With Border Gateway Protocol (BGP), transit network providers edit access lists so that they only announce prefixes they have manually verified someone has the authority to advertise. However, because BGP lacks authentication, it has become increasingly vulnerable not only to human error such as misconfiguration and typos, but also to abuse by cyber threat actors seeking to hijack routes to achieve criminal objectives.
Secure Routing with RPKI
As Internet traffic has increased exponentially in recent years, the importance of routing validation has become paramount. This has led to the advent of Resource Public Key Infrastructure (RPKI), developed jointly by Regional Internet Registries (RIRs), leading router vendors and open source software developers. RPKI is a community-driven routing innovation to help secure the Internet’s routing infrastructure in real time and at scale, by linking IP addresses and AS numbers to a trust anchor.
For RPKI to function optimally, owners of IP addresses and ASNs need to create a cryptographic statement called a Route Origin Authorization (ROA). A ROA can only be created by the legitimate owner of the prefix and states which AS number is authorized to announce a particular prefix on the Internet. This makes it possible to validate that route announcements originate from the AS authorized to announce them (Route Origin Validation), and then to filter the announcements (Route Filtering), so that any ‘invalid’ routes are dropped.
Secured Routing with Nexusguard RPKI Framework
To support the community’s initiative to secure BGP via RPKI, Nexusguard has added RPKI status visibility into all its products, including the Cloud Diversion feature, developed specifically to facilitate automated route diversion of under-attack IP prefixes to scrubbing centres. For route verification to be effective, Nexusguard validates ROAs created by its customers, ensuring all their routes are safe to announce to the Internet. ROAs help to digitally verify where a prefix should have originated from and who its legitimate owner should be, preventing bad actors from intercepting Internet traffic and guarding against accidental routing mistakes caused by human error.
Figure 1 - Modified Route Template with RPKI ROA
In the case of Nexusguard Cloud Diversion, this feature is enhanced using RPKI ROA Origin AS information, which automatically validates the origin AS, thereby eliminating the risk of unintended routing mistakes. Moreover, the cryptographic verification component intrinsic to RPKI prevents potential hijacks in the first hop of routing in the network.
For more information on how to enable RPKI for a safer Internet, check out the Nexusguard blog post.
The RPKI ROA feature is now available to customers using our Origin Protection service. For further information, please read about Nexusguard’s Origin Protection.
© 2023 Nexusguard - All Rights Reserved. Read Our Privacy Policy.