Monday, December 17, 2018

NIST Draft Document to Mitigate BGP and DDoS Attacks

NIST released a draft document (Draft NIST SP 800-189) on securing interdomain traffic exchange. It is designed to help fix problems associated with BGP hijacking and DDoS attacks, among others. The guidance is geared toward those who protect federal networks and relies on several identified technologies, including RPKI, BGP-OV, and prefix filtering. Other technologies that further stymie DDoS attacks include source address validation with ACLs and uRPF. The comment period is scheduled to run until February 15, 2019.

Here are some highlighted excerpts from the draft document's table of contents:
1. Introduction
2. Control Plane / BGP Vulnerabilities
3. IP Address Spoofing and Reflection-Amplification Attacks
4. Control Plane / BGP Security — Solutions and Recommendations
5. Securing Against DDoS & Reflection-Amplification — Solutions and Recommendations

Appendix A — Consolidated List of the Security Recommendations
Appendix B — Acronyms
Appendix C — References

More from NIST regarding Draft NIST Special Publication 800-189: Secure Interdomain Traffic Exchange: BGP Robustness and DDoS Mitigation:

CSRC Update:
https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-189-for-comment

Publication Details:
https://csrc.nist.gov/publications/detail/sp/800-189/draft
