BCP 38 - Final call for ISP's

It was one month back several of internet Root DNS servers suffered a DDOS attack. As per the notification, DNS root name servers began receiving a high rate of queries.  The queries were well-formed, valid DNS messages for a single domain name.  The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space.  The observed traffic volume due to this event was up to approximately 5 million queries per second, per DNS root name server receiving the traffic.

This clearly indicates a DDOS attack and the significance of how ISPs should plan their security strategies to avoid similar attacks to root DNS servers. One important mitigation tactic to be used here is BCP38. It was 14 years ago, BCP38 was written by Paul Ferguson and Daniel Senie.

I still doubt whether majority of the ISPs are taking it seriously to implement BCP38 or are they still stating the old story of performance issues, costs or complexity in configuration. Come on..!! This has to be a final wake up call for ISPs who still “thinks” whether to implement it or not.

Before going into the details of BCP38, we will check the relation of IP spoofing in DDOS attacks.

No attackers would like to reveal their identity when they go for DDOS attacks. With IP spoofing they would be able to hide their real IP addresses, thereby identity also. The host receiving the spoofed packet responds to the spoofed address, hence the attacker receives no reply back from the victim host. By sending many malformed packets, an attacker can successfully launch DDOS without the fear of being caught.

What is BCP38?

Best Current Practice 38 aka RFC 2267 is a best practice methodology around ingress traffic filtering. The specific purpose as stated in the RFC abstract “to prohibit DoS attacks which use forged IP addresses to be propagated    from 'behind' an Internet Service Provider's (ISP) aggregation point.”

Keeping it simple, BCP38 is a set of recommendations collected by IETF which describes a set of measures that an Internet service provider could implement to keep people from sending network packets with a forged sender address.

The problem here is if packets which comprise the attack have forged source IP Addresses, it would not only becomes harder to stop the attack but also becomes impossible to determine where it is actually coming from.

With BCP38 configured, routers would be able to check the validity of an IP address. A customer will be assigned the IP address/subnet by the Internet Service Provider (ISP). So they will be able to check the validity of the incoming packets from that particular customer, by checking whether this has been originated from the IP address/subnet they have provided. If it doesn’t match the provided IP address/subnet, then traffic should be dropped. This will help to avoid spoofing IP address from an outside subnet range of the customer or ISP.

For example, if an ISP has 3 customers, one in 11.1.x.x, another in 11.2.x.x, and in 11.3.x.x. If the ISP has BCP38 implemented on their customer routers, only packets originating from the customer provided subnet would be allowed to go through.  If the incoming packets are not coming from their designated subnets, then the traffic needs to be dropped. The customers who might be part of a botnet without their knowledge can be saved using this as the attackers were not able to spoof the IP address outside the provided range.

Here ISPs have to step up and configure it, so that similar DDOS attacks using IP spoofing can be mitigated. If the attackers have not spoofed the IP, then it would be much easy to detect those IP’s and we can block those at firewall level. The way of implementing BCP38 varies from vendor to vendor where they call it as Unicast Reverse Path Forwarding (uRPF).

I have a feeling that in 2016, we are going to witness a spike in DDOS and APT attacks regardless of the number of counter measures/tools we are placing. To stop or to reduce those, it all depends on how the whole internet community works together. From ISPs to the network administrator, we should implement defence in depth principles and give good user awareness. More than user awareness, I emphasize on giving awareness to senior management so that they can drive Information security from top to down.

Authored by Aju Nair

Rate this article: 
Average: 1 (1 vote)
Article category: