The National Institute of Standards and Technology (NIST) issued a draft document detailing its latest guidelines on how federal agencies can better secure their networks against large-scale Distributed Denial of Service (DDoS) attacks. NIST said in a notice that routing control plane anomalies, such as Border Gateway Protocol (BGP) prefix hijacking and route leaks, have been disrupting services and causing damage across the government in recent years.
The document aims to guide information security officers and managers, service providers, enterprise and transit network operators, and equipment vendors working with the government in securing federal networks.
NIST provided a list of technologies that could help agencies enhance the security and robustness of interdomain traffic exchange, including:
- Resource Public Key Infrastructure
- BGP origin validation
- Prefix filtering
- Access Control Lists
- Unicast Reverse Path Forwarding
- Remotely Triggered Black Hole filtering
- Flow Specification
- Response Rate Limiting
These technologies are designed to secure interdomain routing control traffic, prevent IP address spoofing, detect and mitigate DoS and DDoS attacks, and share routing control messages.
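As an added illustration of the BGP origin validation item above (example code written for this page, not from the NIST draft), the following implements the route origin validation outcome a router computes from RPKI data: each announced prefix is compared against the set of Route Origin Authorizations (ROAs), yielding Valid, Invalid or NotFound. The ROAs and announcements are constructed sample data; the ASNs and prefixes are documentation ranges, not real allocations.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """A validated ROA: prefix, maximum announced length and authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
# The asn=0 entry is an "AS 0" ROA: it marks a prefix that must never be originated.
ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
    Roa("203.0.113.0/24", 24, 0),
]


def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """Return the origin validation state of one announcement.

    A ROA "covers" an announcement when its prefix contains the announced
    prefix. With no covering ROA the state is NotFound. If any covering ROA
    authorizes the origin AS and the announced length does not exceed its
    max_length, the state is Valid; otherwise it is Invalid (hijack or
    more-specific announcement that the ROA does not permit).
    """
    net = ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(announcements, roas):
    """Apply the usual policy: drop Invalid routes, keep Valid and NotFound.

    Returns the accepted (prefix, origin_asn) pairs. Dropping NotFound is
    left out deliberately: most of the Internet still has no ROA coverage.
    """
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "Invalid"]
```

Feeding the ROA set a more-specific announcement such as 192.0.2.0/25 from AS 64500 returns Invalid because the ROA's max_length is 24, which is how a more-specific hijack of a covered prefix is caught.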
“It is expected that the guidance and applicable recommendations from this publication will be incorporated in the security plans and operational processes of federal enterprise networks,” the NIST said.
The agency also hopes other agencies will apply the recommendations in contracts for hosted application and Internet transit services. NIST is accepting public comments on the draft document through Feb. 15, 2019.