Best Common Practice - 38, Perhaps Wise Beyond Its Years
Perhaps a little known fact in the inner workings of what we know as the World Wide Web, is that ability to spoof Service Provider source IP addresses and send traffic into the Internet using a fake or pseudo IP address is quite a common practice. Most often used for malicious purposes and cyber security experts would agree that Source IP spoofing can be dangerous because it enables what is called Reflective or Amplified DDoS attacks.
This category of DDoS attack begins to question the long-term viability of the Internet. For example a recent Reflective/Amplified DDoS attack was recorded to have generated over 400 Gbps of attack traffic in Europe earlier this year. Some experts in the field estimate that we can expect attacks to double before year’s end, with Terabit DDoS attacks not too far off in the future - A serious threat to any nation’s national security and communications infrastructure.
Back in the year 2000, BCP-38 (Best Common Practice-38) was written. BCP-38 was a recommendation to the Internet Service Providers of the day requesting that they eliminate the ability for users (attackers in this case) to spoof their source IP addresses. If every service provider simply followed this recommendation, Reflective/Amplified DDoS attacks that involve source IP spoofing would be eliminated. Simply put, they no longer would work.
According to Ferguson (2000), (BCP-38) “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service (DDoS) attacks. (Some) Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible” (p.7). This is a recommendation that is nearly 14 years old! So why haven’t all Internet Service Providers heeded this recommendation?
Today there is no incentive or mandate for service providers to eliminate the ability for users to perform source IP spoofing and I’m guessing that only a handful of service providers actually perform ingress traffic filtering to help prevent the IP spoofing at the source. No one knows for sure how many service providers follow BCP-38 and associated BCP-84 , but if the majority were adhering to the recommendation, these types of DDoS attacks most likely wouldn’t be making headlines on a daily basis.