ISPs mind their MANRS to block DDoS attacks

The Internet Society's MANRS initiative improves Internet security by asking ISPs to clean up their routing rules and check network traffic

The internet permeates our entire lives, for work, play, and everything in between, but it relies on a fragile network of trust spanning the globe. While it may feel like we're just one major attack away from a crippled internet, initiatives like the Internet Society's MANRS (Mutually Agreed Norms for Routing Security) offer some hope for a more secure Internet.

The goal is to "restore trust in the Internet," said Andrei Robachevsky, the Internet Society's technology program manager, noting that it's easy for DDoS (distributed denial of service) attacks to exploit the routing infrastructure. Incorrectly routing network traffic, either accidentally or deliberately, can also cause havoc by making sites and services unavailable.

Routing ensures network traffic takes the most direct path between the originating device and the intended destination. There is no reason why a Canadian Facebook user should have his or her data pass through China before hitting Facebook's servers. Or why ISPs in Pakistan blocking YouTube caused the rest of the world to lose access to the video-sharing service.

Under MANRS, member network operators -- primarily ISPs -- agree to implement security controls, such as defining a clear routing policy, enabling source address validation, and deploying anti-spoofing filters, to limit these kinds of abuses.

Members certify they have implemented security controls in at least one of the four areas: filtering, anti-spoofing, coordination, and global validation. Most operators who have joined the voluntary program -- the initiative now counts 42 members across 21 countries -- have addressed at least three of those areas, according to the Internet Society.

As DDoS attacks get bigger, so does the concern about the kind of damage these attacks can cause. Encouraging network operators to implement anti-spoofing filters, which prevent attackers from hiding the originating IP address, could dramatically diminish the prevalence and impact of DDoS attacks.

For example, French service provider OVH was recently hit by the largest DDoS attack to date -- peaking at more than 1Tbps (terabit per second) of traffic. The recent attack against security blog Krebs on Security peaked at 620Gbps (gigabits per second) and was disruptive enough that networking company Akamai had to take the blog off its network to protect other customers. Attackers are getting better at throwing larger volumes of junk traffic at their targets, and they rely on address spoofing to hide the originating IP address so that network defenders can't trace where the attack traffic is coming from. If the operators can filter out spoofed traffic within their networks, that's junk traffic not reaching the traffic.

Blocking spoofed traffic doesn't end the risk of DDoS, but it makes using the devices on the protected network more expensive, Robachevsky said. The MANRS member is promising to protect the rest of the internet from bad things originating within its network by blocking all packets that give the wrong source IP address.

Other controls, such as filtering and validating routing information, also help improve Internet security and resilience. By defining clear routing policies and creating filters, ISPs can prevent the propagation of incorrect routing information. This way, mistyped routing rules won't result in networks accidentally hijacking traffic intended for other networks, and up-to-date filters prevent malicious attempts to divert traffic. By making it clear who owns which routes, operators can more easily communicate with each other when something goes wrong and validate routing information to ensure they are correct.

It's akin to "clean your own side of the street," as network operators commit to filter their own route advertisements to catch mistakes. Operators know their networks and know what their customers are doing. If each operator makes sure they're handling routing announcements and traffic packets correctly, that all adds up across a broader area.

MANRS is more than just a list of members and a collection of published routing information. It's also a framework. The Best Current Operational Practices document, which outlines the steps network operators need to take to become MANRS-compliant, is currently being drafted and will be available for review at the end of October, Robachevsky said. Training modules and self-assessment guides also provide network operators with best practices recommendations to add resiliency and security to their routing infrastructure.  

MANRS is still in early stages, and there are still areas for improvement. Right now, verifying networks during the initial application process relies heavily on the ISP performing a self-assessment and reporting which controls it has implemented. The Internet Society is currently reviewing tools like BGPStream and Spoofer to help automate the assessment and verification process.

There's currently no mechanism to ensure member operators are continuing with the security controls beyond the initial sign-up process. Right now, it's up to each individual operator to stay on top of configuration changes in their network to make sure the security controls are still effective. This will have to change, especially as the membership grows, but the current priority is to make it easier to test and verify new members. At the moment, MANRS relies on the honor system, Robachevsky said.

While it's encouraging that more network operators are signing up for MANRS, Robachevsky acknowledged the initiative still has a long way to go before it can be considered successful. Considering there are roughly 50,000 autonomous systems networks worldwide, the fact that there are 42 members is trifling. There's a tipping point, and MANRS isn't there yet.

However, Robachevksy emphasized having pockets of "clean" Internet can make a difference. Comcast, one of the world's largest broadband operators, is a member, and claims 33 ASNs have met MANRS requirements across all four areas. Robachevksy's hope is to gain enough members to the point where organizations would start evaluating upstream providers based on whether their networks are MANRS compliant.

Many of the commitments MANRS is asking for sounds like common-sense security, but hasn't been implemented because the ISPs may not have seen the cost benefits of taking those steps. Yes, there are costs associated with becoming MANRS compliant, but network operators benefit by making it easier to troubleshoot configuration issues, protect against misconfigurations caused by "fat-fingering" routing rules, and increase opportunities for collaboration with other ISPs. Eventually, not doing these things may also wind up costing the ISP, both financially and in security.

Join the TechWorld newsletter!

Error: Please check your email address.

More about FacebookLinux

Show Comments
[]