Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
RFC 2827

Document Type RFC - Best Current Practice (May 2000; Errata)
Updated by RFC 3704
Obsoletes RFC 2267
Also known as BCP 38
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2827 (Best Current Practice)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        P. Ferguson
Request for Comments: 2827                           Cisco Systems, Inc.
Obsoletes: 2267                                                 D. Senie
BCP: 38                                           Amaranth Networks Inc.
Category: Best Current Practice                                 May 2000

                       Network Ingress Filtering:
            Defeating Denial of Service Attacks which employ
                       IP Source Address Spoofing

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   Recent occurrences of various Denial of Service (DoS) attacks which
   have employed forged source addresses have proven to be a troublesome
   issue for Internet Service Providers and the Internet community
   overall.  This paper discusses a simple, effective, and
   straightforward method for using ingress traffic filtering to
   prohibit DoS attacks which use forged IP addresses to be propagated
   from 'behind' an Internet Service Provider's (ISP) aggregation point.

Table of Contents

    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .  2
    2.  Background . . . . . . . . . . . . . . . . . . . . . . . .  3
    3.  Restricting forged traffic . . . . . . . . . . . . . . . .  5
    4.  Further capabilities for networking equipment. . . . . . .  6
    5.  Liabilities. . . . . . . . . . . . . . . . . . . . . . . .  6
    6.  Summary. . . . . . . . . . . . . . . . . . . . . . . . . .  7
    7.  Security Considerations. . . . . . . . . . . . . . . . . .  8
    8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .  8
    9.  References . . . . . . . . . . . . . . . . . . . . . . . .  8
   10.  Authors' Addresses . . . . . . . . . . . . . . . . . . . .  9
   11.  Full Copyright Statement . . . . . . . . . . . . . . . . . 10

Ferguson & Senie         Best Current Practice                  [Page 1]
RFC 2827               Network Ingress Filtering                May 2000

1. Introduction

   A resurgence of Denial of Service Attacks [1] aimed at various
   targets in the Internet have produced new challenges within the
   Internet Service Provider (ISP) and network security communities to
   find new and innovative methods to mitigate these types of attacks.
   The difficulties in reaching this goal are numerous; some simple
   tools already exist to limit the effectiveness and scope of these
   attacks, but they have not been widely implemented.

   This method of attack has been known for some time. Defending against
   it, however, has been an ongoing concern. Bill Cheswick is quoted in
   [2] as saying that he pulled a chapter from his book, "Firewalls and
   Internet Security" [3], at the last minute because there was no way
   for an administrator of the system under attack to effectively defend
   the system. By mentioning the method, he was concerned about
   encouraging it's use.

   While the filtering method discussed in this document does
   absolutely nothing to protect against flooding attacks which
   originate from valid prefixes (IP addresses), it will prohibit an
   attacker within the originating network from launching an attack of
   this nature using forged source addresses that do not conform to
   ingress filtering rules. All providers of Internet connectivity are
   urged to implement filtering described in this document to prohibit
   attackers from  using forged source addresses which do not reside
   within a range of legitimately advertised prefixes.  In other words,
   if an ISP is aggregating routing announcements for multiple
   downstream networks, strict traffic filtering should be used to
   prohibit traffic which claims to have originated from outside of
   these aggregated announcements.

   An additional benefit of implementing this type of filtering is that
   it enables the originator to be easily traced to it's true source,
   since the attacker would have to use a valid, and legitimately
   reachable, source address.

Ferguson & Senie         Best Current Practice                  [Page 2]
RFC 2827               Network Ingress Filtering                May 2000

2. Background

   A simplified diagram of the TCP SYN flooding problem is depicted
   below:

                                                    204.69.207.0/24
    host <----- router <--- Internet <----- router <-- attacker

             TCP/SYN
         <---------------------------------------------
Show full document text