How do we help prevent the massive Distributed Denial-of-Service (DDoS) attacks we continue to see on the Internet? What can be done by network operators, enterprises, and others to help reduce DDoS attacks and other similar threats?
There are unfortunately no magic silver bullets, but one mechanism that can be implemented by network operators is the prevention of “spoofing” of IP addresses, what we call “anti-spoofing technologies.”
To execute a DDoS attack, attackers commonly use malware and “bots” running on unsuspecting computers to send large quantities of requests to a target server. The requests typically have bogus, “spoofed” source IP addresses, so when the server attempts to answer them it gets stalled waiting to open connections to the non-existent requesting servers. The spoofed source IP addresses (either IPv4 or IPv6) also make it extremely hard to track down the sources of the attacks.
What seems to be an easy solution is to simply not allow packets with a spoofed source IP address to leave your network for the rest of the Internet. Particularly at the very edge of the Internet, an enterprise or home network, for instance, can know precisely what range of IP addresses is on its network and only allow those addresses as source addresses for outgoing packets. It gets a bit more challenging and complicated in larger networks, but this approach in general is often called “BCP 38” after the IETF Best Current Practice (BCP) of that name. Some people also call this “network ingress filtering” or “source address validation.”
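The edge check described above, sketched as an added example (not code from the original page or from the BCP 38 text): it validates outbound source addresses against the network's own prefixes and counts what would be dropped, so an operator can audit before enforcing. The prefixes and flow records are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed prefixes (documentation ranges) standing in for the address
# space assigned to one edge network; replace with your own allocations.
LOCAL_PREFIXES = ["192.0.2.0/24", "2001:db8:100::/48"]

def load_prefixes(prefixes):
    """Parse prefixes strictly so a typo such as 192.0.2.1/24 is rejected."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]

def egress_verdict(src, nets):
    """Return (action, detail) for one outbound packet's source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source")
    for net in nets:
        # Compare only within the same address family (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            return ("permit", str(net))
    return ("drop", "source outside local prefixes")

def audit_outbound(records, nets):
    """Count would-be drops per source address without blocking anything."""
    drops = Counter()
    for src, _dst in records:
        action, _detail = egress_verdict(src, nets)
        if action == "drop":
            drops[src] += 1
    return drops

# Constructed outbound flow records: (source, destination).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.20"),            # local IPv4 host
    ("2001:db8:100:1::5", "2001:db8:ffff::1"),  # local IPv6 host
    ("10.0.0.5", "198.51.100.20"),              # private address leaking out
    ("203.0.113.77", "198.51.100.20"),          # address not assigned to us
    ("203.0.113.77", "198.51.100.21"),
    ("2001:db8:200::1", "2001:db8:ffff::1"),    # IPv6 outside our /48
]

if __name__ == "__main__":
    nets = load_prefixes(LOCAL_PREFIXES)
    for src, count in audit_outbound(SAMPLE_FLOWS, nets).most_common():
        print(f"would drop {count} packet(s) from {src}")
```

Running the audit against real flow exports before turning on enforcement shows which legitimate sources, such as a forgotten secondary prefix, are missing from the prefix list.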
Why, then, have we as an Internet community not widely implemented BCP 38 and its companion BCP 84?
We cover here some of the technologies, the tools, and the reasons for implementing anti-spoofing. Our goal is to make the Internet safer, faster and more secure – and help do as much as possible to prevent DDoS attacks.
To get started, we encourage you to visit these resources below on our site:
- Blog posts and news items related to anti-spoofing – Read the latest resources, opinions and other news we have about anti-spoofing technologies and also the DDoS threats they are designed to prevent.
- Our Anti-Spoofing Basics page where we provide pointers to several introductory articles.
- Our Anti-Spoofing Whitepaper, “Addressing the challenge of IP spoofing,” which dives deeper into the topic.
- Andrei Robachevsky: Can we stop IP-spoofing in the Internet?
  Andrei discusses a panel that took place at RIPE 66 in May 2013 where a number of routing security experts explored the questions around anti-spoofing. Andrei writes about the challenges that were identified and suggests a path forward for how we may collectively address the issues.
We also encourage you to read about the Mutually Agreed Norms for Routing Security (MANRS) initiative where committing to deploy anti-spoofing technologies is one of the criteria for participating.
Please watch the MANRS blog for more stories about anti-spoofing technologies. And please let us know:
- Have you already implemented these types of anti-spoofing measures?
- If so, would you be interested in providing a case study of what you had to do?
- If not, what has prevented you from doing so? How can we help you overcome any issues?