The Internet’s root servers sustained a Distributed Denial of Service (DDoS) attack last week that is gathering quite a bit of media attention. We once again call on all network operators to consider implementing the actions outlined in the Mutually Agreed Norms for Routing Security (MANRS) document and signing on as supporters of the MANRS initiative.
Specifically, in this case we encourage Action #2: Prevent traffic with spoofed source IP addresses.
“Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure. Network operator implements anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.”
From the Root Server incident report: “On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System’s root name servers received a high rate of queries.” The report concludes with, “Source Address Validation and BCP-38 should be used wherever possible to reduce the ability to abuse networks to transmit spoofed source packets.”
While Source Address Validation and BCP-38 are certainly important, we believe a culture of collective responsibility is vital to maintaining the security of the Internet’s routing infrastructure. By signing onto MANRS and implementing all four Actions called for in the document, we can make progress!
[This post first appeared on the Routing Resilience Manifesto blog at https://www.routingmanifesto.org/2015/12/root-server-ddos-attack-how-manrs-can-help/.]
[Photo Credit: iStock]