You Can Check To See If Your ISP Properly Implements BGP To Protect You
“Is BGP Safe Yet” is a new site that names and shames internet service providers that don’t tend to their routing in a secure manner. This is important because of this reason laid out by Wired:
For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn’t a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.
OnFriday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn’t seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.
Now out of interest, I tested this with Rogers who is my telco. Unsurprisingly they failed:
The reason why I said “unsurprisingly” is that there are a bunch of reasons why an ISP like Rogers might fail a test like this. The biggest one is that infrastructure equipment companies may not properly implement BGP protections. And it is said that 50% of ISPs worldwide may fail this test. But by highlighting the ISPs that do fail, it may motivate them to do something about it and make the Internet a better place for all. Thus I encourage you to use this test with your ISP and place the result on Twitter, which is made easier by the button that they have on the site allowing you to do that with the following result:
Unfortunately, my Internet provider, @Rogers (AS812), does NOT implement BGP safely. Check out https://t.co/hNN3n8lfYW to see if your ISP implements BGP in a safe way or if it leaves the Internet vulnerable to malicious route hijacks. via @Cloudflare
This entry was posted on April 20, 2020 at 2:54 pm and is filed under Commentary with tags Cloudflare. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
You Can Check To See If Your ISP Properly Implements BGP To Protect You
“Is BGP Safe Yet” is a new site that names and shames internet service providers that don’t tend to their routing in a secure manner. This is important because of this reason laid out by Wired:
For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn’t a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.
That’s where “Is BGP Safe Yet” comes in:
On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn’t seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.
Now out of interest, I tested this with Rogers who is my telco. Unsurprisingly they failed:
The reason why I said “unsurprisingly” is that there are a bunch of reasons why an ISP like Rogers might fail a test like this. The biggest one is that infrastructure equipment companies may not properly implement BGP protections. And it is said that 50% of ISPs worldwide may fail this test. But by highlighting the ISPs that do fail, it may motivate them to do something about it and make the Internet a better place for all. Thus I encourage you to use this test with your ISP and place the result on Twitter, which is made easier by the button that they have on the site allowing you to do that with the following result:
There’s nothing like bad press on Twitter to get the attention of those who run ISPs.
Share this:
Like this:
Related
This entry was posted on April 20, 2020 at 2:54 pm and is filed under Commentary with tags Cloudflare. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.