Maintaining the resilience and stability of the global Internet requires collaborative efforts between Internet Service Providers (ISPs), government agencies, enterprises, security vendors and end users. Towards that end, The Internet Society recently published a report titled, The Internet Society 2018 Action Plan, in which it proposes several initiatives, one of which is to strengthen the global Internet routing system. In tandem with its Action Plan, The Internet Society also supports a best practice initiative that was created by members of the network operator community: the Mutually Agreed Norms for Routing Security (MANRS) initiative (formerly known as the Routing Resilience Manifesto).
The MANRS initiative is a commitment by network operators around the globe to “clean their part of the street” and improve the security of the global routing system. Some ISPs already have agreed (see list here) to adopt the MANRS practices. They are implementing at least the baseline security efforts defined by MANRS Actions:
- Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
- Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
- Coordination – Maintain globally accessible up-to-date contact information
- Global Validation – Publish your data, so others can validate routing information on a global scale
The Internet Society provides support in the form of hosting the MANRS web site, providing email lists and the participation of Internet Society staff. “During 2018, we expect to increase the rate at which networks join MANRS, and to make significant progress towards achieving a critical mass of participating network operators and Internet Exchange Points (IXPs). Through outreach to organizations, enterprises, and industry groups, we aim to reach a tipping point where operators see MANRS compliance as a strategic business advantage.”
MANRS is on a very similar mission to what we have seen the National Cyber Security Center promote in the United Kingdom, to help make the UK Internet safer. The part that specifically relates to helping reduce distributed denial of service (DDoS) attacks is the source address anti-spoofing guidance, which relates to reducing the ability for attackers to leverage open reflectors (Domain Name Server, Network Time Protocol, etc.) on the Internet to send amplified DDoS attack streams to their targets. We have already seen a drop in the use of some reflection techniques, such as notably fewer NTP Amplification DDoS attacks, but much of that may also be attributed to that fact that several vulnerabilities in NTP were patched in mid-2016.
Most of the MANRS guidance is a set of best practices for service providers. The recommendations are good, but they fall into the same category as “IoT devices should have good password security.” That is, the MANRS guidance is desirable for any individual provider, but it’s unrealistic to think it will solve the global spoofing problem – many IoT botnets can attack without spoofing, for example. There has been decades of sensible progress to help make the Internet more secure, but there is no end in sight for DDoS, because the bad guys continue to innovate ahead of the curve (for example, by taking control of IoT devices to form zombie botnet armies). It is not as if this is the first time that anti-spoofing best practices have been recommended. The most well-known anti-spoofing guidance is BCP 38, which has been around for almost two decades. Despite BCP 38, DDoS attacks not only still exist, but have grown in scale and frequency!
It is certainly a good step in the right direction for ISPs, to reduce the possibilities of abuse of critical Internet services like DNS and NTP, but organizations that rely on the Internet for business shouldn’t think that this will be the end of DDoS attacks. We have already seen the massive rise of botnet sourced DDoS attacks—mainly comprised of IoT devices—and these MANRS activities will do little to reduce or stop those types of attacks. Real-time automated DDoS protection remains the only solution to these problems.
For more information, contact us.