Assessing the security of Internet paths: A case study of Dutch critical infrastructures

Many critical infrastructures (CIs) rely on cloud services (e.g., email) for their daily operations. However, these CIs typically have limited insight into the security status of the paths that their traffic might follow across the Internet to reach their cloud provider’s infrastructures. For example, a CI might not know that their traffic passes through Autonomous Systems (ASes) that do not implement Route Origin Validation (ROV). As a result, the CI is vulnerable to prefix hijacks, which can render the cloud operator unavailable to the CI or breach the confidentiality and integrity of the CI’s data. To provide such insights, we develop a generic method that finds plausible paths from one AS to another and identifies to what extent the ASes on the path support ROV. We use our method for a case study to find secure paths from four CIs in the Netherlands to Microsoft mail, which many CIs use. We use Border Gateway Protocol (BGP) routing data from four route collectors in the Netherlands in combination with the ROV scores of the ASes. Our analysis shows the existence of multiple fully ROV-protected paths from the four CIs to Microsoft among a larger set of partially ROV-protected paths. Our case study also shows that implementing ROV fully by the immediate upstream providers of CIs would result in an increase in the number of fully ROV-protected paths by 72.5% on average.