Deploy360 24 July 2014

Anti-Spoofing, BCP 38, and the Tragedy of the Commons

By Andrew Mcconachie, Former Intern

In the seminal 1968 paper “The Tragedy of the Commons”, Garrett Hardin introduced the world to an idea which eventually grew into a household phrase. In this blog article I will explore whether Hardin’s tragedy applies to anti-spoofing and Distributed Denial of Service (DDoS) attacks on the Internet.

The Tragedy of the Commons
Hardin was a biologist and ecologist by trade, so he explains “The Tragedy of the Commons” using a field, cattle and herdsmen. To paraphrase by example, imagine a field being used by a group of herdsmen to graze their cattle.

The field is already at its carrying capacity, so if any new cattle are added each cow receives less to eat. The tragedy of the commons strikes when one herdsman adds another cow to the field. This herdsman receives the benefit of an additional cow he can bring to market. All of his cows might be a little skinnier since every cow now has less to eat, but his extra cow more than offsets this loss. Not so for the other herdsmen: all of their cows now receive less food, and they have no extra cow to make up for this loss.

This is the tragedy of the commons in simple terms. An action by one actor results in a substantial gain for that actor and a small loss for everyone else. Now let’s think about DDoS attacks, our new anti-spoofing initiative, and the many attempts to get network operators to install filters which prevent IP address source spoofing.

Imagine if almost every network operator installed filters to prevent IP address spoofing à la BCP 38. A network operator who has not yet installed filters has a decision to make not unlike the decision Hardin’s herdsman made. It costs money to install filters, albeit a very small amount, but it is not free. Nor is the labour capable of installing those filters cheap. Therefore it makes economic sense for this network operator to not install filters. No one is DDoSing their network; that’s someone else’s problem. This network operator can save money by not installing filters, and realize none of the loss associated with DDoS attacks.

No Tragedy Here
I have heard this argument made before as a reason why anti-spoofing initiatives have trouble gaining traction. However, this argument starts to break down when we investigate the real costs of DDoS attacks, the real costs associated with installing filters to stop spoofing, and basic network management principles.

Bandwidth is not free. Operators whose network is being used to generate DDoS attacks are paying someone for those packets to egress their network. And unless their customer base consists of people who buy service from them strictly so they can generate DDoS attacks (not a good business plan IMHO), they receive no utility from these DDoS packets egressing their network.

The cost of installing filters to mitigate IP address source spoofing is minimal and continues to decrease. There may have been an argument ten years ago that buying equipment to support mass filtering by IP source address was cost prohibitive. If that argument was once viable, it certainly no longer is. Any carrier-grade BGP router can support many more Access Control Lists (ACLs) than are actually needed to support implementation of BCP 38.

What network operator wants malicious traffic on their network? I’ve talked with hundreds of network operators from around the world in virtually every industry. Never have I met a network operator who wants more malicious traffic on their network, even if they are simply transporting that malicious traffic. Maybe they exist and I just haven’t met them, or maybe network operators as a class recognize that malicious traffic, whether bound for them or not, is bad for business. If only because it attracts more bad actors.

No Tragedy Here Either
It was pointed out to me by Jan Žorž that many operators use their older, leftover, networking equipment in places where filtering is required. This older networking equipment may be limited in its filtering ability and not manage well when attempting to block large amounts of traffic. This is a valid point for operators concerned about their capital equipment expenditures, since buying new equipment is a very real cost. However, as this older equipment gradually dies and gets replaced this problem will become moot. This is a problem now, but will eventually phase out.

Another valid argument for viewing anti-spoofing efforts as a tragedy of the commons is the cost associated with training personnel and maintaining large lists of filters. This is a valid concern and a definite cost. It’s why we are launching an initiative to provide information on deploying anti-spoofing. We reduce these operational costs by educating operators and providing them with the information they need to implement BCP 38.
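To make the filter-list cost concrete, here is an added example (not from the original post or the Internet Society) that models the BCP 38 ingress check: it builds a per-interface source filter from assigned prefixes, merges adjacent prefixes so the list stays short, and reports which packets would be dropped. The interface names, prefixes (documentation ranges) and packets are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: prefixes assigned per customer-facing interface
# (documentation address ranges; interface names are hypothetical).
ASSIGNMENTS = [
    ("cust-a", "192.0.2.0/25"), ("cust-a", "192.0.2.128/25"),
    ("cust-a", "2001:db8:a::/48"),
    ("cust-b", "198.51.100.0/26"), ("cust-b", "198.51.100.64/26"),
    ("cust-b", "198.51.100.192/26"),
]
# Constructed packets: (arriving interface, claimed source address).
PACKETS = [
    ("cust-a", "192.0.2.200"), ("cust-a", "198.51.100.5"),
    ("cust-b", "198.51.100.70"), ("cust-b", "198.51.100.130"),
    ("cust-a", "2001:db8:a::1"), ("cust-c", "192.0.2.1"),
]

def build_filters(assignments):
    """Return {interface: [networks]}, merging adjacent prefixes."""
    per_if = defaultdict(lambda: {4: [], 6: []})
    for ifname, prefix in assignments:
        net = ipaddress.ip_network(prefix)  # rejects prefixes with host bits set
        per_if[ifname][net.version].append(net)
    # collapse_addresses() accepts only one address family per call.
    return {ifname: list(ipaddress.collapse_addresses(fam[4]))
                    + list(ipaddress.collapse_addresses(fam[6]))
            for ifname, fam in per_if.items()}

def permit(filters, ifname, src):
    """Ingress check: forward only if src lies in a prefix assigned to the
    arriving interface. Unknown interfaces and bad addresses are dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net
               for net in filters.get(ifname, []))

def audit(filters, packets):
    """Return the (interface, source) pairs the filter would drop."""
    return [(i, s) for i, s in packets if not permit(filters, i, s)]

if __name__ == "__main__":
    filters = build_filters(ASSIGNMENTS)
    for ifname, nets in filters.items():
        print(ifname, [str(n) for n in nets])
    print("dropped:", audit(filters, PACKETS))
```

Six assigned prefixes reduce to four filter entries, and the merge never widens the permitted range: 198.51.100.130 sits in the unassigned gap on cust-b and is still dropped.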

New technologies such as Source Address Validation Improvements (SAVI) are also taking the difficulty out of anti-spoofing implementations. For a high-level overview of SAVI, read this article by Andrei Robachevsky, or read the main SAVI specification, RFC 7039.

While it might be tempting to view the Internet as a commons and DDoS as its tragedy, the comparison doesn’t hold up once operator incentives are understood. If the cost of applying filters were increasing, bandwidth were free, and transiting malicious traffic were benign, we might well find that rationally acting operators benefit from not addressing IP source address spoofing. Fortunately for the Internet, this is not the case. It is in everyone’s interest, even that of selfish operators, to implement anti-spoofing filters. If not for the Internet’s benefit, then for their own.

I am not the first person to make this argument, that honour perhaps going to Joao Luis Silva Damas in this RIPE-NCC document from 2008. Joao describes the business case for filtering quite clearly in self-interested terms similar to those I use in this post.

This post is not meant to trivialize the collective benefits of implementing BCP 38. There has recently been some great work on the Routing Resilience Manifesto for, “Collective Responsibility and Collaboration for Routing Resilience and Security”. The Routing Resilience Manifesto is an attempt to codify some of the shared values of network operators into a set of definitions and ideal behaviors. The Routing Resilience Manifesto is very much a work in progress and is always seeking comment. If you would like to contribute to it please visit them or mail them directly.

UPDATE: Since the time this article was written in 2014, the “Routing Resilience Manifesto” became the Mutually Agreed Norms for Routing Security (MANRS) and has now been signed by over 45 ISPs from around the world. We ask anyone working for an ISP or enterprise to view the MANRS document and sign on!

If you’re interested in becoming more involved in the anti-spoofing or BCP 38 conversation, consider getting involved with the Routing Resilience Manifesto, joining the IETF SAVI working group, or visiting our recently launched Anti-Spoofing Start Page.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
