Have you deployed BCP 38 in your network? For most networks, the answer is yes.
During last week’s FCC CSRIC III meeting, several people called on operators to deploy “BCP 38.” This IETF best common practice (BCP) is packet filter placed on the edge of networks to insure that the IP source cannot pretend to be some other network (i.e. spoofing some other network). The general assumption is that IP spoofing is use for bad activities on the Internet. It is common to have someone speak at a security meeting and state that the lack of BCP 38 deployment is a big problem. The common assertion is that most providers do not deploy BCP 38 in their network. That perception is not correct any more. It now appears that most providers do deploy some type of BCP 38 packet filtering.
The MIT ANA Spoofer Project has updated their stats (see figure). The updated data illustrates what some have suspected – over 80% of the Internet cannot be used to send spoofed IP packets. In other words, we have now reached the infamous 80/20 ratio!
What does this mean? First, the Spoofer Project’s data illustrates measurable results. 80% deployment is a tremendous success that cannot be over looked. Second, the 80% deployment eliminates the hope that there is an easy solution to spoofed DDOS attacks. The mantra that we hear at many security meetings which says “we would not have these security problems if people deploy BCP 38” cannot be used anymore. Finally, the last 20% of the Internet not doing BCP 38 will prove to be the most difficult. While the efforts to deploy BCP 38 will continue, no one can count on success. In fact, we’ll need new solutions to mitigate spoofed attached that use this last 20%.
Will the last 20% be used for Spoofed Attacks?
The last 20% of the spoofable Internet is used daily to attack networks. Most of these attacks are in the form of DNS Applications attacks. Malware writers can the same techniques seen in the MIT ANA Spoofer Project to have their BOTNETs test if a network is “spoofable.” The BOT Herder infecting the computers can use this “spoof check” to groom the BOTNET into one that is specialized for sending spoofed packets. While it is not know if this specific capabilities exist today, coding it in malware is a logical next step in malware evolution. Given this, we can conclude that spoofed IP attacks are going to be around for the foreseeable future.
How did the Internet reach the 80% BCP 38 deployment?
RFC 2827/ BCP 38 – “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing – has one core principle – people cannot pretend to be from someone else’s IP address. The industry enforces this packet filter policy four major approaches:
- Static Packet Filters. These are manually maintained and/or configured from the SP’s provisioning system. The packet filter insures the only source packets allowed are from those IP addresses allocated by the upstream network. The vast majority of network gear supports this capability.
- Dynamic Packet Filters. Technology from the Broadband Forum, Cable Labs, and plan old RADUS enables a large network to dynamically provision source address packet filters. Over time, the filters will change as the customer’s network allocation changes.
- Forwarding Based Validation. The router’s forwarding table can be used to validate the source of a packet and then filter if it does not match the forwarding information. Unicast Reverse Path Forwarding (uRPF) was the first of several technologies that provide BCP 38 capabilities.
- Network Address Translation (NAT). Many people don’t think of NAT as a tool for BCP 38 enforcement. In reality, residential broadband, enterprises, and other networks behind NAT benefit from the inherent “source validation side effect.”
It is easy to see how the industry reached a 80% BCP 38 deployment. The source validation side effect of NAT, the automated approaches with uRPF, and the dynamic provisioning capabilities are all examples of how network “just filters.”
Does your network prevent Spoof IP addresses?
If you have the time, go to the MIT ANA Spoofer Project page, download the software, and run the test. You can see for yourself if the network you reside allows for spoofed IP packets while providing the project with another data point.
If you find the network allows spoofed IP packets, ask them why.