BCP38 – RFC2827 Network Ingress Filtering: Defeat DoS with Forged Source Addresses


This Best Current Practice document outlines a common sense approach to preventing Denial of Service (DoS) attacks that are from forged (spoofed) source IP addresses. You should note that this document does not provide advise for preventing DoS attacks from valid sourced traffic. The techniques in this document are also valuable since it ensures you can track ingress traffic back to a legitimate and unique source address.

Of particular concern is when the attacker spoofs the address of another legitimate organization. This might result in the filtering of that legitimate traffic, or worse, the false accusation of wrongdoing against that organization. These legitimate systems of the other organization might also be subject to the SYN ACK traffic from the attacked organization.

Remember, flood type attacks sourced from unreachable addresses are also dangerous. This is because resources on the attacked device can become depleted as the device reserves resources in an attempt to respond to the incoming traffic.

The Best Current Practice recommends an ingress filter which restricts the traffic accepted to only that sourced from the legitimate network or networks that exist behind the filtering device.

The document also makes it clear that certain forms of special services might be impacted with such filters. For example, Mobile IP could be problematic in such an environment.

Should you be interested in reading the full document as you prepare for your written exam – it is located here.

Leave a Reply

Your email address will not be published. Required fields are marked *