ISPs mind their MANRS to block DDoS attacks

The Internet Society's MANRS initiative improves Internet security by asking ISPs to clean up their routing rules and check network traffic

The internet permeates our entire lives, for work, play, and everything in between, but it relies on a fragile network of trust spanning the globe. While it may feel like we're just one major attack away from a crippled internet, initiatives like the Internet Society's MANRS (Mutually Agreed Norms for Routing Security) offer some hope for a more secure Internet.

The goal is to "restore trust in the Internet," said Andrei Robachevsky, the Internet Society's technology program manager, noting that it's easy for DDoS (distributed denial of service) attacks to exploit the routing infrastructure. Incorrectly routing network traffic, either accidentally or deliberately, can also cause havoc by making sites and services unavailable.

Routing ensures network traffic takes the most direct path between the originating device and the intended destination. There is no reason why a Canadian Facebook user should have his or her data pass through China before hitting Facebook's servers. Or why ISPs in Pakistan blocking YouTube caused the rest of the world to lose access to the video-sharing service.

Under MANRS, member network operators -- primarily ISPs -- agree to implement security controls, such as defining a clear routing policy, enabling source address validation, and deploying anti-spoofing filters, to limit these kinds of abuses.

Members certify they have implemented security controls in at least one of the four areas: filtering, anti-spoofing, coordination, and global validation. Most operators who have joined the voluntary program -- the initiative now counts 42 members across 21 countries -- have addressed at least three of those areas, according to the Internet Society.

As DDoS attacks get bigger, so does the concern about the kind of damage these attacks can cause. Encouraging network operators to implement anti-spoofing filters, which prevent attackers from hiding the originating IP address, could dramatically diminish the prevalence and impact of DDoS attacks.

For example, French service provider OVH was recently hit by the largest DDoS attack to date -- peaking at more than 1Tbps (terabit per second) of traffic. The recent attack against security blog Krebs on Security peaked at 620Gbps (gigabits per second) and was disruptive enough that networking company Akamai had to take the blog off its network to protect other customers. Attackers are getting better at throwing larger volumes of junk traffic at their targets, and they rely on address spoofing to hide the originating IP address so that network defenders can't trace where the attack traffic is coming from. If operators filter out spoofed traffic within their own networks, that's junk traffic that never reaches the target.

Blocking spoofed traffic doesn't end the risk of DDoS, but it makes using the devices on the protected network more expensive, Robachevsky said. The MANRS member is promising to protect the rest of the internet from bad things originating within its network by blocking all packets that give the wrong source IP address.

Other controls, such as filtering and validating routing information, also help improve Internet security and resilience. By defining clear routing policies and creating filters, ISPs can prevent the propagation of incorrect routing information. This way, mistyped routing rules won't result in networks accidentally hijacking traffic intended for other networks, and up-to-date filters prevent malicious attempts to divert traffic. By making it clear who owns which routes, operators can more easily communicate with each other when something goes wrong and validate routing information to ensure it is correct.

It's akin to "clean your own side of the street," as network operators commit to filter their own route advertisements to catch mistakes. Operators know their networks and know what their customers are doing. If each operator makes sure they're handling routing announcements and traffic packets correctly, that all adds up across a broader area.
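As an added illustration, not code from the article or from MANRS, here is a Python sketch of the two filters the article describes: source address validation on packets entering from a customer link (the anti-spoofing control) and a prefix-list check on that customer's route announcements (the routing-filter control). The AS numbers, prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed sample data: the prefixes each customer AS is known to hold,
# as an ISP would record them from its own allocations or an IRR/RPKI lookup.
CUSTOMER_PREFIXES = {
    "AS64500": ["192.0.2.0/24", "2001:db8:1::/48"],
    "AS64501": ["198.51.100.0/24"],
}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def filter_spoofed(packets, customer_as):
    """Source address validation at the customer-facing edge (BCP38 style).

    A packet arriving over a customer link is forwarded only if its source
    address lies inside a prefix that customer legitimately holds; anything
    else is treated as spoofed and dropped. Returns (forwarded, dropped).
    """
    allowed = _nets(CUSTOMER_PREFIXES[customer_as])
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in allowed):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def filter_announcements(announcements, customer_as):
    """Prefix-list filter on BGP announcements received from a customer.

    An announced prefix is accepted only if it equals, or is more specific
    than, a prefix the customer holds. A fat-fingered or malicious
    announcement of someone else's address space is rejected before it can
    propagate. Returns (accepted, rejected).
    """
    allowed = _nets(CUSTOMER_PREFIXES[customer_as])
    accepted, rejected = [], []
    for prefix in announcements:
        net = ipaddress.ip_network(prefix)
        # subnet_of() only compares networks of the same IP version.
        ok = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        (accepted if ok else rejected).append(prefix)
    return accepted, rejected
```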

MANRS is more than just a list of members and a collection of published routing information. It's also a framework. The Best Current Operational Practices document, which outlines the steps network operators need to take to become MANRS-compliant, is currently being drafted and will be available for review at the end of October, Robachevsky said. Training modules and self-assessment guides also provide network operators with best practices recommendations to add resiliency and security to their routing infrastructure.  

MANRS is still in early stages, and there are still areas for improvement. Right now, verifying networks during the initial application process relies heavily on the ISP performing a self-assessment and reporting which controls it has implemented. The Internet Society is currently reviewing tools like BGPStream and Spoofer to help automate the assessment and verification process.

There's currently no mechanism to ensure member operators are continuing with the security controls beyond the initial sign-up process. Right now, it's up to each individual operator to stay on top of configuration changes in their network to make sure the security controls are still effective. This will have to change, especially as the membership grows, but the current priority is to make it easier to test and verify new members. At the moment, MANRS relies on the honor system, Robachevsky said.

While it's encouraging that more network operators are signing up for MANRS, Robachevsky acknowledged the initiative still has a long way to go before it can be considered successful. Considering there are roughly 50,000 autonomous system (AS) networks worldwide, the fact that there are 42 members is trifling. There's a tipping point, and MANRS isn't there yet.

However, Robachevsky emphasized that having pockets of "clean" Internet can make a difference. Comcast, one of the world's largest broadband operators, is a member, and claims 33 ASNs have met MANRS requirements across all four areas. Robachevsky's hope is to gain enough members that organizations start evaluating upstream providers based on whether their networks are MANRS compliant.

Many of the commitments MANRS asks for sound like common-sense security, but they haven't been implemented because ISPs may not have seen the cost benefits of taking those steps. Yes, there are costs associated with becoming MANRS compliant, but network operators benefit by making it easier to troubleshoot configuration issues, protecting against misconfigurations caused by "fat-fingering" routing rules, and increasing opportunities for collaboration with other ISPs. Eventually, not doing these things may also wind up costing the ISP, both financially and in security.


Stories by Fahmida Y. Rashid