Anti-Spoofing

How do we help prevent the massive Distributed Denial-of-Service (DDoS) attacks we continue to see on the Internet? What can be done by network operators, enterprises, and others to help reduce DDoS attacks and other similar threats?

There are unfortunately no magic silver bullets, but one mechanism that can be implemented by network operators is the prevention of “spoofing” of IP addresses, what we call “anti-spoofing technologies.”

To execute a DDoS attack, what commonly happens is that attackers use malware and “bots” running on unsuspecting computers to send large quantities of requests at a target server. All of the requests typically have bogus, “spoofed” source IP addresses and so when the server attempts to answer these requests it gets stalled waiting to open connections to the non-existent requesting servers. The spoofed source IP addresses (either IPv4 or IPv6) also make it extremely hard to track down where the sources of the attacks are coming from.

What seems to be an easy solution is to simply not allow packets to leave your network to go to the rest of the Internet with a spoofed IP source address. Particularly at the very edge of the Internet, an enterprise or home network, for instance, can know precisely what range of IP addresses are on its network and only allow those addresses as source addresses for outgoing packets. It gets a bit more challenging and complicated in larger networks, but this approach in general is often called “BCP 38” after the IETF Best Current Practice (BCP) of that name. Some people also call this “network ingress filtering” or “source address validation“.

Why, then, have we as an Internet community not widely implemented BCP 38 and its companion BCP 84?

We cover here some of the technologies, the tools, and the reasons for implementing anti-spoofing. Our goal is to make the Internet safer, faster and more secure – and help do as much as possible to prevent DDoS attacks.

Basics

Andrei discusses a panel that took place at RIPE 66 in May 2013 where a number of routing security experts explored the questions around anti-spoofing. Andrei writes about the challenges that were identified and suggests a path forward for how we may collectively address the issues.

White Papers

Anti-Spoofing Whitepaper: Addressing the challenge of IP spoofing

Additional Information

We also encourage you to read about the Mutually Agreed Norms for Routing Security (MANRS) initiative where committing to deploy anti-spoofing technologies is one of the criteria for participating.

Please watch MANRS blog for more stories around anti-spoofing technologies. And please let us know:

Have you already implemented these type of anti-spoofing measures?
If so, would you be interested in providing a case study of what you had to do?
If not, what has prevented you from doing so? How can we help you overcome any issues?

Anti-Spoofing

How do we help prevent the massive Distributed Denial-of-Service (DDoS) attacks we continue to see on the Internet? What can be done by network operators, enterprises, and others to help reduce DDoS attacks and other similar threats?

Basics

White Papers

Additional Information

News

NDSS 2020: The Best in Security Research – For the Good of the Internet

Securing the Internet: Introducing Oracle Internet Intelligence IXP Filter Check

Network Operators in Latin America and the Caribbean Take Steps to Strengthen Routing Security

Celebrating National Cybersecurity Awareness Month

The Role of South Asia’s NOGs in Community Building

Network Operators in Mexico Strengthen Their Collaboration

Resources

How to Talk to Your Manager About Memory Safety

Info Guide: 6 Ways “Lawful Access” Puts Everyone’s Security At Risk

Best Practices: Infrastructure Security

IPv6 Security for IPv4 Engineers

Introduction to DNS Privacy

IPv6 Security Frequently Asked Questions (FAQ)