Internet Society wants to fill in the Great Routing Black Hole

Operators to show their MANRS, aka Mutually Agreed Norms for Routing Security

For all its robustness, the Internet is built on remarkably fragile systems.

A great example is the worldwide routing infrastructure, which can be fat-thumbed into confusion or exploited by malefactors.

The Internet Society – ISOC – has been working on this since November 2014 under an initiative called MANRS – Mutually Agreed Norms for Routing Security – and spoke to The Register last week about the initiative.

Two particular targets of MANRS are accidental or deliberate black-holing of traffic; and exploitation of routing infrastructure in Distributed Denial-of-Service (DDoS) attacks by spoofed route information.

The initiative now has 42 members, with ISOC announcing Scandinavia's SUNET and NORDUnet as the latest network operators to sign on – but since there are roughly 50,000 networks (autonomous systems, ASs, in Internet nomenclature), it needs a lot more reach.

Vulture South talked to ISOC technology program manager Andrei Robachevsky about what MANRS is, and why ISOC wants it to be ubiquitous.

“One of the strategic objectives is restoring trust in the Internet," Robachevsky said, and since it's so easy to “cause havoc” in the routing infrastructure, that's what the operators who asked ISOC to coordinate MANRS are working on.

MANRS, he explained, defines a minimum baseline by calling for specific actions in four areas: filtering route announcements, preventing the address spoofing that feeds DDoS attacks, coordinating incident response, and publishing information about your network.

Route filtering

For those who don't know why Pakistan could send YouTube dark around the world, it's because for a packet to reach its destination, every router in the world needs to know where it should send that packet.

That information comes from “route advertisements”: the operator of a network (AS 1234, for example) announces “if you want to send packets to this block of addresses, send them to me”. If a network advertises itself as the way to reach addresses it can't actually deliver to, the traffic is lost.

It's more complex than that, of course, because small networks advertise their routes to large networks, who might have a yet-larger network upstream announcing its routes, and so on.

However, the action that MANRS asks for isn't so complex: networks joining the initiative commit to filtering their route advertisements to catch mistakes.

Robachevsky says it's a “clean your own side of the street” commitment: networks make sure the announcements they and their customers make are correct.

“It's something you are in a position to do: you know your customers, and you know your networks.”

So why doesn't that happen already? Partly it's the old security conundrum: filtering is seen as a cost without a commensurate benefit to the network doing the work. But there's more to it than that.

Making sure you only make announcements about networks you know means checking information not via BGP (the Border Gateway Protocol that communicates route announcements), but an out-of-band channel.

In other words, put a business process in place, so that when the small network tells its upstream which prefixes it intends to announce, that list gets checked, and the prefixes go into a filtering database that catches mistakes in announcements before they lay claim to a whole country's traffic.

There is a financial benefit here, even if it's hard to quantify: if you're a small network laying accidental claim to Comcast or Level 3, then after you've hosed yourself, you're going to have a serious case of buyer's remorse.

DDoS protection

Address spoofing is a big part of volumetric denial-of-service attacks, because it makes it harder to trace and block the networks originating the attacks (that is, the attack packets say they come from Vanuatu instead of somewhere large, like China or Comcast).

Blocking spoofed traffic doesn't end the risk of DDoS, Robachevsky said, but it makes a protected network more expensive to the attacker – “it creates a difference between the cost of launching an attack, and the devastation it causes,” he noted.

Like route announcement filtering, this protects against outward risk: you're agreeing to protect the rest of the Internet against bad things that might start on your network. A MANRS participant agrees to check packets leaving its network and block traffic whose source IP address doesn't belong to it.
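The route filter described earlier and the anti-spoofing check here rest on the same out-of-band data: the prefixes an upstream has confirmed belong to its customer. The Python below is an added example (not code from MANRS, ISOC or the article) that builds both checks from one constructed customer registration. Addresses come from the RFC 5737 and RFC 3849 documentation ranges and ASNs from the RFC 5398 documentation range, treated here as if they were routable; the per-prefix "max length", the short bogon list and the function names are this example's own assumptions.

```python
import ipaddress

# Out-of-band registration for one customer, as the upstream's business process
# would record it: each prefix the customer may announce, with the longest
# more-specific it is allowed to carve out of it. Constructed data: the RFC 5737
# and RFC 3849 documentation ranges stand in for routable space here (in
# production they would themselves be bogons).
CUSTOMER_ASN = 64500  # RFC 5398 documentation ASN, an assumption of this example
CUSTOMER_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): 24,     # exact announcement only
    ipaddress.ip_network("198.51.100.0/24"): 26,  # may deaggregate down to /26
    ipaddress.ip_network("2001:db8:1::/48"): 48,
}

# Space that must never be announced or used as a source, whatever the registry
# says (a minimal illustrative list, not a complete bogon feed).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/8", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _registered_cover(prefix):
    """Most specific registered prefix covering `prefix`, with its max length."""
    best = None
    for reg, max_len in CUSTOMER_PREFIXES.items():
        if reg.version == prefix.version and prefix.subnet_of(reg):
            if best is None or reg.prefixlen > best[0].prefixlen:
                best = (reg, max_len)
    return best


def filter_announcement(prefix_str):
    """Ingress route filter for the customer's BGP session.

    Returns (accept, reason). Anything not provably the customer's is refused
    here, before it can propagate to the rest of the Internet.
    """
    try:
        prefix = ipaddress.ip_network(prefix_str)  # strict: host bits set is an error
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    for bogon in BOGONS:
        if prefix.overlaps(bogon):  # also catches 0.0.0.0/0 and other covering routes
            return False, f"overlaps bogon space {bogon}"
    hit = _registered_cover(prefix)
    if hit is None:
        return False, "no registered prefix covers it"
    reg, max_len = hit
    if prefix.prefixlen > max_len:
        return False, f"more specific than the /{max_len} allowed under {reg}"
    return True, f"covered by registered {reg}"


def filter_egress_packet(src_str):
    """Anti-spoofing check on a packet the customer hands us to forward.

    The same registration that built the route filter lists every source
    address the customer may legitimately emit; everything else is dropped.
    """
    try:
        src = ipaddress.ip_address(src_str)
    except ValueError as exc:
        return False, f"malformed source: {exc}"
    for bogon in BOGONS:
        if src in bogon:
            return False, f"source in bogon space {bogon}"
    for reg in CUSTOMER_PREFIXES:
        if src in reg:
            return True, f"source inside registered {reg}"
    return False, "source outside the customer's registered space (spoofed)"


if __name__ == "__main__":
    for p in ("192.0.2.0/24", "198.51.100.64/26", "198.51.100.0/27",
              "203.0.113.0/24", "0.0.0.0/0", "2001:db8:1::/48"):
        print(f"route  {p:<18} {filter_announcement(p)}")
    for s in ("198.51.100.7", "203.0.113.9", "192.168.1.5", "2001:db8:1::10"):
        print(f"packet {s:<18} {filter_egress_packet(s)}")
```

The point of sharing one registry is that the prefix list an upstream already maintains to filter a customer's routes is exactly the set of source addresses that customer may legitimately emit, so the anti-spoofing rule costs no extra data gathering. On a real router the first function becomes a prefix-list with `le` (max length) entries on the customer session and the second an ingress ACL or strict uRPF on the customer-facing interface.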

Coordination

This, at least, is simple: everybody agrees to make their NOC contact information findable by other networks, and to have someone there to answer the phone if there's an incident.

Global validation

Networks agree to publish enough information about their networks so other operators can catch mistakes.

Robachevsky: “One of the big problems here is lack of data, and lack of confidence in this data, of the announcements networks are emitting.

“On the global scale, you don't know if this announcement is correct. So operators agree to publish some information about their networks, so that someone in the other 50,000 networks can say 'this announcement is not correct – this prefix belongs to YouTube, not Pakistan Telecom'.”
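As an added example (not the project's or the article's code), here is what "someone in the other 50,000 networks" can do once route objects are published: take an announcement as seen from any vantage point, read its origin AS from the end of the AS path, and compare it with the published prefix-to-origin data. The route objects and observed announcements are constructed from documentation address and ASN ranges; the valid/invalid/unknown verdict and the function names are this example's own. It also flags the more-specific pattern, a narrower prefix announced by a foreign origin, which wins longest-match forwarding and is how the 2008 Pakistan Telecom announcement captured YouTube's traffic.

```python
import ipaddress

# Route objects as networks would publish them: (prefix, origin ASN).
# Constructed for this example from RFC 5737 / RFC 3849 address ranges and
# RFC 5398 documentation ASNs; nothing here is real routing data.
ROUTE_OBJECTS = [
    (ipaddress.ip_network("192.0.2.0/24"), 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 64500),
    (ipaddress.ip_network("203.0.113.0/24"), 64501),
    (ipaddress.ip_network("2001:db8:1::/48"), 64500),
]

# Announcements as a third-party monitor might see them: (prefix, AS_PATH),
# with the origin AS last. Also constructed.
OBSERVED = [
    ("192.0.2.0/24",    [64496, 64500]),  # legitimate, heard via upstream AS 64496
    ("203.0.113.0/24",  [64497, 64501]),  # legitimate
    ("198.51.100.0/25", [64497, 64511]),  # half of AS 64500's /24, originated by a stranger
    ("192.0.2.0/24",    [64497, 64511]),  # same prefix, foreign origin
    ("2001:db8:2::/48", [64496, 64500]),  # nothing published: nobody can judge it
]


def origin_of(as_path):
    """The origin is the last ASN in AS_PATH; prepending repeats it harmlessly."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]


def validate(prefix_str, as_path):
    """Judge one announcement against the published route objects.

    Returns (state, explanation) with state 'valid', 'invalid' or 'unknown'.
    """
    prefix = ipaddress.ip_network(prefix_str)
    origin = origin_of(as_path)
    # Only same-family objects that cover this prefix are relevant.
    covering = [(p, asn) for p, asn in ROUTE_OBJECTS
                if p.version == prefix.version and prefix.subnet_of(p)]
    if not covering:
        return "unknown", "no published route object covers this prefix"
    # The most specific published prefix decides who may originate it; several
    # objects for the same prefix mean several permitted origins.
    longest = max(p.prefixlen for p, _ in covering)
    registered = next(p for p, _ in covering if p.prefixlen == longest)
    allowed = sorted(asn for p, asn in covering if p.prefixlen == longest)
    if origin in allowed:
        return "valid", f"AS{origin} is a registered origin for {registered}"
    if prefix.prefixlen > registered.prefixlen:
        return "invalid", (f"AS{origin} announces a more-specific of {registered} "
                           f"(registered to {allowed}); longest match would divert its traffic")
    return "invalid", f"AS{origin} is not a registered origin for {registered} ({allowed})"


def check_feed(observed):
    """Run validate() over (prefix, as_path) pairs; returns [(prefix, state, why)]."""
    return [(p, *validate(p, path)) for p, path in observed]


if __name__ == "__main__":
    for prefix, state, why in check_feed(OBSERVED):
        print(f"{state:<8} {prefix:<18} {why}")
```

The "unknown" verdict is the honest one for the fifth announcement, and it is the reason the publication action matters: a checker can only be as good as the data networks choose to publish. Note too that the third case is not an exact clash with any registered prefix, so a naive exact-match lookup would miss it; the covering-prefix search is what turns the more-specific announcement into an alarm.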

If MANRS gains traction, Robachevsky said, the hope is that it will develop a strong social dimension.

Take, for example, an Internet exchange point – where sysadmins for different networks “have eye contact – they know each other.

“If you're in an IXP where 80 per cent of the networks are MANRS members, there will be pressure on the other 20 per cent to behave well.”

The same, he hopes, can apply to peering: that networks will be more likely to set up high-bandwidth peering with MANRS members.

ISOC wants it to help draw the line between good and bad, Robachevsky added: “if you don't have a norm, then peer pressure doesn't really exist”.

As well as announcing the latest MANRS members, ISOC has convened a group to put together a Best Current Operational Practices document, which is going to be put to RIPE 73 (Madrid, 24-28 October 2016) for review. ®
