Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (RFC2827)

IP.com Disclosure Number: IPCOM000003425D
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 8 page(s) / 20K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

P. Ferguson: AUTHOR [+2]

Abstract

Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 14% of the total text.

Network Working Group                                        P. Ferguson
Request for Comments: 2827                           Cisco Systems, Inc.
Obsoletes: 2267                                                 D. Senie
BCP: 38                                           Amaranth Networks Inc.
Category: Best Current Practice                                 May 2000

Network Ingress Filtering:
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

Table of Contents

1. Introduction
2. Background
3. Restricting forged traffic
4. Further capabilities for networking equipment
5. Liabilities
6. Summary
7. Security Considerations
8. Acknowledgments
9. References
10. Authors' Addresses
11. Full Copyright Statement

1. Introduction

A resurgence of Denial of Service Attacks [1] aimed at various targets in the Internet has produced new challenges within the Internet Service Provider (ISP) and network security communities to find new and innovative methods to mitigate these types of attacks. The difficulties in reaching this goal are numerous; some simple tools already exist to limit the effectiveness and scope of these attacks, but they have not been widely implemented.

This method of attack has been known for some time. Defending against it, however, has been an ongoing concern....