
2014 – A Crucial Year for the Internet

We are quickly approaching the mid-point in a pivotal year for the evolution of the Internet. 

I recently spoke at the INET Istanbul, which offered another important opportunity for multistakeholder dialogue on critical Internet issues. The INET provided a bridge between two important meetings — just one month after NETmundial in São Paulo, Brazil and a few months ahead of the 9th meeting of the Internet Governance Forum (IGF), which will also be held in Istanbul in early September. These meetings call upon the international community to reflect on the kind of Internet we want and how we want to answer the many open questions related to its governance and its future.

The core values of the Internet pioneers are deeply rooted in the belief that the human condition can be enhanced through reducing barriers to communication and information. As such, the success of the Internet is based on an open and collaborative approach to policy, standards, and technology development. Without open standards, the Internet would not be the powerful catalyst it is for access to information, freedom of expression, and innovation. 

Unfortunately, there have been, and currently are, many examples of governments using technological measures to restrict access to content deemed undesirable. In fact, the debate on Internet governance is seen by many as another attempt by authoritarian governments to stifle the medium and to gain control over its content.

Internet Governance, the Multistakeholder Process and NETmundial

There are many dimensions to the debate on Internet governance, and the recent NETmundial was a strong signal to the world that the community is seeking to fulfill its commitment towards gaining a better understanding of all those dimensions.

The most important outcome from NETmundial was its endorsement of the multistakeholder model of Internet governance: the conference proved that all stakeholders are able to work together and to move towards convergence and a common understanding on some critical issues. To me, the most encouraging aspect was that governments accepted that other stakeholders had as much to say as they have and that their voice counted as much. This was important, as without a clear signal in this regard, the pressure to move to more traditional, top-down intergovernmental arrangements would have increased and culminated at the Plenipotentiary meeting of the International Telecommunication Union to be held in Busan, Korea, this October.

NETmundial was, however, not able to provide answers to all open questions and concerns. It passed some issues for discussion on to other organizations and platforms, such as the IGF. The IGF is now called upon to produce some tangible outputs.

Next Steps and the IGF

The disclosures last year of pervasive government surveillance programs were akin to a seismic shift in the Internet governance landscape. The large-scale nature of these programs made Internet users realize that the chain of trust ─ which is essential to the good functioning of the Internet ─ had been broken. This realization created a sense of urgency to review current Internet governance arrangements and to rebuild Internet users’ trust in the Internet, its function, and how it fits into society. This was the underlying theme at the 2013 IGF meeting. There was a general agreement that the IGF was the privileged place to pursue these discussions and that the multistakeholder format was the only way forward.

Given the current challenges and given the necessity to restore trust and confidence in the Internet, it is essential to involve all stakeholders, from developed as well as developing countries, in discussions on the future evolution of the Internet. The IGF has proved its worth as a place where the community gathers to share experiences and exchange information. It provides protection, legitimacy, and credibility to the multistakeholder model, since it is the only truly open and inclusive multistakeholder platform under the UN umbrella.

The upcoming IGF in Istanbul should therefore be the starting point for such an evolution. It can take the discussion from NETmundial forward on the long path towards creating a new chain of trust for the Internet and finding a new international consensus on multistakeholder Internet governance.


Energizing the Global Conversation on the Future of the Internet

The Internet has reached a critical juncture and faces challenges that threaten to compromise the freedom and openness upon which it was built. There is a growing need to restore the world’s trust and confidence in the global network, and every stakeholder should be included in the dialogue about its future…precisely because it impacts so many, in so many important ways.

The Internet Society is a strong advocate for an open and free Internet. We believe the multistakeholder approach to Internet governance is the only way to ensure the stability, security, and availability of the global infrastructure. To that end, ISOC partnered with Bilgi University to engage key stakeholders at the INET Istanbul for a multistakeholder discussion of important issues.

This INET forms an integral part of our strategic regional engagement with a view to further promote the Internet Society’s multistakeholder process to address critical issues related to the Internet. Both the panel and the audience included civil society, government, business, and academia with Turkish and global Internet leaders.

The agenda reflected issues such as privacy and intellectual property rights which constitute key issues in Turkey and within the wider European region. The conversation was marked by a very open and transparent environment that allowed both the keynote speakers and the panel to discuss, address, and deliberate on some fundamental principles regarding Internet governance, human rights, and the openness of the Internet. There was a wide agreement on the value of the multistakeholder process as well as on a balanced approach to reflect the different stakeholders’ vision as regards to the Internet.

Amongst others, discussions focused on the recent ECJ decision on the right to be forgotten as well as what it means in the context of the European region and globally. There was also some very interesting debate on the relationship between IPR and innovation with particular focus on the notion of “permissionless innovation” and its compatibility with copyright.

The INET Istanbul also served as a touchstone in moving forward the conversations on Internet governance recently addressed at the Sao Paulo NETmundial and in advance of the Internet Governance Forum (IGF) in Istanbul in September.

Indeed the recent NETmundial in São Paulo provided an open and participatory process with thousands of people from governments, private sector, civil society, technical community, and academia discussing current Internet challenges. The conference addressed some basic questions and concerns on Internet governance issues that many have been asking, in various ways, for over a decade. It was widely agreed that the meeting energized the global conversation about the value of the multistakeholder model and the importance of collaborative, bottom-up processes while examining the dimensions of Internet governance, and the complexities therein.

The IGF has proved its worth over the years as the go-to place where the community gathers to exchange information and discuss the future of the Internet. The IGF is well placed to consider the outputs from NETmundial and to discuss how best to move forward to rebuild online trust, along with many other topics.

Whether challenges are related to ensuring the robustness and resiliency of Internet security and privacy, advancing the deployment and development of core Internet infrastructure—or any number of other challenges—we must continue to find ways to solve these issues without undermining the Internet’s fundamental design principles.

The Internet Society looks forward to continuing its collaboration with all stakeholders to build the Internet of the future. The key to finding solutions is an ongoing, open exchange of information and ideas based on the multistakeholder process.

For more information on the INET Istanbul please visit its website.


Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security

Over the weekend there were extremely disturbing reports out of Turkey of escalations in the attempts by the Turkish government to block social media sites such as Twitter and YouTube. The steps now being taken appear to have the Turkish Internet service providers (ISPs) hijacking the routes to public DNS servers such as those operated by Google and masquerading as those DNS servers to provide answers back to their citizens.

Effectively, the Turkish ISPs, operating to comply with a Turkish government ban, are performing a “man-in-the-middle” (MiTM) attack against their citizens and giving them false information.

The Internet Society made a statement on the subject yesterday, explaining its “deep concern” for the situation, and our Chief Internet Technology Officer Leslie Daigle has described how these recent moves “represent an attack not just on DNS infrastructure, but on the global Internet routing system itself.”

Background

As we noted ten days ago, ISPs in Turkey started out attempting to implement the government’s ban by simply blocking those sites in DNS. When Turkish citizens tried to go to those social media sites, their device would query DNS to get the correct IP address to connect to.  The Turkish ISPs who were providing the DNS servers used by the Turkish citizens simply failed to give back a response for Twitter and YouTube.

Turkish citizens found they could get around this block by simply changing their devices’ DNS settings to point to open public DNS resolvers such as those operated by Google.

Predictably, the Turkish ISPs then attempted to block the addresses for Google Public DNS servers and other similar servers. The ISPs then started to engage in the typical kind of “whac-a-mole” game with their citizens, where the citizens would find new ways to get around the censorship… and the ISPs would then try to shut those down.

BGP Hijacking

Starting this past Saturday, March 29, though, reports started coming in that the Turkish ISPs were taking this to a whole new level by hijacking routing of the Border Gateway Protocol (BGP) and pretending to be Google’s Public DNS servers (and the servers of other similar services).

In other words, the devices operated by Turkish citizens on Turkish networks were connecting to what they thought were Google’s Public DNS servers (and other services) and were getting back answers from those services.

The answers the Turkish citizens were receiving were just the wrong answers.

Instead of going to Twitter or YouTube they were being redirected to sites operated by Turkish ISPs.  Google confirmed this in a post on their Online Security Blog that included in part:

A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for, be it YouTube, Twitter, or any other.

But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service.

Writing over on the BGPMon blog, Andree Toonk detailed the specifics of the BGP route hijack that took place. Essentially, the Turkish ISPs started “advertising” a more specific route for Google’s Public DNS servers. The way BGP works, Google advertises a route for traffic to get to its servers on its network. As the BGPMon blog post indicates, that is normally an “8.8.8.0/24” route directing people to AS 15169. However, the Turkish ISPs advertised a more specific route for “8.8.8.8/32” that went to their own network.

In BGP, a router typically selects the most specific route as the one to use to connect to a given IP address.  So all the routers on networks connected to Turkish ISPs would use this very specific route instead of the one advertised by Google.

They apparently did this for all of Google’s Public DNS addresses as well as those of other open public DNS providers. Over on the Renesys Blog, Earl Zmijewski shared their observations, including showing precisely when the hijacking occurred:

The Turkish ISPs are pretending to be Google’s specific DNS servers to everyone who is connected to their network.

Delivering False DNS Information

The Turkish ISPs went a step further, though, in that they set up their own DNS servers that answered as if they were Google’s Public DNS servers.  As Andree Toonk wrote on the BGPmon blog:

Turk Telekom went one step further, instead of null routing this IP address they brought up servers with the IP addresses of the hijacked DNS servers and are now pretending to be these DNS servers.  These new fake servers are receiving traffic for 8.8.8.8 and other popular DNS providers and are answering DNS queries for the incoming DNS requests. 

Stéphane Bortzmeyer also documented this in a lengthy post on his blog where he used the RIPE NCC’s Atlas probe network to show that DNS answers in Turkey are different from those in other areas.  The Renesys blog post also confirmed this, as did many posts on social media services and other online sites.  A good number of tech media sites have weighed in on the matter as well.
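One way to spot what those Atlas measurements showed, as an added illustration (not Stéphane Bortzmeyer’s, Renesys’s or RIPE NCC’s code): gather the answers a given resolver address returns for a name from probes in many countries, treat the majority answer as the consensus, and flag countries whose probes consistently get something else. The probe rows below are constructed and use RFC 5737 documentation addresses; the real addresses were not on this page.

```python
"""Flag countries where a public resolver returns answers unlike everywhere else.

Added illustration, not code from the RIPE Atlas, Bortzmeyer or Renesys posts.
Input rows are constructed: (probe country, resolver queried, name asked,
set of A records returned).  All addresses are RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, List, Tuple

Observation = Tuple[str, str, str, FrozenSet[str]]

TWITTER_OK = frozenset({"198.51.100.10", "198.51.100.11"})  # constructed "real" answer
BLOCK_PAGE = frozenset({"203.0.113.5"})                     # constructed ISP block page

RESULTS: List[Observation] = [
    ("DE", "8.8.8.8", "twitter.com", TWITTER_OK),
    ("US", "8.8.8.8", "twitter.com", TWITTER_OK),
    ("JP", "8.8.8.8", "twitter.com", TWITTER_OK),
    ("BR", "8.8.8.8", "twitter.com", TWITTER_OK),
    ("TR", "8.8.8.8", "twitter.com", BLOCK_PAGE),  # probe behind a hijacking ISP
    ("TR", "8.8.8.8", "twitter.com", BLOCK_PAGE),
    ("DE", "8.8.8.8", "example.net", frozenset({"192.0.2.1"})),
    ("TR", "8.8.8.8", "example.net", frozenset({"192.0.2.1"})),  # unblocked name agrees
]


def divergent_answers(results: List[Observation], min_share: float = 0.5):
    """Return {(resolver, qname): (consensus_answer, [countries that disagree])}.

    Consensus is the most common answer set across all probes; it only counts
    if at least min_share of probes saw it, because CDN names legitimately
    answer differently per region and would otherwise produce noise.
    A country is reported only if every one of its probes disagreed.
    """
    grouped: Dict[Tuple[str, str], List[Tuple[str, FrozenSet[str]]]] = defaultdict(list)
    for country, resolver, qname, answers in results:
        grouped[(resolver, qname)].append((country, answers))

    report = {}
    for key, observations in grouped.items():
        consensus, count = Counter(ans for _, ans in observations).most_common(1)[0]
        if count / len(observations) < min_share:
            continue  # no clear global consensus; skip rather than guess
        per_country: Dict[str, List[bool]] = defaultdict(list)
        for country, answers in observations:
            per_country[country].append(answers == consensus)
        odd = sorted(c for c, agree in per_country.items() if not any(agree))
        if odd:
            report[key] = (consensus, odd)
    return report


if __name__ == "__main__":
    for (resolver, qname), (consensus, countries) in divergent_answers(RESULTS).items():
        print(f"{resolver} {qname}: consensus {sorted(consensus)}, divergent in {countries}")
```

The method is blind when every probe sits behind the same hijacking ISPs, which is exactly why vantage points outside the affected country matter.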

The Need To Secure BGP

From our Deploy360 point of view, this kind of attack against the Internet provides a great case study of why we need to better secure BGP and why we need to get DNSSEC validation more widely deployed.

With BGP, the fact that anyone can advertise a route for any other network means that ISPs can do precisely what the Turkish ISPs have done and hijack routes to masquerade as anyone else. Clearly this is unacceptable. As we discuss on our “Securing BGP” page, and as the BGP Operations And Security Internet-Draft details more deeply, there are efforts underway to deploy “secure origin validation” so that routers in the network know which advertised routes to trust and which ones not to trust.

If the routers on networks in Turkey had secure origin validation in place, when they received the more specific route from the Turkish ISPs they could have checked the origin, realized that the route advertisement was not coming from the operator of the original network and simply disregarded the more specific route. They would have continued to use the original routes that were advertised by the original network operators.

Now, granted, if the ONLY routes from the networks inside of Turkey out to the rest of the Internet are through a small number of large Turkish ISPs who work with the government to enforce banned sites, then this kind of origin validation will not help the “downstream” networks.  While they may disregard the announced specific route because of origin validation, their traffic using the original route will still have to travel through the networks of the small number of large ISPs who can then – within the large ISP networks – perform the BGP hijacking.  However, if any of the downstream networks have alternate Internet connections (and this may not be possible within Turkey) they may be able to use routes going out those connections.

It is also useful to note that secure origin validation could help networks outside of Turkey.  When a government is causing network operators to mess around with the routing tables that make up the fundamental architecture of the Internet, they are playing with fire. One mistake could have a very large impact on the rest of the Internet, such as the time when a Pakistani ISP rerouted global YouTube traffic to a network in Pakistan back in 2008!  In their escalating attempts to block access for Turkish users, it is entirely possible that someone at one of the Turkish ISPs could leak incorrect routes out into the larger Internet.  Secure origin validation running on other networks around the Internet would prevent these incorrect routes from being taken seriously.
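To make the route-selection point from the BGP Hijacking section and the origin-validation argument above concrete, here is a small simulation, added as an illustration (not code from BGPMon, Google or the Deploy360 project): a router that simply prefers the longest prefix follows an “8.8.8.8/32” announcement to the hijacker, while a router that checks the announcing origin AS against a Route Origin Authorization (ROA) discards it and falls back to Google’s /24. AS 15169 is Google’s ASN as named above; the hijacker’s ASN (64500, from the private-use range) and the ROA contents are assumed.

```python
"""Longest-prefix match vs. origin validation for the 8.8.8.8 hijack.

Added illustration, not code from the Deploy360 post, BGPMon or Google.
AS15169 is Google's ASN (named in the post); AS64500 is a constructed,
private-use ASN standing in for the hijacking ISP, and the ROA is assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    origin_as: int  # last AS in the AS_PATH, i.e. who claims to own the prefix
    next_hop: str   # where packets would actually be forwarded


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix, no longer than max_length."""
    prefix: IPv4Network
    origin_as: int
    max_length: int


def validate_origin(route: Route, roas: List[Roa]) -> str:
    """RFC 6811 origin validation outcome: 'valid', 'invalid' or 'notfound'.

    A route is valid if some ROA covers it with the same origin AS and a
    max_length at least as long as the announced prefix; covered by ROAs but
    matching none of them means invalid; not covered at all means notfound.
    """
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def select_route(dst: str, rib: List[Route], roas: Optional[List[Roa]] = None) -> Optional[Route]:
    """Return the route a router would use for dst.

    Without roas this is plain longest-prefix match, which is why a /32
    beats Google's /24.  With roas, routes that validate as 'invalid' are
    dropped before the match; 'notfound' routes are kept, since most of the
    Internet has no ROA yet and dropping them would break reachability.
    """
    addr = IPv4Address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if roas is not None:
        candidates = [r for r in candidates if validate_origin(r, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


GOOGLE_AS = 15169
HIJACKER_AS = 64500  # constructed stand-in from the private-use ASN range

# Constructed routing table: Google's normal /24 plus the more-specific /32
# described in the post, originated by the hijacker and pointing at its impostor resolver.
RIB = [
    Route(IPv4Network("8.8.8.0/24"), GOOGLE_AS, "transit-towards-google"),
    Route(IPv4Network("8.8.8.8/32"), HIJACKER_AS, "isp-impostor-dns"),
]

# Assumed ROA: AS15169 may originate 8.8.8.0/24 and nothing more specific
# (max_length 24), so any /32 inside that block, from any AS, is invalid.
ROAS = [Roa(IPv4Network("8.8.8.0/24"), GOOGLE_AS, 24)]


def origin_state(prefix: str, origin_as: int, roas: List[Roa] = ROAS) -> str:
    """Convenience wrapper: validation outcome for a prefix/origin pair."""
    return validate_origin(Route(IPv4Network(prefix), origin_as, "n/a"), roas)


def demo() -> Tuple[Optional[Route], Optional[Route]]:
    """Chosen route for 8.8.8.8 without and with origin validation."""
    return select_route("8.8.8.8", RIB), select_route("8.8.8.8", RIB, ROAS)


if __name__ == "__main__":
    plain, validated = demo()
    print("longest-prefix only   :", plain.prefix, "via", plain.next_hop, "origin AS", plain.origin_as)
    print("with origin validation:", validated.prefix, "via", validated.next_hop, "origin AS", validated.origin_as)
```

Note that under this ROA even a /32 announced by AS 15169 itself is invalid, which is why operators must choose max_length to match what they really announce.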

Where DNSSEC Would Help

On the DNSSEC side, if the Turkish citizens had DNSSEC-validating DNS resolvers running on their local networks, or even better on their actual devices, and if, for instance, Google had DNSSEC-signed the DNS records for their Public DNS servers, then Turkish users would be able to know that they were not getting to the correct servers. Note that this would not help them get to new servers… but they would know that they were not getting the correct information. Applications that validated the DNSSEC signatures on information retrieved from DNS could then discard the invalid information and try other ways to get that information.

DNSSEC helps ensure that you are getting to the correct site and not to a site set up by, for example, a spammer or phisher trying to steal your identity. Similarly it could protect you from going to sites set up by a government (or via a government mandate) that are pretending to be a site that they are not. For this to work, of course, the original sites (such as Twitter and YouTube) need to have their DNS information signed with DNSSEC, and users out on the Internet need to have DNSSEC validation happening in their local DNS resolvers.

Which is why we need to get DNSSEC deployed as fast as possible – to ensure that the information that we all get out of DNS is the same information that was put into DNS by the operators of a given domain… and not the information put in by an attacker, which, in this case, could be ISPs acting on behalf of a government.

Again, this would not necessarily help a Turkish user get to Twitter or YouTube, but would prevent them from going to spoofed sites.  Additionally, if the operating system were validating the DNSSEC signatures on name server records the system could have noticed that the information it was getting back from, for instance, Google’s Public DNS, did not validate with the “global chain of trust” and so could have warned that the DNS information was suspicious (or perhaps chosen to try to use additional DNS servers that did validate correctly).

How To Help

The question now is what we do to strengthen the Internet against these kinds of attacks on the Internet’s infrastructure. Within our area of focus, we have three requests:

1. Understand how to secure BGP, and do so! – Please visit our “Securing BGP” section of the site, read the BGP Operations and Security Internet Draft, look at our BGP content roadmap and see if there are any documents there that you can contribute to help us build out our content and get more people taking these steps to secure their routers.  If you are a network operator, any steps you can take to make your routers more secure will go far.

2. Deploy DNSSEC validation – Wherever you can, turn on DNSSEC validation in any DNS recursive resolvers.  The steps to do so are very simple for the common DNS resolvers.

3. Sign your domains with DNSSEC – If you have a domain registered, see if you can sign it with DNSSEC (here are the steps you need) and if you encounter any issues please raise the issue with your domain name registrar, DNS hosting operator, IT department or whomever is blocking the process.

These steps will make attacks on the Internet’s infrastructure such as those happening in Turkey today more difficult and raise the effort required of the attackers.

Beyond these steps, this situation clearly points out the need for a wider diversity of Internet access methods.  Even with these steps above implemented, Turkish users who are limited to only the specific Turkish ISPs have no choice in receiving their default routes and connections.  If more options were to be available in the region, the ability of those users to have access to the information on the Internet would not be restricted.

The Internet needs to be hardened against attacks such as these.  Please help make the Internet stronger!


Turkish ISPs Hijacking Traffic: This is How an Internet Breaks

While we may be tired of hearing about blocked Internet access, the most recent move in Turkey should make us sit up and take notice again, as it represents an attack not just on the DNS infrastructure, but on the global Internet routing system itself.

I would argue that people in Turkey haven’t had real Internet service since mid-March when the Turkish government banned access to, and required the blocking of, Twitter and subsequently YouTube.  As reported, in the most recent effort to comply with the Turkish government mandate, Turkish ISPs have taken aim at the open public DNS services provided by companies such as Google. This is fragmenting the Internet — destroying its very purpose — and the Internet Society has been clear in its position that it should be undone.

This latest move attempts to address a perceived problem: many Turkish Internet users were using the well-known IP address of the Google Public DNS service to circumvent the crippled DNS services offered by their ISP. And with that, they could again access Twitter and YouTube.

While the service that is being blocked is an actual DNS server, the blocking is being performed at a lower level, in the routing system itself. To block access to Google Public DNS servers, Turkish ISPs’ routers are announcing an erroneous and very specific Internet route that includes the well-known IP address. With this modification, the Turkish routers are now lying about how to get to the Google Public DNS service, and taking all the traffic to a different destination. They are lying about where the Google service resides — by hijacking the traffic. Apparently, the ISPs are not just null-routing it (sending it into oblivion) — but rather sending the traffic to their own DNS servers which then (wait for it) give out the wrong answers. So, these servers are masquerading as the Google Public DNS service.

Both (a) blocking Twitter and YouTube by returning false DNS results and (b) the use of false routing announcements are attacks on the integrity of the Internet’s infrastructure — DNS and routing. Both of these infrastructure services are imperative to have a global Internet, and they are operated by collective agreement to adhere to Internet protocols and best practices — that’s what puts the “inter” in inter-network.

In 2012, when the US government was contemplating laws that would require ISPs to falsify DNS results in an effort to curtail access to websites offering counterfeit goods (SOPA — “Stop Online Piracy Act” and PIPA — “Protect IP Act”), we put together a whitepaper outlining the pitfalls of such DNS filtering. Those concerns apply in the case of the DNS blocking of Twitter and YouTube in Turkey, and there are analogs for the route hijacking approach, too:

Easily circumvented
Users who wish to download filtered content can simply use IP addresses instead of DNS names. As users discover the many ways to work around DNS filtering, the effectiveness of filtering will be reduced. ISPs will be required to implement stronger controls, placing them in the middle of an unwelcome battle between Internet users and national governments.

Doesn’t solve the problem
Filtering DNS or blocking the name does not remove the illegal content. A different domain name pointing to the same Internet address could be established within minutes.

Incompatible with DNSSEC and impedes DNSSEC deployment
DNSSEC is a new technology designed to add confidence and trust to the Internet. DNSSEC ensures that DNS data are not modified by anyone between the data owner and the consumer. To DNSSEC, DNS filtering looks the same as a hacker trying to impersonate a legitimate web site to steal personal information—exactly the problem that DNSSEC is trying to solve. DNSSEC cannot differentiate legally sanctioned filtering from cybercrime.

Causes collateral damage
When both legal and illegal content share the same domain name, DNS filtering blocks access to everything. For example, blocking access to a single Wikipedia article using DNS filtering would also block millions of other Wikipedia articles.

Puts users at risk
When local DNS service is not considered reliable and open, Internet users may use alternative and non-standard approaches, such as downloading software that redirects their traffic to avoid filters. These makeshift solutions subject users to additional security risks.

Encourages fragmentation
A coherent and consistent structure is important to the successful operation of the Internet. DNS filtering eliminates this consistency and fragments the DNS, which undermines the structure of the Internet.

Drives service underground
If DNS filtering becomes widespread, “underground” DNS services and alternative domain namespaces will be established, further fragmenting the Internet, and taking the content out of easy view of law enforcement.

Raises human rights and due process concerns
DNS filtering is a broad measure, unable to distinguish illegal and legitimate content on the same domain. Implemented carelessly or improperly, it has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.

The kicker is that this sort of approach to blocking use of (parts of) the Internet just doesn’t work. There are always workarounds, although they are becoming increasingly tortuous (dare I say “byzantine”?) and impede the future growth of the Internet’s technology. If Internet technology is like building blocks, this is like sawing the corners off your whole set of blocks and then trying to build a model with them.

All that this escalation of Internet hostility achieves is: a broken Internet.

In 2010, the Internet Society published a paper based on a thought exercise about what would become of the Internet if different forces prevailed in the Internet’s evolution. We’re seeing escalations on all vectors of the quadrants we outlined in the 2010 scenarios and while we believed it was a thought-experiment at the time, it’s amazing to see how much of the then-barely-imaginable is becoming real in one way or another. Collectively, we should take heed of the outcomes that those scenarios paint — and work together to get beyond this.

In the immediate term, there are technologies available to provide better security of (and, therefore, confidence in) DNS and routing infrastructures — see our related post on the Deploy360 site: Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security.


The Internet Society on Turkey’s Internet Traffic

This Statement was made March 31, 2014

We are deeply concerned with recent reports that the Turkish government is mandating curtailed access to key social media sites for millions of users across Turkey. Recent actions to implement the Turkish government’s requirement include the redirection of network routes so that Turkish citizens are not getting the correct information from the Domain Name System (DNS). They are instead being redirected to other web sites controlled by Turkish service providers. In addition to undermining core technical functions of the Internet’s architecture, such actions also threaten users’ fundamental human right to seek, receive, and impart information and ideas across frontiers.

Interfering with a country’s routing of Internet traffic not only harms citizens’ ability to communicate and innovate as part of the global Internet platform; it can also lead to a fragmentation of the network at the regional and global levels. Ultimately, the Turkish people and nation are the ones that will suffer, as their voices will be lost across the net.

The Internet Society believes that the Internet is a global medium that fuels economic and social development, empowers users with limitless access to knowledge, and supports aspirations for freedom. Bob Hinden, Chair of the Internet Society Board of Trustees, added, “We strongly urge the Turkish Government to stop requiring the blocking of access to social media sites and to allow full Internet access to all Turkish citizens immediately. We believe that the opportunity to participate in the global information society should never be taken away from individuals.”

The Internet Society hopes that nations around the world will come to understand that blocking citizens’ access to the tools of online communication only serves to fuel discord and is not the way to address the underlying concerns of their citizens. Such measures can only undermine citizens’ trust in their government’s ability to provide an enabling Internet environment for economic and social progress.