16 November 2021

Three ways to protect your network from vulnerabilities


Network operators and enterprises are increasingly interested in security services for their connectivity, so that the risk to their operations stays low. Regardless of the kind of network, all share a basic need for routing security. There is a range of services and measures you can take to shield your network against both deliberate and accidental damage.

Here are three ways to protect your network from vulnerabilities.

1. Use Blackholing Advanced against DDoS attacks

If you are connected to an Internet Exchange (IX), probably the best-known attack type that can be mitigated at an IX is the Distributed Denial of Service (DDoS) attack. The goal of a DDoS attack is to disrupt normal traffic of a targeted destination by overwhelming the target with a flood of traffic. For example, if you have an online shop hosted on a web server, a DDoS attack on the server will mean that your web shop is no longer accessible to your customers – and they will probably go and shop elsewhere.

You can mitigate the effects of DDoS attacks with Blackholing. It protects your network by discarding the malicious traffic while you are under attack. The good thing about basic Blackholing is that there is no collateral damage for the other networks in the firing line. The disadvantage is that the target destination is still unable to communicate, meaning that, through the mitigation measure itself, the attacker has ultimately achieved the original objective.

Enter Blackholing Advanced. With this service, you can go a step further: instead of discarding all traffic sent to the destination, you can restrict the filter to certain protocols and block specific source and destination ports. So you can block just the port under attack while all the other ports remain reachable, and the network can still communicate.
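To make the difference between the two services concrete, here is an added example (not DE-CIX code, and not a description of how the IX implements the service) that models a blackhole as a match rule over destination prefix, protocol and ports and applies it to a few constructed flows. The sample addresses, the ASN-free flow tuples and the rule shapes are all assumptions made for illustration; the point is that a basic rule drops every flow to the victim, while an advanced rule drops only the flood and leaves the customer and admin sessions alone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample flows: (src_ip, dst_ip, protocol, src_port, dst_port).
# 203.0.113.10 is the (hypothetical) web shop under attack.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "udp", 123, 80),    # reflected UDP flood hitting the shop
    ("198.51.100.9", "203.0.113.10", "tcp", 4433, 443),  # legitimate HTTPS customer
    ("198.51.100.9", "203.0.113.10", "tcp", 5000, 22),   # admin SSH session
    ("198.51.100.9", "203.0.113.20", "tcp", 5001, 443),  # another host in the same /24
]


@dataclass
class BlackholeRule:
    """A drop rule; a field left as None matches anything (basic blackholing)."""
    destination: str                 # prefix whose inbound traffic is affected
    protocol: Optional[str] = None   # "tcp", "udp", ... or None for any
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, flow) -> bool:
        _src, dst, proto, sport, dport = flow
        if ip_address(dst) not in ip_network(self.destination):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.src_port is not None and sport != self.src_port:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return True


def apply_rules(flows, rules):
    """Return [(flow, action)] with action 'drop' if any rule matches, else 'forward'."""
    return [(f, "drop" if any(r.matches(f) for r in rules) else "forward")
            for f in flows]


def still_reachable(flows, rules, victim="203.0.113.10"):
    """Services (protocol, dst_port) on the victim that legitimate flows can still reach."""
    return sorted({(f[2], f[4]) for f, a in apply_rules(flows, rules)
                   if a == "forward" and f[1] == victim})


# Basic Blackholing: everything to the victim /32 is discarded.
BASIC = [BlackholeRule("203.0.113.10/32")]
# Blackholing Advanced: only the reflected UDP flood (source port 123) is discarded.
ADVANCED = [BlackholeRule("203.0.113.10/32", protocol="udp", src_port=123)]

if __name__ == "__main__":
    for name, rules in (("basic", BASIC), ("advanced", ADVANCED)):
        print(name, [a for _, a in apply_rules(SAMPLE_FLOWS, rules)],
              "reachable:", still_reachable(SAMPLE_FLOWS, rules))
```

With the basic rule the shop is unreachable on every port (the attacker's objective is met for them); with the advanced rule the flood is gone and HTTPS and SSH to the shop keep working, which is the whole reason the extra match fields exist.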

2. Mitigate IP hijacking

Another risk to networks is routing insecurity through IP hijacking, either accidental or deliberate. As an example, a malicious actor wants to wiretap the traffic that goes to an IP destination somewhere on the Internet – maybe to the above-mentioned online shop, in order to steal the credit card details of the shop’s customers. They can start announcing the IP space of the shop, and if done right, can receive all the requests which go to the online shop. They can either drop the traffic so that the orders from customers do not go through, or can pass it on to the web shop having collected the information they wanted.

Technologies like RPKI Origin Validation and IRR (Internet Routing Registries) filtering can be used to mitigate this problem. RPKI provides origin validation: it checks whether the network announcing an IP prefix is actually allowed to originate it, which makes it much harder to accidentally announce the wrong IP space through a typing mistake or similar. If the announcement is not authorized, it can easily be filtered out.

IRR filtering, on the other hand, is used to prevent the propagation of incorrect routing information. This filtering has already been available in the Internet infrastructure for years, whereas RPKI Origin Validation has only become available recently.
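The following added example (my own illustration, not DE-CIX code) shows how the two mechanisms described in this section fit together on a router's import policy. It implements the Route Origin Validation outcome states of RFC 6811 (valid, invalid, not-found) against a constructed ROA table, falls back to an exact IRR route-object match when RPKI has no opinion, and rejects anything RPKI calls invalid. The ASNs, prefixes and the one-ROA, two-route-object data set are assumptions chosen so that a hijack, a mistyped prefix and a too-specific announcement each show up.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ASN may announce under this ROA
    asn: int         # ASN authorized to originate the prefix


# Constructed sample data: the shop's network is AS64500 and holds 203.0.113.0/24.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]
# Constructed IRR route objects as (route, origin) pairs; 198.51.100.0/24 has no ROA.
IRR_ROUTE_OBJECTS = {("203.0.113.0/24", 64500), ("198.51.100.0/24", 64501)}


def rpki_validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    net = ip_network(prefix)
    # A ROA "covers" the route if its prefix contains the announced prefix.
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"
    # Valid if any covering ROA names this origin and permits this prefix length.
    if any(r.asn == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def irr_allows(prefix: str, origin_as: int, route_objects=IRR_ROUTE_OBJECTS) -> bool:
    """Exact-match IRR filter: the (route, origin) pair must be registered."""
    return (str(ip_network(prefix)), origin_as) in route_objects


def accept_announcement(prefix: str, origin_as: int):
    """Import policy: RPKI decides where it can; IRR decides the rest."""
    state = rpki_validate(prefix, origin_as)
    if state == "invalid":
        return False, state
    if state == "valid":
        return True, state
    return irr_allows(prefix, origin_as), state


if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500),   # legitimate owner
                        ("203.0.113.0/24", 64666),   # hijacker announcing the shop's space
                        ("203.0.113.0/25", 64500),   # owner, but more specific than the ROA allows
                        ("203.0.133.0/24", 64500),   # typo: 133 instead of 113, nobody registered it
                        ("198.51.100.0/24", 64501)]: # no ROA yet, but a matching route object
        print(prefix, asn, accept_announcement(prefix, asn))
```

The typo case is the one the text is about: the mistyped prefix has no covering ROA, so RPKI returns not-found, and the IRR check rejects it because nobody has registered a route object for it either. The hijacker and the over-specific /25 are both caught by RPKI alone, which is why deploying ROAs with a tight max length matters even where IRR filtering already exists.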

3. Keep an eye on your ASN

Another security issue is Autonomous System Number (ASN) hijacking. By hijacking your ASN, a malicious actor can pretend to be you and use your ASN to send unwanted traffic such as spam, and can even carry out DDoS attacks.

Every network that wants to be part of the Internet needs an ASN. We have seen ASN hijacking in particular with companies that have registered an ASN but are currently not announcing it to the Internet. This makes it very difficult to ascertain who is behind the number, and it makes it look like the legitimate owner is behaving badly, which can result in them being blocklisted or, far worse, damage their reputation.

Therefore, we really encourage companies to keep an eye on their AS number even if they are not currently using it.
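"Keeping an eye on" an ASN can be automated. The added example below (my own illustration, not a DE-CIX tool) audits a batch of observed routes, of the kind a public route collector would show you, against three facts you know about yourself: your ASN, the prefixes you hold, and whether you are currently announcing anything at all. It flags routes that originate from your ASN but cover prefixes you do not own, routes that carry your ASN anywhere in the path while you are not announcing, and, for completeness with the previous section, your own prefixes originated by someone else. All ASNs, prefixes and observations are constructed.

```python
from ipaddress import ip_network

# Facts about ourselves (constructed): a registered but currently unused ASN.
MY_ASN = 64500
MY_PREFIXES = ["203.0.113.0/24"]
CURRENTLY_ANNOUNCING = False   # flip to True once the ASN is in production use

# Constructed observations in the shape (prefix, as_path); the origin is the last hop.
OBSERVED_ROUTES = [
    ("192.0.2.0/24",     [64496, 64497, 64500]),  # our ASN originating space we do not hold
    ("203.0.113.0/24",   [64496, 64499]),         # our prefix originated by a foreign ASN
    ("198.51.100.0/24",  [64496, 64500, 64498]),  # our ASN appearing as transit in a path
    ("198.51.100.0/24",  [64496, 64498]),         # unrelated route, nothing to report
]


def audit(routes, my_asn=MY_ASN, my_prefixes=MY_PREFIXES, announcing=CURRENTLY_ANNOUNCING):
    """Return a list of (finding, prefix, as_path) for routes that misuse our ASN or space."""
    mine = [ip_network(p) for p in my_prefixes]
    findings = []
    for prefix, path in routes:
        net = ip_network(prefix)
        origin = path[-1]
        owned = any(net.version == m.version and net.subnet_of(m) for m in mine)
        if origin == my_asn and (not owned or not announcing):
            # Someone is speaking as us: either for space that is not ours,
            # or while we are not announcing anything, so it cannot be us.
            findings.append(("asn-origin-hijack", prefix, path))
        elif my_asn in path and not announcing:
            # Our ASN shows up mid-path although we have no BGP sessions at all.
            findings.append(("asn-in-path", prefix, path))
        elif owned and origin != my_asn:
            # The IP-hijacking case from section 2, seen from the owner's side.
            findings.append(("prefix-hijack", prefix, path))
    return findings


def finding_kinds(routes, **kwargs):
    return [kind for kind, _, _ in audit(routes, **kwargs)]


if __name__ == "__main__":
    for finding in audit(OBSERVED_ROUTES):
        print(*finding)
```

Run periodically against a fresh dump of routes, this is enough to notice the situation the text describes: an unused ASN suddenly showing up as the origin of prefixes you never held. Once you do start announcing, set the flag and the transit-path check is skipped, because your ASN legitimately appears in paths then.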

Keen to learn more?

To find out how enterprises can safeguard their data and digital resources, read our article by Dr. Thomas King, CTO of DE-CIX, with more details on the methods listed above.