
Three Quick Guidelines to Help Your Organization Stay Safe from RPKI-Related Hacking


The January 3 hijacking of Orange España’s RIPE NCC account and the resulting havoc caused by the breach threw the importance of trustworthy global Internet routing into high relief. After an insecure password was stolen via malware and found in a publicly accessible leak of such stolen information, a hacker was able to access the company’s RIPE NCC account and assign inaccurate Route Origin Authorizations (ROAs) to it. The hacker then changed the password to the company’s RIPE NCC account and logged out, preventing Orange España from quickly undoing the damage.

How the Hack Happened: A New Kind of Denial of Service

ROAs are created and cryptographically signed by a given network and help define the blocks of IP addresses that a network is authorized to advertise. Based on its location, a given network logs into its account at one of five regional Internet registries (RIRs) (of which RIPE NCC is one) around the world to create and modify its ROAs.

Source: "Regional Internet registry." Wikipedia, 23 January 2024. https://en.wikipedia.org/wiki/Regional_Internet_registry

Via the Resource Public Key Infrastructure (RPKI), other networks retrieve these ROAs and use them to match announced IP address prefixes to the networks authorized to originate them. This helps maintain the trustworthiness of Internet routing in the face of either malicious or accidental misrouting. While networks are not required to use ROAs and RPKI, a growing number have begun implementing them to protect themselves and the global Internet as a whole against prefix hijacking, spoofing, distributed denial-of-service (DDoS) attacks, and other routing-based issues.

As a result, once Orange España’s ROAs were maliciously altered, other Internet networks that use RPKI saw a discrepancy between Orange España’s actual BGP announcements and what the altered ROAs said the company was permitted to advertise. Treating those announcements as RPKI-invalid, they began dropping Orange España’s routes.

This isolated Orange España and its downstream customers from parts of the global Internet for several hours before the company diagnosed the problem and restored services.

Simple Guidelines to Implement RPKI and Ensure Routing Security

As part of its mission on behalf of California’s research and education communities, CENIC has long participated in initiatives to ensure safe, trustworthy Internet routing and diagnose related problems (recent examples include participation in MANRS and the use of RouteViews on Pacific Wave), as well as other organizations’ efforts to ensure safe and secure cyberinfrastructure (e.g., the National Science Foundation’s Trusted CI Framework).

CENIC is also committed to RPKI adoption for us and our member institutions. RPKI is an important part of today’s and tomorrow’s secure Internet, but like all powerful tools, it must be implemented correctly. When this is done, the security of the global Internet and the resources and people that use it become vastly more robust.

To that end, we’d like to mention a few simple steps that can be taken by any organization or service provider to prevent this kind of breach.

Always use robust, secure passwords that are difficult to guess, and use an encrypted password management solution. The Orange España password for its RIPE account was unfortunately “ripeadmin,” which could have easily been guessed even if it hadn’t been leaked. Passphrases are much harder to guess by brute-force tactics, and an encrypted password management solution that runs on a specific desktop or browser offers even greater protection.

Always enable multi-factor authentication (MFA) for access to your RIR account. Fortunately, most CENIC member institutions and partner networks are registered through ARIN, the North American RIR, which requires MFA. It is believed that Orange España did not have MFA enabled for its RIPE NCC account. Had it done so, the hacker could not have logged into its account or changed its password.

Always have a clear understanding of both what your ROAs state and exactly who in your organization is empowered to make changes to them. As stated above, ROAs help define the IP address prefixes that can be advertised by a given network provider. If these ROAs are incorrectly formatted, even if the only error is the maximum allowed length of an announced IP address prefix (the maxLength parameter), similar routing havoc can ensue, even when the changes were not made maliciously. (RFC 9319 in fact recommends against using the maxLength parameter in almost all situations.)
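To make the mechanics behind the incident and the maxLength caveat concrete, the following is an added example (not code from CENIC or from any RPKI validator) that implements RFC 6811 route origin validation over a small constructed ROA set. It assumes the documentation prefixes 192.0.2.0/24 and 198.51.100.0/22 and the private ASNs 64500 and 64511 as a stand-in for a real operator and a bogus ASN; the "altered" ROA set models what happens when an attacker with account access rewrites a prefix's authorized origin, and the two 198.51.100.0/22 ROAs contrast a minimal ROA with one carrying a loose maxLength.

```python
"""Route origin validation (RFC 6811) over a constructed ROA set.

Added example, not part of the original article or any RIR tooling.
Prefixes and ASNs are documentation/private values chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class RovState(Enum):
    VALID = "valid"          # a covering ROA matches origin ASN and length
    INVALID = "invalid"      # covered by ROAs, but none matches
    NOT_FOUND = "not-found"  # no ROA covers the announced prefix


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def make_roa(prefix: str, asn: int, max_length: int | None = None) -> Roa:
    """Build a ROA; a missing maxLength defaults to the prefix length (RFC 9319 advice)."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not (net.prefixlen <= ml <= net.max_prefixlen):
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return Roa(net, ml, asn)


def covers(roa: Roa, announced: ipaddress.IPv4Network | ipaddress.IPv6Network) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the ROA prefix."""
    return roa.prefix.version == announced.version and announced.subnet_of(roa.prefix)


def validate(roas: tuple[Roa, ...], prefix: str, origin_asn: int) -> RovState:
    """Classify a BGP announcement (prefix, origin AS) against the ROA set.

    RFC 6811: NotFound if no ROA covers the prefix; Valid if any covering ROA has the
    same origin ASN and the announced length does not exceed its maxLength; else Invalid.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return RovState.NOT_FOUND
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return RovState.VALID
    return RovState.INVALID


# Constructed ROA sets (assumptions for this example, not real registry data).
# AS 64500 plays the legitimate operator; AS 64511 is the bogus origin an attacker inserts.
LEGIT_ROAS = (
    make_roa("192.0.2.0/24", 64500),                    # minimal ROA, maxLength == 24
    make_roa("198.51.100.0/22", 64500, max_length=24),  # loose ROA, permits /22../24
)
ALTERED_ROAS = (
    make_roa("192.0.2.0/24", 64511),                    # origin rewritten in the RIR account
    make_roa("198.51.100.0/22", 64500, max_length=24),
)
MINIMAL_ROAS = (
    make_roa("192.0.2.0/24", 64500),
    make_roa("198.51.100.0/22", 64500),                 # maxLength == 22, as RFC 9319 prefers
)


def demo() -> dict[str, RovState]:
    """Run the scenarios described in the article and return their validation states."""
    return {
        # Normal operation: the operator's own announcement validates.
        "legit /24": validate(LEGIT_ROAS, "192.0.2.0/24", 64500),
        # After the account compromise the same announcement is Invalid and gets dropped
        # by every RPKI-enforcing network, isolating the operator (the Orange España effect).
        "altered /24": validate(ALTERED_ROAS, "192.0.2.0/24", 64500),
        # No ROA at all: routers treat the route as NotFound and usually accept it.
        "uncovered": validate(LEGIT_ROAS, "203.0.113.0/24", 64500),
        # Loose maxLength: a /24 is accepted even if the operator only ever announces the /22,
        # so any announcement naming AS 64500 as origin for that /24 validates too.
        "loose /24": validate(LEGIT_ROAS, "198.51.100.0/24", 64500),
        # Minimal ROA: the same /24 is Invalid, which is the protection RFC 9319 is after.
        "minimal /24": validate(MINIMAL_ROAS, "198.51.100.0/24", 64500),
        # Exceeding maxLength (a /25 against a maxLength of 24) is also Invalid.
        "too long /25": validate(LEGIT_ROAS, "198.51.100.0/25", 64500),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>14}: {state.value}")
```

The "altered /24" and "minimal /24" cases are the two halves of the article's point: a ROA that names the wrong origin turns a legitimate route Invalid, and a ROA whose maxLength is longer than what is actually announced validates more-specific announcements the operator never intended, which is why a ROA should cover exactly the prefixes you originate.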

Learn More at our 2024 Conference

If you have any questions about any of the topics mentioned above, be sure to register for our Biennial Conference, The Right Connection, in Monterey, CA, on March 25–27, 2024. During the event, CENIC engineers and other networking experts will host presentations and be available for questions and conversations about cybersecurity and many other topics. Be sure to register and book your hotel room today!
