INTERNET : Root Server DDoS Attack & How MANRS Can Help
The
Internet’s root servers sustained a Distributed Denial of Service
(DDoS) attack last week that is gathering quite a bit of media
attention. We once again call on all network operators to consider
implementing the actions outlined in the Mutually Agreed Norms for Routing Security (MANRS) document and signing on as supporters of the MANRS initiative.
Specifically, in this case we encourage Action #2: Prevent traffic with spoofed source IP addresses.
"Network operator implements a system that enables source address
validation for at least single-homed stub customer networks, their own
end-users, and infrastructure. Network operator implements anti-spoofing
filtering to prevent packets with an incorrect source IP address from
entering and leaving the network."
From the Root Server incident report:
“On November 30, 2015 and December 1, 2015, over two separate
intervals, several of the Internet Domain Name System's root name
servers received a high rate of queries.” The report concludes with,
“Source Address Validation and BCP-38 should be used wherever possible
to reduce the ability to abuse networks to transmit spoofed source
packets.”
While Source Address Validation and BCP-38 are certainly important,
we believe a culture of collective responsibility is vital to
maintaining the security of the Internet’s routing infrastructure. By signing onto MANRS and implementing all four Actions called for in the document, we can make progress!