Internet Exchange Points (IXs) are critical infrastructure that help different internet service providers connect and share traffic. Think of them as digital crossroads where major internet highways meet. However, recent findings reveal that these vital network hubs are experiencing serious security issues due to misconfigured equipment and unexpected devices appearing on what should be router-only networks.
Unexpected Devices Appearing on IX Networks
The most concerning discovery involves non-router devices accidentally connecting to IX networks. These exchanges are designed specifically for routers to share routing information using the Border Gateway Protocol (BGP). However, network administrators have found everything from desktop computers to servers appearing on these critical networks due to configuration mistakes.
When organizations connect to an IX, they sometimes accidentally bridge their internal office networks with the exchange infrastructure. This can happen when VLAN identifiers get reused or when troubleshooting equipment gets left connected to the wrong network segment. The result is that sensitive internal devices become visible to all other participants on the exchange.
VLAN (Virtual Local Area Network): A method of creating separate network segments on the same physical infrastructure
Routing Protocol Vulnerabilities
Another major security concern involves routing protocols that should never appear on IX networks. While BGP is the standard and expected protocol, researchers have discovered other routing protocols like OSPF, IS-IS, and RIP running on exchange networks. These protocols can allow malicious actors to manipulate routing tables and potentially redirect internet traffic.
I remember in the 2000s a large-ish telco network in the US was running OSPF on an IX. A few of us on IRC did the "what if?", and one of us brought up the adjacency and it worked.
The presence of these internal routing protocols means that network operators might accidentally share their internal routing decisions with competitors or malicious actors on the same exchange.
BGP (Border Gateway Protocol): The standard protocol used by internet service providers to exchange routing information
OSPF/IS-IS: Internal routing protocols that should only be used within a single organization's network
Network Management Protocol Exposure
IX networks are also seeing unexpected network management traffic that reveals sensitive information about connected organizations. Protocols like LLDP (Link Layer Discovery Protocol) and Spanning Tree Protocol are appearing on exchanges, potentially exposing network topology information to unauthorized parties.
While some argue these protocols can be helpful for network troubleshooting, their presence on public IX infrastructure creates unnecessary security risks. Each additional protocol represents more potential attack surface for malicious actors to exploit.
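As an added example (not from the referenced write-up), the Python sketch below labels raw Ethernet frames seen on a peering port and counts the ones the two sections above say do not belong on an IX LAN: OSPF, IS-IS, RIP, LLDP and Spanning Tree. The function names and the sample frames are constructed for illustration, and it assumes frames arrive as raw bytes from a capture, carry at most one 802.1Q tag, and are not IP fragments.

```python
import struct
from collections import Counter

UNWANTED = {"LLDP", "STP", "IS-IS", "OSPF", "RIP"}  # protocols the article flags
def classify_frame(frame: bytes) -> str:
    """Label one raw Ethernet frame captured on the peering LAN."""
    if len(frame) < 14:
        return "truncated"
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if etype == 0x8100 and len(payload) >= 4:     # step over a single 802.1Q tag
        (etype,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    if etype == 0x88CC:
        return "LLDP"
    if etype <= 1500:                             # 802.3 length field: LLC header follows
        return {b"\x42\x42": "STP", b"\xfe\xfe": "IS-IS"}.get(payload[:2], "other-llc")
    if etype == 0x0800 and len(payload) >= 20:    # IPv4
        proto, l4 = payload[9], payload[max(20, (payload[0] & 0x0F) * 4):]
    elif etype == 0x86DD and len(payload) >= 40:  # IPv6; extension headers are not walked
        proto, l4 = payload[6], payload[40:]
    else:
        return "ARP" if etype == 0x0806 else "other"
    if proto == 89:                               # OSPFv2 / OSPFv3
        return "OSPF"
    if proto in (6, 17) and len(l4) >= 4:
        ports = struct.unpack("!HH", l4[:4])
        if proto == 17 and (520 in ports or 521 in ports):  # RIP / RIPng
            return "RIP"
        if proto == 6 and 179 in ports:           # the one routing protocol expected here
            return "BGP"
    return "other-ip"

def audit(frames):
    # Count only the frames that should not be on a BGP-only exchange LAN.
    return Counter(l for l in map(classify_frame, frames) if l in UNWANTED)

def eth(dst_hex, etype, payload):  # constructed frame; source MAC is a made-up local address
    return bytes.fromhex(dst_hex) + bytes.fromhex("020000000001") + struct.pack("!H", etype) + payload
def ipv4(proto, l4=b""):           # minimal 20-byte header, checksum left zero
    return bytes([0x45, 0]) + struct.pack("!H", 20 + len(l4)) + bytes(5) + bytes([proto]) + bytes(10) + l4

SAMPLE = [  # constructed frames, not captured traffic
    eth("0180c200000e", 0x88CC, bytes(8)),                                             # LLDP
    eth("0180c2000000", 38, b"\x42\x42\x03" + bytes(35)),                              # STP BPDU
    eth("0180c2000015", 30, b"\xfe\xfe\x03\x83" + bytes(26)),                          # IS-IS hello
    eth("01005e000005", 0x0800, ipv4(89, bytes(24))),                                  # OSPF hello
    eth("01005e000009", 0x0800, ipv4(17, struct.pack("!HH", 520, 520) + bytes(4))),    # RIP
    eth("020000000002", 0x0800, ipv4(6, struct.pack("!HH", 49152, 179) + bytes(16))),  # BGP
]
```

Calling `audit(SAMPLE)` reports one frame each for LLDP, STP, IS-IS, OSPF and RIP, and leaves the BGP session out of the count.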
The Complexity Problem
The root cause of many of these issues appears to be the increasing complexity of modern network infrastructure. Organizations often have multiple layers of switches, routers, and other network devices between their core infrastructure and the IX connection. This complexity makes it easy for configuration mistakes to occur, especially when network changes are made manually without proper documentation.
The networking community has observed that many organizations tend to over-engineer their network architectures, creating multiple layers of NAT, complex VLAN schemes, and custom addressing plans that increase the likelihood of misconfigurations.
Conclusion
These findings highlight the need for better network hygiene and configuration management at Internet Exchange Points. While IXs are designed to be simple layer-2 networks where routers exchange BGP information, the reality is often much more complex. Organizations connecting to IXs need to implement better controls to ensure only appropriate traffic reaches the exchange infrastructure, and IX operators should consider more aggressive filtering to prevent problematic protocols and devices from affecting other participants.
The security of internet infrastructure depends on all participants following best practices and maintaining proper network boundaries. As these exchanges handle increasing amounts of global internet traffic, addressing these configuration issues becomes critical for maintaining internet stability and security.
Reference: Even Interesting Stuff I Found on IX LANs

