Network owners in Australia and New Zealand need to do more to secure their routing infrastructure, according to a study published by the Mutually Agreed Norms for Routing Stability (MANRS) organisation.
Study co-author Terry Sweetser, writing at the MANRS site, said the state of routing infrastructure in the two countries exposes business, governments and citizens to the risk of “data loss, theft, or interrupted critical services”.
MANRS is an initiative to try and address routing threats on a global basis.
Sweetser wrote that the study [pdf] looked at whether private and public institutions’ websites accepted connections from “clearly invalid sources of traffic”, and whether networks hosting those sites were taking measures to avoid route hijacks.
In both cases, he said results were “concerning”.
The first test focused on networks’ implementation of route origin validation, by making connection attempts using valid and invalid route origin authorisations (ROAs).
In Australia, over 35 percent of websites with .com.au domains accepted traffic from invalid sources, the research showed, while that figure was just over 30 percent for websites with .co.nz domains.
Sweetser said the implication of accepting traffic from invalid origins “strongly suggests these sites could be accessed from hijacked addresses. Moreover, various networks serving these websites were allowing traffic to move over their networks without a check of the route origin.”
That, he said, means some upstream providers “are passing traffic between the invalid origin and remote websites”.
In other words, not all networks in Australia and New Zealand are working to keep their routing secure.
“Many of these networks provide services to important government services. Furthermore, under these circumstances, a routing hijack would adversely affect these networks and those services," Sweetser wrote.
The research comes at an appropriate moment, given that earlier this month the Australian Cyber Security Centre published updated guidelines for gateways – including Border Gateway Protocol implementations – in its Information Security Manual.
