Routing security in Singapore

By on 4 Oct 2022

Category: Tech matters

Tags: , , , , ,

Blog home

Helix Bridge in Singapore by Robynne Hu at Unsplash.

When we at the Internet Society published the ccTLD study in 2021 to measure how much content is hosted inside or outside economies based on measures such as latency and hop-count, it was evident that Singapore is popular for hosting content of all varieties, especially within the Asia Pacific region. As noted in the study, 68% of Singapore’s ccTLD, .sg, was hosted inside the economy. Malaysia also appeared in the data as a popular location abroad for hosting ccTLD content.

In this post, I will be examining the routing security of operators in Singapore (according to APNIC registration data) and how .sg ccTLD domains are performing from a Resource Public Key Infrastructure (RPKI) point of view. This routing security post is based on the MANRS Observatory, which collects data from multiple sources. While we try our level best to filter any false positives, it’s not possible to entirely avoid them.

Diagram of MANRS Observatory system/
Figure 1 — The MANRS Observatory system.

There are more than 1,000 networks in Singapore and according to APNIC delegation records, APNIC provides some good visual statistics of the per economy resource delegations through its REx tool.

Figure 2 — Singapore’s Autonomous System Number (ASN) delegation since 1994.
Figure 2 — Singapore’s Autonomous System Number (ASN) delegation since 1994.

The public view of the MANRS Observatory allows you to select an economy and view not only the current status of the operators in the economy but also the historical overview of the last 12 months. You can also see how the economy is performing compared to its neighbours or other economies.

Looking at Singapore, it shows that in the month of August 2022 there were at least two incidents related to route leaks and seven incidents of bogon announcements. A bogon is an Internet number resource (Autonomous System Number (ASN), IPv4/IPv6 address) that should not be announced on the global routing table because either it is not allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs), or it is from the reserved blocks. All these incidents were caused by seven networks.

Figure 3 — Routing security in Singapore during August 2022, from the MANRS Observatory.
Figure 3 — Routing security in Singapore during August 2022, from the MANRS Observatory.

The most encouraging part is visible in the historical statistics, shown in Figure 4. While we can see incidents in almost every month of the last 12 months, fewer than 1% of networks have caused problems, and most of the incidents were related to bogon announcements. 

Figure 4 — Routing security in Singapore August 2021 - August 2022, from the MANRS Observatory.
Figure 4 — Routing security in Singapore August 2021 – August 2022, from the MANRS Observatory.

While the number of networks responsible for these incidents is low, we can’t say with certainty that most of the networks are implementing the baseline routing security required to avoid incidents.

Figure 5 — Routing completeness for Internet Routing Registry (IRR) and RPKI in Singapore August 2021 – August 2022, from the MANRS Observatory.
Figure 5 — Routing completeness for Internet Routing Registry (IRR) and RPKI in Singapore August 2021 – August 2022, from the MANRS Observatory.

A Route Origin Authorization (ROA) is a cryptographically signed object that states an AS is authorized to originate a particular IP address prefix or set of prefixes. Singapore’s ROA adoption is almost 55%, which makes it higher than the global average of around 40%. However, the concerning part is the number of invalid ROAs, which is at 2.6% compared to the global average of 0.5%.

To see how government websites (ending in .gov.sg) are performing from the RPKI perspective, we looked at a sample and found most are hosted at Google or Amazon, which are both active at ROA signing, as shown in Figure 5.

Figure 6 — Sample of Singaporean government website (ending in .gov.sg) hosts.
Figure 6 — Sample of Singaporean government website (ending in .gov.sg) hosts.

Out of that sample, we found most of the websites had valid ROAs of their IP host, but a substantial amount of ‘not found’.

Figure 7 — Singaporean government website (ending in .gov.sg) hosts, not found and valid.
Figure 7 — Singaporean government website (ending in .gov.sg) hosts, not found and valid.

When we expand the data of ‘not found’ IP hosts to check which network these resources belong to, it’s a very different picture. There are many networks in the list as shown below — interestingly the top two are Akamai and Incapsula.

Figure 8 — Akamai and Incapsula lead the not founds.
Figure 8 — Akamai and Incapsula lead the not founds.

Unfortunately, two government-related networks, AS135008 and AS140592, have not signed any ROAs at all for their resources (Figures 8 and 9). AS135008 announces 37 IPv4 routes and three IPv6 routes while AS140952 announces 12 IPv4 routes and six IPv6 routes.

Figure 8 — ASN report for AS135008.
Figure 9 — ASN report for AS135008. Source.
Figure 9 — ASN report for AS140592.
Figure 10 — ASN report for AS140592. Source.

In the .edu.sg sample, we found most of the websites are hosted at Amazon and Incapsula.

Figure 11 — Sample of Singaporean education website (ending in .edu.sg) hosts.
Figure 11 — Sample of Singaporean education website (ending in .edu.sg) hosts.

Once again, we found most had valid ROAs of their IP host.

Figure 12 — Singaporean education website (ending in .edu.sg) hosts, not found and valid.

Looking at the not founds, we found most of the websites were hosted at Incapsula and the National University of Singapore (NUS).

Figure 13 — NUS and Incapsula lead the not founds.

Why is this important?

Having valid ROAs prevents your IP addresses from origin hijack attempts. As ROAs are digitally signed objects, they provide a means of verifying that an IP address block holder has authorized an AS to originate routes to the global routing table. Not having ROAs makes these prefixes vulnerable to origin hijacks.

We encourage everyone to host their websites with platforms that support RPKI and create ROAs for their resources. Most importantly, governments should emphasize security best practices.

Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that stops bad actors and mitigates accidental misconfigurations that can wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage bad actors and misconfigurations can do.

Learn more about the importance of routing security, and implementation, at MANRS and how to create RPKI ROAs in MyAPNIC.

Aftab Siddiqui is a MANRS Project Lead & Senior Manager, Internet Technology at the Internet Society.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Top