Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
RFC 2267

Document Type RFC - Informational (January 1998; No errata)
Obsoleted by RFC 2827
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 2267 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        P. Ferguson
Request for Comments: 2267                           Cisco Systems, Inc.
Category: Informational                                         D. Senie
                                                          BlazeNet, Inc.
                                                            January 1998

                       Network Ingress Filtering:
            Defeating Denial of Service Attacks which employ
                       IP Source Address Spoofing

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   Recent occurrences of various Denial of Service (DoS) attacks which
   have employed forged source addresses have proven to be a troublesome
   issue for Internet Service Providers and the Internet community
   overall.  This paper discusses a simple, effective, and
   straightforward method for using ingress traffic filtering to
   prohibit DoS attacks which use forged IP addresses to be propagated
   from 'behind' an Internet Service Provider's (ISP) aggregation point.

Table of Contents

    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .  2
    2.  Background . . . . . . . . . . . . . . . . . . . . . . . .  2
    3.  Restricting forged traffic . . . . . . . . . . . . . . . .  5
    4.  Further capabilities for networking equipment. . . . . . .  6
    5.  Liabilities. . . . . . . . . . . . . . . . . . . . . . . .  6
    6.  Summary. . . . . . . . . . . . . . . . . . . . . . . . . .  7
    7.  Security Considerations. . . . . . . . . . . . . . . . . .  7
    8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .  8
    9.  References . . . . . . . . . . . . . . . . . . . . . . . .  8
   10.  Authors' Addresses . . . . . . . . . . . . . . . . . . . .  9
   11.  Full Copyright Statement . . . . . . . . . . . . . . . . . 10

Ferguson & Senie             Informational                      [Page 1]
RFC 2267               Network Ingress Filtering            January 1998

1. Introduction

   A resurgence of Denial of Service Attacks [1] aimed at various
   targets in the Internet have produced new challenges within the
   Internet Service Provider (ISP) and network security communities to
   find new and innovative methods to mitigate these types of attacks.
   The difficulties in reaching this goal are numerous; some simple
   tools already exist to limit the effectiveness and scope of these
   attacks, but they have not been widely implemented.

   This method of attack has been known for some time. Defending against
   it, however, has been an ongoing concern. Bill Cheswick is quoted in
   [2] as saying that he pulled a chapter from his book, "Firewalls and
   Internet Security" [3], at the last minute because there was no way
   for an administrator of the system under attack to effectively defend
   the system. By mentioning the method, he was concerned about
   encouraging it's use.

   While the filtering method discussed in this document does
   absolutely nothing to protect against flooding attacks which
   originate from valid prefixes (IP addresses), it will prohibit an
   attacker within the originating network from launching an attack of
   this nature using forged source addresses that do not conform to
   ingress filtering rules. All providers of Internet connectivity are
   urged to implement filtering described in this document to prohibit
   attackers from  using forged source addresses which do not reside
   within a range of legitimately advertised prefixes.  In other words,
   if an ISP is aggregating routing announcements for multiple
   downstream networks, strict traffic filtering should be used to
   prohibit traffic which claims to have originated from outside of
   these aggregated announcements.

   An additional benefit of implementing this type of filtering is that
   it enables the originator to be easily traced to it's true source,
   since the attacker would have to use a valid, and legitimately
   reachable, source address.

2. Background

   A simplified diagram of the TCP SYN flooding problem is depicted
   below:

                                                       9.0.0.0/8
    host <----- router <--- Internet <----- router <-- attacker

             TCP/SYN
         <---------------------------------------------
               Source: 192.168.0.4/32

Ferguson & Senie             Informational                      [Page 2]
RFC 2267               Network Ingress Filtering            January 1998

    SYN/ACK
    no route
             TCP/SYN
         <---------------------------------------------
               Source: 10.0.0.13/32
    SYN/ACK
    no route
             TCP/SYN
         <---------------------------------------------
Show full document text