting spoofing attacks is all about being proactive. There are a range of steps you can implement into your organization to keep yourself protected from spoofing attacks. Some of the main ways are shown below:
One of the key elements of prevention is awareness. In order to stay protected against spoofing attacks, you need to be aware of the risks associated with them. This comes with recognizing that trust-based authentication is a liability. Likewise, if you’re not monitoring your network traffic you can only guess that your network is behaving as it should be.
ARP spoofing attacks appear quite complex on the surface but the methods you can use to prevent them are actually quite simple. Using a combination of VPNs, anti ARP spoofing tools and packet filtering is key to keeping these attacks at bay:
Ensuring that all IP addresses present on your network are legitimate can be a tall task but it is manageable. Dealing with IP spoofing attacks is reliant upon making a number of key changes to your day-to-day operations:
To be as effective as possible anti-spoofing techniques should be applied as close to the source as possible. In enterprise networks, the source addresses used by every device are often controlled and enforced so that security audits can pinpoint exactly which device sent which packet.
For a successful implementation of MANRS, such fine granularity at the device level is not necessary as MANRS focuses on routing security and anti-spoofing on a network level. Therefore common anti-spoofing architectures focus on making sure that customers don’t send packets with the wrong source addresses.
Enforcing the use of valid source addresses on a customer level has the benefit that customers can’t spoof each other’s addresses, which prevents them from causing problems for each other that are hard to debug.
If for some reason it is not possible to enforce source address usage per customer, then an alternative is to enforce it at aggregation points so that customers are at least limited in which addresses they can spoof. At a minimum, there should be anti-spoofing at the ISP level so that customers can’t spoof addresses of other organizations and cause trouble on an Internet-wide scale.
Copyright @ Internet Society St. Vincent and the Grenadines Chapter (ISOC SVG). All Rights Reserved.