fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

ARIN Will Take Down its RPKI for 30 Minutes to Test Your BGP Routes

ARIN Will Take Down its RPKI for 30 Minutes to Test Your BGP Routes

As more and more networks are implementing Resource Public Key Infrastructure (RPKI) validation and signing of their BGP routes—to protect themselves against route hijacks and leaks, what should happen in case the critical RPKI goes down?

This is the thought process behind the latest announcement from the American Registry for Internet Numbers (ARIN), which operates critical RPKI infrastructure relied on by many.

ARIN plans on performing unannounced maintenance of its RPKI, sometime in July, for about thirty minutes to check if networks are adhering to BGP best practices.

RPKI is a cryptographic framework designed to secure the Internet’s routing infrastructure, primarily Border Gateway Protocol (BGP).

Last month, as reported by BleepingComputer, one of America’s largest broadband providers, Comcast implemented RPKI on its network to block BGP hijacking attacks and leaks.

In April this year, a major BGP leak had disrupted thousands of networks globally, prompting the need for networks to strengthen BGP route security.

ARIN to temporarily take down its RPKI by surprise

This week, ARIN announced that they plan on taking down their RPKI by surprise, for about 30 minutes, sometime in July this year.

The rationale behind this drill is that, should ARIN’s critical RPKI, which is relied on by many, ever face disruptions or outages, networks should be prepared to fall back to routing on unvalidated announcements.

This is one of the many best practices, described in RFC 7115:

RFC 7115 states RPKI-validated routing announcements should be preferred, without rejecting those lacking the validations

“We want to ensure that ARIN and the greater RPKI community are prepared in the unlikely event that access to ARIN’s RPKI repository becomes unavailable.”

Also Read: The 5 Phases of Penetration Testing You Should Know

“To that end, we encourage operators utilizing ARIN’s RPKI repository data to follow the best practices as described in RFC 7115 / BCP 185 – specifically falling back to routing on unvalidated announcements (i.e. NotFound validity state) in the absence of RPKI data availability,” says Brad Gorman, Senior Product Owner, Routing Security at ARIN.

As such, organizations that rely on ARIN’s RPKI route classification should review their operational model before next month, which is when the surprise maintenance will occur.

How does ARIN fit into the big picture?

ARIN is one of the five Regional Internet Registries (RIRs) making the RPKI work:

ARIN is one of the Regional Internet Registries (RIRs) supporting RPKI (Cloudflare)

RPKI is a cryptographic framework designed to secure BGP, the internet’s routing infrastructure, and it works by signing records that associate a route with an originating AS number.

RIRs, like ARIN, provide a way for members to take an IP-ASN pair and sign an ROA (Route Origin Authorization) record.

An ROA is a digitally signed object that, as a part of the RPKI system, enables anyone to verify whether an IP address block holder has authorized an AS (Autonomous System) to originate routes to one or more prefixes within that address block:

Role of RIRs, like ARIN, in signing IP-ASN pairs for RPKI (Cloudflare)

As retired Cloudflare engineer, Martin Levy explains it himself:

“Because any route can be originated and announced by any random network, independent of its rights to announce that route, there needs to be an out-of-band method to help BGP manage which network can announce which route,” says Levy.

“That system exists today. It’s part of the IRR (Internet Routing Registry) system.”

“Many registries exist, some run by networks, some by RIRs (Regional Internet Registries) and the grand daddy of IRRs, Merit’s RADB service. This service provides a collective method to allow one network to filter another network’s routes,” Levy further explains.

Also Read: Got Hacked? Here Are 5 Ways to Handle Data Breaches

Last year, IBM suffered a global outage due to “incorrect” BGP routing, as reported by BleepingComputer. For those interested, the report also goes over the basics of BGP routing and hijacking.

As more and more networks adopt RPKI, this move by ARIN encourages networks and AS owners to investigate and become ready with a fail-safe plan.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us