
Shaw Internet And BCP38 (Spoofed IP)

Question asked by djcanadianjeff on May 5, 2014
Latest reply on May 30, 2015 by kevinds

I have always wondered how Shaw Internet handles such a thing?

BCP38 is RFC2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.

DoS attacks, and their even nastier cousins Distributed Denial Of Service Attacks, are hard enough to deal with, but if the packets which comprise the attack have forged source IP Addresses, it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.

The solution to this problem, described in RFC2827, which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them.

There are a small number of situations in which such packets are not fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

Isn't that complicated?

In general: BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.


So why don't people do it?

Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't.

In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard."
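
The drop decision described in the post above, sketched as an added example; it is not part of the original post and is not Shaw's or any vendor's implementation. The port names, prefixes and the exception entry are constructed for illustration, using documentation address ranges.

```python
import ipaddress
import struct
from collections import Counter

# Constructed data: customer-facing ports and the prefixes assigned to them.
ASSIGNED = {
    "cm-0001": [ipaddress.ip_network("198.51.100.24/32")],
    "cm-0002": [ipaddress.ip_network("203.0.113.0/29")],
}
EXCEPTIONS = {"cm-0002": [ipaddress.ip_network("192.0.2.64/28")]}  # manual exception (hypothetical)

def source_of(packet: bytes) -> ipaddress.IPv4Address:
    """Read the source address (bytes 12-15) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])

def ingress_permit(port: str, packet: bytes) -> bool:
    """Forward only if the source address belongs to the port it arrived on."""
    try:
        src = source_of(packet)
    except ValueError:
        return False  # malformed packet: drop
    allowed = ASSIGNED.get(port, []) + EXCEPTIONS.get(port, [])
    return any(src in net for net in allowed)  # unknown port: nothing is allowed

def filter_batch(arrivals):
    """Return (forwarded packets, per-port drop counts) for (port, packet) pairs."""
    forwarded, drops = [], Counter()
    for port, packet in arrivals:
        if ingress_permit(port, packet):
            forwarded.append(packet)
        else:
            drops[port] += 1  # a non-zero count identifies the customer port to look at
    return forwarded, drops

def make_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

if __name__ == "__main__":
    sample = [  # constructed arrivals
        ("cm-0001", make_header("198.51.100.24", "192.0.2.1")),  # own address
        ("cm-0001", make_header("203.0.113.200", "192.0.2.1")),  # forged source
        ("cm-0002", make_header("192.0.2.70", "198.51.100.1")),  # manual exception
    ]
    forwarded, drops = filter_batch(sample)
    print(len(forwarded), dict(drops))
```

Because the check runs on the port where the customer link terminates, the per-port drop counter also records which customer link the forged packets arrived on.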

