MANRS

By: Jamal Charles –  Member of the Internet Society St. Vincent and the Grenadines (ISOC SVG)

 


WHAT IS ROUTING?

Routing refers to the process in which routers learn about networks remote, find all possible routes to reach them and then they choose the best routes (the fastest) to exchange data between themselves. In other words, routers decide – after examining the IP address of destination- where to send the packets, so that eventually they reach your network destination, or simply discard the packages if, for some reason, they fail all attempts to route them. However, initially a router does not know of any other network than the which is directly connected to the router itself. So that a router can to carry out routing, you must first know of the existence of networks remote and as we explained earlier for this to happen the router has need to be configured with dynamic routing and / or static routing


The routing decision is made according to the ‘routing table’ maintained by the router, which is a list of preferred routes to various networks. When a packet is received, the router looks up the packet’s destination IP in the routing table, finds the best match, and then sends the packets to the specified interface and gateway IP address. In the Vigor Router, the routing table is displayed on the Diagnostics> Routing Table page. In the routing table, if the network IP address is duplicated and the network overlaps each other, the entry with the longest subnet mask is preferred as it represents a more specific network. On the other hand, the entry with the 0.0.0.0 subnet mask covering all IP addresses is the least preferable route, but it is also the default route for IP addresses that are not specified in the routing table. For the Vigor Router, the default route is usually WAN 1. The Vigor Router builds its routing table using direct connections, such as WAN and active LAN. When VPN connections are established, information about the network will be automatically added to the routing table. You can also add more routing information in static or dynamic routing.


Static Routing

Static routing is routing information added manually by the network administrator. This will provide information to the router about the network it is capable of reaching, even if it is not directly connected.

Dynamic Routing

 Dynamic Routing allows the router to automatically obtain routing information from other routers. This can not only reduce the time that the network administrator spends configuring static routes (especially when the network grows), but also allows the router to be flexible to changes in the network, such as a failure of a link, or topology changes.

Policy Based Routing

Policy-based routing is routing according to the policies configured by the network administrator. The main difference between policy-based routing and static / dynamic routing is that the former allows the router to make routing decisions based not only on the destination IP address, but also on criteria such as protocol, source IP address, and port of destination. This means that the main purpose of policy-based routing is not to select the route that is most suitable for reaching the destination, but rather to establish a regulation to restrict certain types of traffic along a certain route. For example, we can make traffic from time-sensitive applications (for example, VoIP) always take the most reliable route on the Internet; or restrict the high-cost Internet line only for critical services.

MANRS. The Mutually Agreed Norms for Routing Security (MANRS) is a global initiativesupported by the Internet Society, to work with operators, enterprises, and policymakers to implement crucial fixes needed to reduce the most common routing threats.

MANRS ‘goal is to ensure a secure and resilient Internet by protecting its routing infrastructure. In 2017 alone, more than 14,000 routing disruptions or attacks, such as hijacking, leaks, or counterfeiting, resulted in stolen data, lost revenue, and reputational damage.

MANRS focuses on four defensive actions that can reduce the most common routing threats:

Filtering, to help combat the spread of incorrect routing information and to ensure correct operator and client routing announcements to adjacent networks;

Anti-spoofing, a measure that allows network operators to validate source addresses, in order to prevent packets with an incorrect source IP address from entering and leaving the network;

Coordination, to ensure that network operators keep updated contact information up-to-date in common routing databases;

Global Validation – Facilitating validation of routing information on a global scale

In what follows there will be a focus on spoofing :

What is a Spoofing Attack?

spoofing attack is a type of cyber attack where an intruder imitates another legitimate device or user to launch an attack against the network. In other words an attacker sends a communication from a device disguised as a legitimate device. There are many different ways that spoofing attacks can be attempted from IP address spoofing attacks to ARP spoofing attacks.

Why are Spoofing Attacks Such a Threat?

Spoofing attacks are a widespread problem because they don’t draw the same level of attention as other attacks. While ransomware caught the attention of organizations around the world during the wannacry attack, many organizations underplay the damage that can be caused by a successful spoofing attack.

Spoofing attacks are a tricky entity because they can occur in so many different ways. From ARP spoofing to IP spoofing and DNS spoofing, there are many concerns to keep track of that it isn’t surprising many organizations fail to cover everything. An email spoofing attack can be launched simply by replying to the wrong email!

In many cases, this is exacerbated as business owners make the dangerous misconception that their company is a small fish in a big pond. Unfortunately, nobody is safe from IP spoofing. Without the right training or equipment, a moderately-skilled attacker can sidestep your defenses and access your data at will.

Having an awareness of all main forms of spoofing attacks and implementing measures to stay protected against them is the only way to safeguard your organization. In the next section, we’re going to look at some of the types of spoofing attack you can experience.

Types of Spoofing Attacks

As mentioned above, spoofing attacks come in many different forms. We’ll look at the most common types of spoofing attacks that organizations encounter on a daily basis. We’ll also look at how these attacks can be detected before looking at how to prevent them altogether in the next section. Here is a list of spoofing attack types:

  • ARP Spoofing Attack
  • IP Spoofing Attack
  • Email Spoofing Attack
  • DNS Spoofing Attack

ARP Spoofing Attack

An ARP spoofing attack is an attack that uses the Address Resolution Protocol to fish for information. In an ARP spoofing attack the attacker sends ARP messages out across a network in an attempt to connect their MAC address with the IP address of a member of staff. The attacker waits quietly on the network until they manage to crack the IP address.

Once the IP address has been cracked, the attacker can intercept data in between the computer and the router. Then data sent to the member of staff is actually sent on to the attacker’s IP address. The end result is data in the hands of the attacker. The attacker can then use IP addresses throughout your network against you to launch a denial-of-service DOS attack. One of the most important things to note about ARP spoofing attacks is that they can only work on LANs that use the ARP protocol.

How to Detect an ARP Spoofing Attack

There are a number of ways that you can detect an ARP spoofing attack. One simple way to check if an unwanted intruder is spoofing on your network is to open up the command line and enter the following:

arp-a

This command will show you the ARP table of your device. You want to look through the table and see if any IP addresses are sharing the same MAC address. If two IP addresses are sharing the same MAC address then this means that there is an intruder on the network.

IP Spoofing Attack

An IP spoofing attack is where an attacker tries to impersonate an IP address so that they can pretend to be another user. During an IP address spoofing attack the attacker sends packets from a false source address. These packets are sent to devices within the network and operate much like a DoS attack. The attacker uses multiple packet addresses to overwhelm a device with too many packets.

How to Detect an IP Spoofing Attack

As one of the more popular types of spoofing attacks, IP spoofing attacks can be detected through the use of a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and recognize when anomalous traffic is present. This gives you a heads-up that something isn’t right so you can investigate further.

In particular, you’re looking to pay attention to IP addresses and flow data that can point you to illegitimate traffic. Catching IP spoofing attacks early is especially important because they often come as part of DDoS (Direct Denial of Service) attacks which can take the entire network offline.

General Tips on How to Prevent Common Spoof Attacks

Confronting spoofing attacks is all about being proactive. There are a range of steps you can implement into your organization to keep yourself protected from spoofing attacks. Some of the main ways are shown below:

  • Packet Filtering – Packet filters inspect packets in transit. Packet filtering can help you to prevent IP address spoofing attacks because they block packets with incorrect source address information.
  • Stop using trust relationships – Trust relationships are where networks only use IP addresses to authenticate devices. Eliminating trust relationships provides an extra layer of security.
  • Deploy a spoof detection tool – Many vendors have produced spoof detection tools in an attempt to limit the spread of ARP spoofing attacks. These tools are designed to inspect data and block data which isn’t legitimate.
  • Use encrypted protocols – Encrypting data in transit can be a great way to prevent attackers from being able to view or interact with data. HTTP Secure (HTTPS), Transport Layer Security (TLS), and Secure Shell (SSH) are protocols that can all keep cyber attackers away.
  • Deploy antivirus software on your devices – Using antivirus software on your devices will make sure that they can deal with any malicious software that has been planted.
  • Install firewalls on your network – A firewall will help to keep unwanted intruders out and ensure your network stays protected.
  • Start using VPNs – A VPN or a Virtual Private network encrypts data so that it cannot be read by external party.

One of the key elements of prevention is awareness. In order to stay protected against spoofing attacks, you need to be aware of the risks associated with them. This comes with recognizing that trust-based authentication is a liability. Likewise, if you’re not monitoring your network traffic you can only guess that your network is behaving as it should be.

How to Prevent an ARP Spoofing Attack

ARP spoofing attacks appear quite complex on the surface but the methods you can use to prevent them are actually quite simple. Using a combination of VPNs, anti ARP spoofing tools and packet filtering is key to keeping these attacks at bay:

  • Use a Virtual Private Network (VPN) – Using a VPN will allow you to keep your traffic protected via encryption. This means that even if your network falls victim to ARP spoofing the attacker won’t be able to access any of your data because it has been encrypted.
  • Anti ARP Spoofing Tools – You can also download an anti ARP spoofing tool. Anti ARP spoofing tools can help to detect and fight off incoming ARP attacks. Tools like ARP AntiSpoofer and shARP are two popular anti-spoofing tools.
  • Packet Filtering – Packet filtering is used to filter incoming packets and prevent compromised packets from questionable sources. This means that if someone attempts to launch an ARP attack you will be able to fight it off.

How to Prevent an IP Spoofing Attack

Ensuring that all IP addresses present on your network are legitimate can be a tall task but it is manageable. Dealing with IP spoofing attacks is reliant upon making a number of key changes to your day-to-day operations:

  • Use an access control list – An access control list allows you to deny private IP addresses from interacting with your network. This will prevent many attacks from getting off the ground.
  • Packet Filtering – Packet filtering keeps coming up but is one of the best ways to control what traffic is permitted on your network. By filtering traffic you can block traffic from suspicious sources.
  • Authentication – Authenticating interactions between devices on your network will help to make sure that nothing has been spoofed.
  • Change Router and Switch Configurations – Configure your routers and switches to reject incoming packets from outside of the local network which are spoofing an internal origination.

Guiding Principles for Anti-Spoofing Architectures

To be as effective as possible anti-spoofing techniques should be applied as close to the source as possible. In enterprise networks, the source addresses used by every device are often controlled and enforced so that security audits can pinpoint exactly which device sent which packet.

For a successful implementation of MANRS, such fine granularity at the device level is not necessary as MANRS focuses on routing security and anti-spoofing on a network level. Therefore common anti-spoofing architectures focus on making sure that customers don’t send packets with the wrong source addresses.

Enforcing the use of valid source addresses on a customer level has the benefit that customers can’t spoof each other’s addresses, which prevents them from causing problems for each other that are hard to debug.

If for some reason it is not possible to enforce source address usage per customer, then an alternative is to enforce it at aggregation points so that customers are at least limited in which addresses they can spoof. At a minimum, there should be anti-spoofing at the ISP level so that customers can’t spoof addresses of other organizations and cause trouble on an Internet-wide scale.