Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
RFC 2827
Document | Type |
RFC - Best Current Practice
(May 2000; Errata)
Updated by RFC 3704
Obsoletes RFC 2267
Also known as BCP 38
Was draft-ferguson-ingress-filtering (individual)
|
|
---|---|---|---|
Authors | Daniel Senie , Paul Ferguson | ||
Last updated | 2013-03-02 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2827 (Best Current Practice) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group P. Ferguson Request for Comments: 2827 Cisco Systems, Inc. Obsoletes: 2267 D. Senie BCP: 38 Amaranth Networks Inc. Category: Best Current Practice May 2000 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Status of this Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 2. Background . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Restricting forged traffic . . . . . . . . . . . . . . . . 5 4. Further capabilities for networking equipment. . . . . . . 6 5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6 6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations. . . . . . . . . . . . . . . . . . 8 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . 8 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9 11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10 Ferguson & Senie Best Current Practice [Page 1] RFC 2827 Network Ingress Filtering May 2000 1. Introduction A resurgence of Denial of Service Attacks [1] aimed at various targets in the Internet have produced new challenges within the Internet Service Provider (ISP) and network security communities to find new and innovative methods to mitigate these types of attacks. The difficulties in reaching this goal are numerous; some simple tools already exist to limit the effectiveness and scope of these attacks, but they have not been widely implemented. This method of attack has been known for some time. Defending against it, however, has been an ongoing concern. Bill Cheswick is quoted in [2] as saying that he pulled a chapter from his book, "Firewalls and Internet Security" [3], at the last minute because there was no way for an administrator of the system under attack to effectively defend the system. By mentioning the method, he was concerned about encouraging it's use. While the filtering method discussed in this document does absolutely nothing to protect against flooding attacks which originate from valid prefixes (IP addresses), it will prohibit an attacker within the originating network from launching an attack of this nature using forged source addresses that do not conform to ingress filtering rules. All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses which do not reside within a range of legitimately advertised prefixes. In other words, if an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements. An additional benefit of implementing this type of filtering is that it enables the originator to be easily traced to it's true source, since the attacker would have to use a valid, and legitimately reachable, source address. Ferguson & Senie Best Current Practice [Page 2] RFC 2827 Network Ingress Filtering May 2000 2. Background A simplified diagram of the TCP SYN flooding problem is depicted below: 204.69.207.0/24 host <----- router <--- Internet <----- router <-- attacker TCP/SYN <--------------------------------------------- Source: 192.168.0.4/32 SYN/ACK no route TCP/SYN <--------------------------------------------- Source: 10.0.0.13/32 SYN/ACK no route TCP/SYN <---------------------------------------------Show full document text