Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
RFC 2827
| Document | Type |
RFC - Best Current Practice
(May 2000; Errata)
Updated by RFC 3704
Obsoletes RFC 2267
Also known as BCP 38
Was draft-ferguson-ingress-filtering (individual)
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2827 (Best Current Practice) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group P. Ferguson
Request for Comments: 2827 Cisco Systems, Inc.
Obsoletes: 2267 D. Senie
BCP: 38 Amaranth Networks Inc.
Category: Best Current Practice May 2000
Network Ingress Filtering:
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing
Status of this Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
Recent occurrences of various Denial of Service (DoS) attacks which
have employed forged source addresses have proven to be a troublesome
issue for Internet Service Providers and the Internet community
overall. This paper discusses a simple, effective, and
straightforward method for using ingress traffic filtering to
prohibit DoS attacks which use forged IP addresses to be propagated
from 'behind' an Internet Service Provider's (ISP) aggregation point.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Restricting forged traffic . . . . . . . . . . . . . . . . 5
4. Further capabilities for networking equipment. . . . . . . 6
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations. . . . . . . . . . . . . . . . . . 8
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9
11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10
Ferguson & Senie Best Current Practice [Page 1]
RFC 2827 Network Ingress Filtering May 2000
1. Introduction
A resurgence of Denial of Service Attacks [1] aimed at various
targets in the Internet have produced new challenges within the
Internet Service Provider (ISP) and network security communities to
find new and innovative methods to mitigate these types of attacks.
The difficulties in reaching this goal are numerous; some simple
tools already exist to limit the effectiveness and scope of these
attacks, but they have not been widely implemented.
This method of attack has been known for some time. Defending against
it, however, has been an ongoing concern. Bill Cheswick is quoted in
[2] as saying that he pulled a chapter from his book, "Firewalls and
Internet Security" [3], at the last minute because there was no way
for an administrator of the system under attack to effectively defend
the system. By mentioning the method, he was concerned about
encouraging it's use.
While the filtering method discussed in this document does
absolutely nothing to protect against flooding attacks which
originate from valid prefixes (IP addresses), it will prohibit an
attacker within the originating network from launching an attack of
this nature using forged source addresses that do not conform to
ingress filtering rules. All providers of Internet connectivity are
urged to implement filtering described in this document to prohibit
attackers from using forged source addresses which do not reside
within a range of legitimately advertised prefixes. In other words,
if an ISP is aggregating routing announcements for multiple
downstream networks, strict traffic filtering should be used to
prohibit traffic which claims to have originated from outside of
these aggregated announcements.
An additional benefit of implementing this type of filtering is that
it enables the originator to be easily traced to it's true source,
since the attacker would have to use a valid, and legitimately
reachable, source address.
Ferguson & Senie Best Current Practice [Page 2]
RFC 2827 Network Ingress Filtering May 2000
2. Background
A simplified diagram of the TCP SYN flooding problem is depicted
below:
204.69.207.0/24
host <----- router <--- Internet <----- router <-- attacker
TCP/SYN
<---------------------------------------------
Source: 192.168.0.4/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 10.0.0.13/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Show full document text