The Role of ISPs in Cleaning Up the Internet. It’s Time!

By Dave Larson

IP address spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of hiding the identity of the sender or impersonating another computing system. Packets with spoofed IP addresses are easiest to detect and filter closest to their point of origin on the Internet, but the further they are propagated, the more difficult the problem becomes.

Historically, DNS amplification DDoS attacks have posed a significant problem to enterprises and Internet service providers alike. More recently, novel amplification attacks, such as the newly discovered Connectionless LDAP reflection vector, have emerged because there are so many unnecessarily open services on the Internet that will unknowingly respond to spoofed record queries. Operators of any network should have their networks and services configured in such a way that they do not respond to spoofed IP requests. At the very least, operators of DNS open resolvers should configure their DNS servers not to respond to ‘ANY’ requests in order to squelch the opportunity for the server to be leveraged for malicious use.

Proper Hygiene

Many DDoS attacks could be alleviated by proper service provider hygiene, and by correctly identifying spoofed IP addresses before those requests are admitted to the network. There is a Best Common Practice – BCP38 – published by the Internet Engineering Task Force (IETF) that operators should take more seriously. The abstract section of BCP38 summarizes the approach:

"Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point."

If you are not following BCP38 in your environment, you should be. If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.
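The ingress filtering rule that BCP38 describes, as an added example (not code from this article or from BCP38 itself): a packet arriving on a customer-facing interface is forwarded only if its source address falls inside a prefix assigned to that customer. The interface names, the provisioning table and the sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed provisioning data: customer-facing interface -> prefixes assigned
# to the customer behind it (documentation ranges, not real allocations).
ASSIGNED = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

def build_filters(assigned):
    """Parse prefix strings once into network objects, per interface."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def permit(filters, ifname, src):
    """BCP38 rule: forward only if src lies in a prefix assigned to ifname."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    # An unknown interface has no assigned prefixes, so everything is dropped.
    return any(addr.version == net.version and addr in net
               for net in filters.get(ifname, []))

def audit(filters, packets):
    """Return dropped (ifname, src) pairs and a drop count per interface."""
    dropped = [(i, s) for i, s in packets if not permit(filters, i, s)]
    return dropped, Counter(i for i, _ in dropped)

# Constructed sample traffic: (ingress interface, claimed source address).
SAMPLE = [
    ("cust-a", "192.0.2.17"),       # legitimate
    ("cust-a", "203.0.113.9"),      # forged: not an address assigned to cust-a
    ("cust-a", "2001:db8:a::53"),   # legitimate IPv6
    ("cust-b", "198.51.100.200"),   # outside cust-b's /25
    ("cust-b", "192.0.2.17"),       # valid address, wrong interface
]

if __name__ == "__main__":
    dropped, per_if = audit(build_filters(ASSIGNED), SAMPLE)
    for ifname, src in dropped:
        print(f"drop {src} on {ifname}")
    print(dict(per_if))
```

The per-interface drop counts are the useful operational signal: a customer port that keeps sending out-of-prefix sources is either misconfigured or hosting a spoofing source.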

While eliminating or reducing IP address spoofing is mostly at the mercy of carriers implementing things like BCP38 to prevent packets from being spoofed in the first place, end users can certainly help. When they sign up with an ISP, end users could ask the ISP if they implement BCP38 to raise awareness and get more network providers to follow these best practices.

In the end, it will take a ‘community effort’, an effort comprised of Providers, Device Vendors, Standards Bodies (e.g. IETF – Internet Engineering Task Force) and independent test/validation organizations. Government may also have a role to play in the future – but we could avoid that issue if the community at large would take the problem seriously.

Beyond the Operators

Of course the security landscape is complicated and the tools to defeat these challenges vary widely. DDoS defense requires purpose-built technology that deals with the problem in a proactive and real-time manner. Legacy approaches to DDoS mitigation have relied on disparate detection and mitigation engines, scrubbing centers or manual intervention. As we’ve learned over the years, the time from detection to mitigation is crucial in reducing or eliminating the impact of a DDoS attack. Without the proper solution in place to mitigate DDoS, the result of a successful attack can be devastating to any business, and certainly those who rely on the Internet to operate.

The only solution that can respond to the size, sophistication and frequency of emerging DDoS threats is a real-time automatic mitigation solution. Providers can now deploy their DDoS mitigation operations at peering or transit points, using technology that is scalable and responsive. These systems are automated, always on and capable of responding to attacks as they happen – thus reducing headaches for providers everywhere, regardless of the DDoS attack vector used in the attack.

About Dave Larson

Dave Larson, Chief Operating Officer and Chief Technology Officer, is responsible for directing the Corero technology strategy as the company continues to invest in its next phase of growth, providing next-generation DDoS attack and cyber threat defense solutions for the Service Provider and Hosting Provider segments.
