U.S. plots major upgrade to Internet router security

Millions to be spent adding cryptography to BGP

There has been a long history of attacks on the DNS ranging from brute-force denial-of-service attacks to targeted attacks requiring specialized software. In July 2008 a new DNS cache-poisoning attack was unveiled that is considered especially dangerous because it does not require substantial bandwidth or processor resources nor does it require sophisticated techniques. Let's take a look at how DNS cache poisoning works and what can be done to prevent it.

There has been a long history of attacks on the DNS ranging from brute-force denial-of-service attacks to targeted attacks requiring specialized software. In July 2008 a new DNS cache-poisoning attack was unveiled that is considered especially dangerous because it does not require substantial bandwidth or processor resources nor does it require sophisticated techniques. Let's ...

The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications.

DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.)

Read about the six worst Internet routing attacks

Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009. (BGP projects in the pipeline.")

"BGPSEC is going to take a couple of years to go through the process of development and prototypes and standardization," Maughan says. "We're really talking . . . four years out, if not longer, before we see deployment."

Experts hailed the move, saying BGP is one of the Internet's weakest links.

"The reason BGP problems are so serious is that they attack the Internet infrastructure, rather than particular hosts. This is why it is a DHS-type of problem," says Steve Bellovin, a professor of computer science at Columbia University who has worked with DHS on routing security.

BGP is "one of the largest threats on the Internet. It's incredible -- the insecurity of the routing system," says Danny McPherson, CSO at Arbor Networks. "Over the last 15 years, the security of the Internet routing system has done nothing but deteriorate."

McPherson says routing security has been a chicken-and-egg problem for the Internet engineering community.

"There doesn't exist a formally verifiable source for who owns what address space on the Internet, and absent that you can't really validate the routing system," McPherson says.

With its extra funding, DHS hopes to develop ways to authenticate IP address allocations as well as router announcements about how to reach blocks of IP addresses.

"The hijacking attempts that have gone on with routing are much more nefarious than the ones in the DNS," says Mark Kosters, CTO of the American Registry for Internet Numbers (ARIN), adding that DNS attacks tend to get more press. "People don't realize how open for attack the BGP structure is. The DHS effort is trying to close that all up."

BGP security targeted in 2003

The U.S. federal government first discussed the vulnerability of the Internet's routing system in its " National Strategy to Secure Cyberspace," which was issued in 2003. The Presidential directive identified two Internet protocols -- BGP and DNS -- that require modifications to make them more secure and robust.

Since then, the feds have made progress on adding authentication to DNS. Last fall, the U.S. federal government announced that it would adopt DNS security extensions known as DNSSEC across its .gov domain by the end of 2009. The feds also are exploring ways to deploy DNSSEC on the DNS root servers.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags bgpDNS

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?