Internet Technologies > Anti-Spoofing

Anti-Spoofing

How do we help prevent the massive Distributed Denial-of-Service (DDoS) attacks we continue to see on the Internet? What can be done by network operators, enterprises, and others to help reduce DDoS attacks and other similar threats?

There are unfortunately no magic silver bullets, but one mechanism that can be implemented by network operators is the prevention of “spoofing” of IP addresses, what we call “anti-spoofing technologies.”

To execute a DDoS attack, what commonly happens is that attackers use malware and “bots” running on unsuspecting computers to send large quantities of requests at a target server. All of the requests typically have bogus, “spoofed” source IP addresses and so when the server attempts to answer these requests it gets stalled waiting to open connections to the non-existent requesting servers. The spoofed source IP addresses (either IPv4 or IPv6) also make it extremely hard to track down where the sources of the attacks are coming from.

What seems to be an easy solution is to simply not allow packets to leave your network to go to the rest of the Internet with a spoofed IP source address. Particularly at the very edge of the Internet, an enterprise or home network, for instance, can know precisely what range of IP addresses are on its network and only allow those addresses as source addresses for outgoing packets. It gets a bit more challenging and complicated in larger networks, but this approach in general is often called “BCP 38” after the IETF Best Current Practice (BCP) of that name. Some people also call this “network ingress filtering” or “source address validation“.

Why, then, have we as an Internet community not widely implemented BCP 38 and its companion BCP 84?

We cover here some of the technologies, the tools, and the reasons for implementing anti-spoofing. Our goal is to make the Internet safer, faster and more secure – and help do as much as possible to prevent DDoS attacks.

Basics

Andrei discusses a panel that took place at RIPE 66 in May 2013 where a number of routing security experts explored the questions around anti-spoofing. Andrei writes about the challenges that were identified and suggests a path forward for how we may collectively address the issues.

White Papers

Additional Information

We also encourage you to read about the Mutually Agreed Norms for Routing Security (MANRS) initiative where committing to deploy anti-spoofing technologies is one of the criteria for participating.

Please watch MANRS blog for more stories around anti-spoofing technologies. And please let us know:

  • Have you already implemented these type of anti-spoofing measures?
  • If so, would you be interested in providing a case study of what you had to do?
  • If not, what has prevented you from doing so? How can we help you overcome any issues?