Get started Bring yourself up to speed with our introductory content.

Don't get spoofed by distributed denial-of-service attacks

Distributed denial-of-service attacks continue to use spoofing. But there are means to stop the practice.

Distributed denial of service (DDoS) attacks involving IP source address spoofing have been around for many years, and they're still happening today. In these attacks, which most often involve User Datagram Protocol (UDP) packets, the attacker generates massive amounts of requests using packets with many different false source addresses and sends them to a targeted system. The target, in turn, tries to process and respond to this huge volume of requests, which overwhelms it and causes legitimate requests to be ignored. The packets use such a wide variety of source addresses that it is generally impossible to block just the malicious traffic, which is indistinguishable from the benign traffic.

How to stop the spoofing

So how can we stop spoofing-based DDoS attacks? Nearly 15 years ago, the Internet Engineering Task Force (IETF) issued a set of recommendations for implementing network ingress filtering that would block any traffic from an unexpected source address (i.e., an address not located on the source network) that attempts to enter a router. By having each individual organization and its Internet service provider implement these simple techniques for UDP, TCP, ICMP and other network protocols, spoofing-based DDoS attacks would largely be eliminated. Unfortunately, many organizations have not chosen to use these techniques, so successful DDoS attacks still occur today; the infamous 2013 Spamhaus DDoS attack is one such example.

More on DDoS prevention

Read SearchSecurity's handbook on how to respond to the latest DDoS attacks

Best Current Practice (BCP) 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," is the IETF set of recommendations and is freely available. The techniques described in it are simple, but they are only effective if all networks on the Internet implement them (which is why so many organizations choose not to bother). Otherwise, attackers can leverage unsecured networks to transmit their malicious traffic.

At its most basic, implementing ingress filtering involves establishing a rule set (i.e., an access control list) that either contains the addresses of either permitted source addresses and blocks all others or contains prohibited source addresses and permits all others. This is a simple and effective technique, but maintenance can be a problem because the addresses need to be updated to reflect network changes. If this maintenance does not happen promptly and correctly, benign traffic may be denied and/or malicious traffic permitted.

Organizations can use several other ways to implement network ingress filtering. They are described in IETF's Request for Comments (RFC) 3704, "Ingress Filtering for Multihomed Networks." Most of these methods involve unicast reverse path forwarding (uRPF), which is a dynamic form of ingress filtering that uses a router's information base as the reference for automatically configuring the router's ingress filters and, thus, automates the maintenance.

The downside of uRPF is that it relies on the details of the routing configuration. RFC 3704 describes four forms of uRPF: Strict RPF, Feasible RPF, Loose RPF and Loose RPF that ignores default routes. Each form differs in terms of how it handles asymmetric routing, its degree of analysis of routes and other aspects of routing configuration that are explained in RFC 3704.

About the author: 
Karen Scarfone has 20 years of professional experience in information technology, with over 10 dedicated to information security. As  principal consultant at Scarfone Cybersecurity, she specializes in security automation standards, and network and system security guidelines. A former senior computer scientist for the National Institute of Standards and Technology (NIST), she oversaw the development of system and network security publications for federal civilian agencies and the public.

This was last published in May 2014

Dig Deeper on DDoS attack detection and prevention