< draft-ferguson-ingress-filtering-01.txt   draft-ferguson-ingress-filtering-02.txt >
Internet Draft Paul Ferguson Internet Draft Paul Ferguson
November 1996 cisco Systems, Inc. July 1997 cisco Systems, Inc.
Expires in six months Daniel Senie Expires in six months Daniel Senie
Proteon, Inc. OpenROUTE Networks, Inc.
Network Ingress Filtering Network Ingress Filtering:
Defending Against IP Source Address Spoofing Defeating IP Source Address Spoofing Denial of Service Attacks
draft-ferguson-ingress-filtering-01.txt draft-ferguson-ingress-filtering-02.txt
Status of this Memo Status of this Memo
This document is an Internet Draft. Internet Drafts are working This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by months. Internet Drafts may be updated, replaced, or obsoleted by
skipping to change at page 1, line 32 skipping to change at page 1, line 32
"working draft" or "work in progress." "working draft" or "work in progress."
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast). ftp.isi.edu (US West Coast).
Abstract Abstract
Recent occurrences of various Denial of Service attacks which Recent occurrences of various Denial of Service (DoS) attacks
have employed forged source addresses have proven to be a which have employed forged source addresses have proven to be a
troublesome issue for Internet Service Providers and the Internet troublesome issue for Internet Service Providers and the Internet
community overall. This paper discusses a simple, effective community overall. This paper discusses a simple, effective,
and straightforward methods for using ingress traffic filtering and straightforward method for using ingress traffic filtering
to deny attacks which use forged IP addresses. to deny DoS attacks which use forged IP addresses to be
propagated from "behind" an Internet Service Provider's (ISP)
aggregation point.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Restricting forged traffic . . . . . . . . . . . . . . . . 4 3. Restricting forged traffic . . . . . . . . . . . . . . . . 4
4. Further capabilities for networking equipment. . . . . . . 5 4. Further capabilities for networking equipment. . . . . . . 5
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 5 5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 5
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations. . . . . . . . . . . . . . . . . . 6 7. Security Considerations. . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 7 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . 7
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 7 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
A resurgence of Denial of Service Attacks [1] aimed at various A resurgence of Denial of Service Attacks [1] aimed at various
targets in the Internet have produced new challenges within the targets in the Internet have produced new challenges within the
Internet Service Provider (ISP) and network security communities to Internet Service Provider (ISP) and network security communities to
find methods to mitigate these types of attacks. The difficulties new and innovative methods to mitigate these types of attacks.
in reaching this goal are numerous; simple tools already exist to The difficulties in reaching this goal are numerous; simple
limit the effectiveness and scope of these attacks, but they have tools already exist to limit the effectiveness and scope of
not been widely implemented. these attacks, but they have not been widely implemented.
This method of attack has been known for some time. Defending This method of attack has been known for some time. Defending
against it has been a concern. Bill Cheswick is quoted in [2] against it has been a concern. Bill Cheswick is quoted in [2]
as saying that he pulled a chapter from his book, "Firewalls and as saying that he pulled a chapter from his book, "Firewalls and
Internet Security" [3], at the last minute because there was no way Internet Security" [3], at the last minute because there was no way
for an administrator of the system under attack to effectively defend for an administrator of the system under attack to effectively defend
that system. By mentioning the method, he was concerned about that system. By mentioning the method, he was concerned about
encouraging its use. encouraging its use.
While the filtering method discussed in this document does While the filtering method discussed in this document does
absolutely nothing to protect against flooding attacks which absolutely nothing to protect against flooding attacks which
originate from valid prefixes, it will prohibit an attacker within originate from valid prefixes, it will prohibit an attacker within
the originating network from launching an attack of this nature using the originating network from launching an attack of this nature using
forged source addresses that do not conform to ingress filtering forged source addresses that do not conform to ingress filtering
rules. All providers of Internet connectivity are urged to rules. All providers of Internet connectivity are urged to
implement filtering described in this document to disallow attackers implement filtering described in this document to prohibit
from using forged source addresses which do not reside within attackers from using forged source addresses which do not
legitimately advertised prefixes. reside within legitimately advertised prefixes. In other words,
if an ISP is aggregating routing announcements for multiple
downstream networks, strict traffic filtering should be used
to prohibit traffic which claims to have originated from outside
of these announcements.
An additional benefit of implementing this type of filtering is that An additional benefit of implementing this type of filtering is that
it enables the originator to be easily traced, since the attacker it enables the originator to be easily traced, since the attacker
would have to use a valid, and reachable, source address. would have to use a valid, and reachable, source address.
2. Background 2. Background
A simplified diagram of the problem is depicted below: A simplified diagram of the problem is depicted below:
9.0.0.0/8 9.0.0.0/8
skipping to change at page 3, line 44 skipping to change at page 3, line 44
o The attacker resides within the "valid" prefix 9.0.0.0/8 o The attacker resides within the "valid" prefix 9.0.0.0/8
o The attacker launches the attack using randomly changing source o The attacker launches the attack using randomly changing source
addresses; in this example, the source addresses are depicted addresses; in this example, the source addresses are depicted
as from within [4], which are not present in the global Internet as from within [4], which are not present in the global Internet
routing tables, and therefore, unreachable. Any unreachable prefix routing tables, and therefore, unreachable. Any unreachable prefix
could be used to perpetrate this attack method. could be used to perpetrate this attack method.
Also worthy of mention is a case wherein the source address is Also worthy of mention is a case wherein the source address is
forged to appear to have originated from within another legitimate forged to appear to have originated from within another legitimate
network. For example, an attacker using a valid network address network, ie. one which does not appear in the global routing
system. For example, an attacker using a valid network address
could wreak havoc by making the attack appear to come from an could wreak havoc by making the attack appear to come from an
organization which did not, in fact, originate the attack and organization which did not, in fact, originate the attack and
was completely innocent. In such cases, the administrator of a was completely innocent. In such cases, the administrator of a
system under attack may be inclined to filter all traffic coming system under attack may be inclined to filter all traffic coming
from the apparent attack source. Adding such a filter would then from the apparent attack source. Adding such a filter would then
result in a denial of service to legitimate, non-hostile end-systems. result in a denial of service to legitimate, non-hostile end-systems.
In this case, the administrator of the system under attack In this case, the administrator of the system under attack
unwittingly becomes an accomplice of the attacker. unwittingly becomes an accomplice of the attacker.
When an attack is launched using unreachable source address, the When an attack is launched using unreachable source address, the
skipping to change at page 4, line 21 skipping to change at page 4, line 21
as the source address, the system under attack will send a large as the source address, the system under attack will send a large
number of SYN/ACK packets to what it believes is the originator of number of SYN/ACK packets to what it believes is the originator of
the connection establishment sequence. In this fashion, the attacker the connection establishment sequence. In this fashion, the attacker
does damage to two systems: the destination target system, as well as does damage to two systems: the destination target system, as well as
the system which is actually using the spoofed address in the global the system which is actually using the spoofed address in the global
routing system. routing system.
The result of both attack methods is extremely degraded performance, The result of both attack methods is extremely degraded performance,
or worse, a system crash. or worse, a system crash.
Responding to this threat, the operating system vendors have Responding to this threat, most operating system vendors have
modified their software to allow the targeted servers to sustain modified their software to allow the targeted servers to sustain
attacks with very high connection attempt rates. This is a welcome attacks with very high connection attempt rates. This is a welcome
and necessary part of the solution to the problem. Ingress filtering and necessary part of the solution to the problem. Ingress filtering
will take time to be implemented everywhere and be fully effective, will take time to be implemented pervasively and be fully effective,
but the extensions to the operating systems can be implemented but the extensions to the operating systems can be implemented
quickly. This combination should prove effective against source quickly. This combination should prove effective against source
address spoofing. See [1] for vendor and platform software upgrade address spoofing. See [1] for vendor and platform software upgrade
information. information.
3. Restricting forged traffic 3. Restricting forged traffic
The problems encountered with this type of attack are numerous, The problems encountered with this type of attack are numerous,
and involve shortcomings in host software implementations, routing and involve shortcomings in host software implementations, routing
methodologies, and the TCP/IP protocols themselves. However, by methodologies, and the TCP/IP protocols themselves. However, by
restricting transit traffic which originates from a downstream restricting transit traffic which originates from a downstream
network to known prefix(es), the problem of source address network to known, and intentionally advertised, prefix(es), the
spoofing can be virtually eliminated in the attack scenario. problem of source address spoofing can be virtually eliminated
in this attack scenario.
11.0.0.0/8 11.0.0.0/8
/ /
router 1 router 1
/ /
/ /
/ 9.0.0.0/8 / 9.0.0.0/8
ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
A B C D 2 A B C D 2
/ /
skipping to change at page 5, line 27 skipping to change at page 5, line 27
IF packet's source address is anything else IF packet's source address is anything else
THEN deny packet THEN deny packet
Network administrators should log information on packets which are Network administrators should log information on packets which are
dropped. This then provides a basis for monitoring any suspicious dropped. This then provides a basis for monitoring any suspicious
activity. activity.
4. Further capabilities for networking equipment 4. Further capabilities for networking equipment
Several additional functions could be considered for future Additional functions could be considered for future
platform implementations. These include: platform implementations. The following one is worth noting:
o Implementation of automatic filtering on remote access servers. o Implementation of automatic filtering on remote access servers.
In most cases, a user dialing into an access server is an In most cases, a user dialing into an access server is an
individual user on a single PC. The ONLY valid source IP individual user on a single PC. The ONLY valid source IP
address for packets originating from that PC is the one address for packets originating from that PC is the one
assigned by the ISP (whether statically or dynamically assigned by the ISP (whether statically or dynamically
assigned). The remote access server could check every packet assigned). The remote access server could check every packet
on ingress to ensure the user is not spoofing addresses. on ingress to ensure the user is not spoofing addresses.
Obviously, provisions also need to be made for cases where the Obviously, provisions also need to be made for cases where the
customer legitimately is attaching a net or subnet via a remote customer legitimately is attaching a net or subnet via a remote
router, but this could certainly be implemented as an optional router, but this could certainly be implemented as an optional
parameter. parameter.
o Examination of forwarded packets for valid return path. Routers
could perform a look up on the source address of packets being
forwarded in their routing tables. If the routing table indicates
a different interface as the next hop than the interface on which
the packet arrived, then the packet would be discarded. This
could lead to problems when network administrators set up
multiple paths in such a way that traffic doesn't always flow
on the same path in both directions (asymmetric routing). Note
that this check may degrade router performance.
5. Liabilities 5. Liabilities
Filtering of this nature has the potential to break some types of Filtering of this nature has the potential to break some types of
special services, such as some IP Mobility implementations. It is special services. It is in the best interest of the ISP offering
in the best interest of the ISP offering these types of special these types of special services, however, to consider alternate
services, however, to consider alternate methods of implementation, methods of implementing these services to avoid being affected
such as point-to-point tunneling, or any other method which is not by ingress traffic filtering.
affected by ingress traffic filtering.
Mobile IP as defined in [6] is affected by ingress filtering. As
specified, traffic to the mobile node is tunneled, but traffic from
the mobile node are not tunneled. This results in packets from the
mobile node(s) which have source addresses that do not match with
the network where the station is attached. The Mobile IP Working
Group is addressing this problem by specifying "reverse tunnels"
in [7]. This draft provides a method for the data transmitted from
the mobile node to be tunneled to the home agent before transmission
to the Internet. There are additional benefits to the reverse
tunneling scheme, including better handling of multicast traffic.
Those implementing mobile IP systems are encouraged to implement
this tunneling.
While ingress filtering drastically reduces the success of source While ingress filtering drastically reduces the success of source
address spoofing, it does not preclude an attacker using a forged address spoofing, it does not preclude an attacker using a forged
source address of another host within the permitted prefix filter source address of another host within the permitted prefix filter
range. It does, however, ensure that when an attack of this nature range. It does, however, ensure that when an attack of this nature
does indeed occur, a network administrator can be sure that the does indeed occur, a network administrator can be sure that the
attack is actually originating from where it advertises. This attack is actually originating from within the known prefixes that
simplifies tracking down of the culprit, and at worst, the are being advertised. This simplifies tracking down of the culprit,
administrator can block a range of source addresses until the and at worst, the administrator can block a range of source
problem is resolved. addresses until the problem is resolved.
If ingress filtering used in an environment where DHCP or BOOTP If ingress filtering is used in an environment where DHCP or BOOTP
is used, the network administrator would be well advised to ensure is used, the network administrator would be well advised to ensure
that packets with a source address of 0.0.0.0 and a destination that packets with a source address of 0.0.0.0 and a destination
of 255.255.255.255 are allowed to be forwarded to the appropriate of 255.255.255.255 are allowed to reach the relay agent in routers
destination. Since the router is most likely performing as the BOOTP when appropriate.
or DHCP relay agent, the router will then be able to forward the
requests.
6. Summary 6. Summary
Ingress traffic filtering at the periphery of Internet connected Ingress traffic filtering at the periphery of Internet connected
networks will reduce the effectiveness of source address spoofing networks will reduce the effectiveness of source address spoofing
denial of service attacks. Network service providers and denial of service attacks. Network service providers and
administrators have already begun implementing this type of administrators have already begun implementing this type of
filtering on periphery routers, and it is recommended that all filtering on periphery routers, and it is recommended that all
service providers do so as soon as possible. In addition to aiding service providers do so as soon as possible. In addition to aiding
the Internet community as a whole to defeat this attack method, it the Internet community as a whole to defeat this attack method, it
skipping to change at page 7, line 16 skipping to change at page 7, line 22
simplified when the source is more likely to be "valid." By reducing simplified when the source is more likely to be "valid." By reducing
the number and frequency of attacks in the Internet as a whole, the number and frequency of attacks in the Internet as a whole,
there will be more resources for tracking the attacks which there will be more resources for tracking the attacks which
ultimately do occur. ultimately do occur.
8. Acknowledgments 8. Acknowledgments
The North American Network Operators Group (NANOG) [5] group as a The North American Network Operators Group (NANOG) [5] group as a
whole deserves special credit for openly discussing these issues and whole deserves special credit for openly discussing these issues and
actively seeking possible solutions. Also, thanks to Justin Newton actively seeking possible solutions. Also, thanks to Justin Newton
[Erol's Internet, Inc.] and Steve Bielagus [Proteon, Inc.] for their [Priori Networks] and Steve Bielagus [OpenROUTE Networks, Inc.]
comments and contributions. for their comments and contributions.
9. References 9. References
[1] CERT Advisory CA.96-12; TCP SYN Flooding and IP Spoofing [1] CERT Advisory CA.96-12; TCP SYN Flooding and IP Spoofing
Attacks; September 24, 1996 Attacks; September 24, 1996
[2] B. Ziegler, "Hacker Tangles Panix Web Site", Wall Street Journal, [2] B. Ziegler, "Hacker Tangles Panix Web Site", Wall Street Journal,
12 September 1996 12 September 1996
[3] "Firewalls and Internet Security: Repelling the Wily Hacker"; [3] "Firewalls and Internet Security: Repelling the Wily Hacker";
William R. Cheswick and Steven M. Bellovin, Addison-Wesley William R. Cheswick and Steven M. Bellovin, Addison-Wesley
Publishing Company, 1994; ISBN 0-201-63357-4 Publishing Company, 1994; ISBN 0-201-63357-4
[4] RFC-1918, "Address Allocation for Private Internets"; Y. Rekhter, [4] RFC-1918, "Address Allocation for Private Internets"; Y. Rekhter,
R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear; February 1996 R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear; February 1996
[5] The North American Network Operators Group; [5] The North American Network Operators Group;
http://www.nanog.org http://www.nanog.org
[6] RFC-2002, "IP Mobility Support"; C. Perkins; October 1996
[7] draft-ietf-mobileip-tunnel-reverse-02.txt, "Reverse Tunneling for
Mobile IP"; G. Montenegro; March 1997
10. Authors' addresses 10. Authors' addresses
Paul Ferguson Daniel Senie Paul Ferguson Daniel Senie
cisco Systems, Inc. Proteon, Inc. cisco Systems, Inc. OpenROUTE Networks, Inc.
400 Herndon Parkway 9 Technology Drive 400 Herndon Parkway 9 Technology Drive
Herndon, VA USA 20170 Westboro, MA USA 01581 Herndon, VA USA 20170 Westboro, MA USA 01581
Email: pferguso@cisco.com Email: dts@proteon.com Email: pferguso@cisco.com Email: dts@openroute.com
 End of changes. 21 change blocks. 
54 lines changed or deleted 67 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/