[spoofing-tf] Draft Document - Network Hygiene Pays Off
To: RIPE IP Anti-Spoofing Task Force spoofing-tf@localhost
From: Daniel Karrenberg <daniel.karrenberg@localhost>
Date: Tue, 26 Sep 2006 15:17:56 +0200
Joao had volunteered to draft the RIPE recommendation on anti-spoofing.
While working on this we realised that a simple and concise
recommendation would not be sufficient to gain momentum. We also need to
make a good case for implementing it. We feel that adding this to the
recommendation itself would make it unwieldy and make it more difficult
to get consensus about a specific recommendation text. Therefore we
have made two drafts: a recommendation and a business case document.
Attached is a first draft of the business case document. The purpose is
to get the content right. The form can certainly be improved; we are
f.i. not sure if the "you" and "your" form is really effective and
appropriate. Please read and let us have your feedback. We will also
discuss this draft at the upcoming RIPE meeting.
The recommendation text and the agenda for the meeting will follow.
Network Hygiene Pays Off
The Business Case for IP Source Address Verification
Joao Luis Silva Damas
Mon Sep 26
IP source address verification prevents a class of prevalent
reflector-type DDoS attacks, helps to track down attacking hosts and
simplifies some network management tasks. Yet a significant number of
ISPs do not deploy it at the edge of their networks. Common wisdom
seems to be that doing so would be expensive and would only help the
"other guy" who is being attacked. This memo tries to contrast common
wisdom with some facts.
What is BCP38
[add short explanation and references]
No Confidence in IP Source Addresses is Bad
Suppose you need to investigate some unusual traffic flows in your
network or you just plain want to analyze current traffic load. If you
do not do BCP38 there is absolutely nothing you can get to know about
the source of a packet from the packet alone. You cannot trust the
source address at all. The packet could have entered your network
*anywhere*. Can that be good?
Suppose someone launches an attack on one of your customers with packets
that appear to come from another customer. The victim will likely tell
you that it originates from another of your customers and that you
should take action. If you do not do BCP38 you will have to tell the
victim that this traffic could come from anywhere and that you cannot
determine very quickly where the traffic is coming from.
Resolution speed can make a significant difference to your business as
it can affect your contracted service level agreements (SLAs).
Someone Can Pretend to be You
Even worse, if you do not do BCP38 an attacker can launch an attack with
packets that appear to be coming from yourself, the ISP. Imagine the
reaction of a customer that gets attacked by such packets. Are they
going to trust you when you explain it is not really you? What will they
think if you stress that your network operating practices allow such masquerading?
Imagine the cost of that.
Good Practice is Not Hard
It is not hard to prevent such a scenario. You simply have to do BCP38
towards your customers and drop all packets with internal source
addresses coming in from external peerings. Once you have done that you
*know* exactly who has sent a packet with an internal source address
and you also know that any packet with an external source address must
have come in via one of the external peerings.
Some multi-homing customers or customers using certain types of mobile
IP may require special configuration efforts. However these are neither
impossible nor very costly if implemented well. Our how-to documents
explain the technical details.
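As an added illustration (not part of the draft or its how-to documents), the two rules of this section modelled in Python: customer ports accept only their assigned prefixes, external peerings drop internal source addresses, and once both hold a source address alone names the entry point. Interface names and the documentation address ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed topology: ISP address space split across three customer ports.
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-B": [ipaddress.ip_network("192.0.2.128/25")],
    "cust-C": [ipaddress.ip_network("198.51.100.0/24")],
}
# "Internal" source addresses are everything assigned to a customer port.
INTERNAL_PREFIXES = [p for ps in CUSTOMER_PREFIXES.values() for p in ps]
EXTERNAL_PEERINGS = {"peer-X", "peer-Y"}


def ingress_verdict(iface, src):
    """Apply the draft's two rules to one packet with source src on iface."""
    src = ipaddress.ip_address(src)
    if iface in CUSTOMER_PREFIXES:
        # Rule 1 (BCP38 towards customers): accept only sources from the
        # prefixes assigned to this particular customer port.
        ok = any(src in p for p in CUSTOMER_PREFIXES[iface])
        return "accept" if ok else "drop"
    if iface in EXTERNAL_PEERINGS:
        # Rule 2: drop internal source addresses arriving from the outside.
        spoofed = any(src in p for p in INTERNAL_PREFIXES)
        return "drop" if spoofed else "accept"
    return "drop"  # unknown interface: fail closed


def attribute_source(src):
    """With both rules enforced, the source address alone identifies the
    entry point: a customer port for internal prefixes, else a peering."""
    src = ipaddress.ip_address(src)
    for iface, prefixes in CUSTOMER_PREFIXES.items():
        if any(src in p for p in prefixes):
            return iface
    return "external"


def summarize(flows):
    """Count verdicts per interface over (iface, src) flow records."""
    return Counter((iface, ingress_verdict(iface, src)) for iface, src in flows)


# Constructed flow sample: legitimate traffic plus two spoofing attempts.
SAMPLE_FLOWS = [
    ("cust-A", "192.0.2.7"),     # cust-A using its own address
    ("cust-A", "192.0.2.200"),   # cust-A claiming a cust-B address
    ("peer-X", "203.0.113.9"),   # ordinary external source
    ("peer-X", "198.51.100.4"),  # outside host claiming a cust-C address
]
```

Running `summarize(SAMPLE_FLOWS)` shows one drop on each of cust-A and peer-X, and `attribute_source("192.0.2.200")` returns "cust-B" without any traceback analysis.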
Doing BCP38 Helps A Lot and Builds Confidence
Doing BCP38 helps a lot with analyzing anomalies and makes understanding
normal traffic load very much more reliable.
In case any attacks or anomalies do happen, you can determine quickly
and with confidence any source within your own network or from any
customer, simply by looking at the traffic itself! The decision about
any countermeasures can be made very quickly and without any involved
specialist traceback analysis.
In case the source of the attack traffic is external, you can also state
that with confidence to your customers. Additionally customers doing
their own investigation will not be pointing to you as the source of
the attack to begin with.
Reflector Attacks Cannot Happen Between Customers
If you do not do BCP38 one customer can attack another with a DoS
reflector attack. Consider your responsibility and possible liability
in this case. If you do BCP38 your customers cannot do this to each
other and any reflector attack traffic has to come from outside your
network, thus from outside your direct responsibility.
Doing BCP38 is Good Publicity
Showing that you operate your network responsibly and safely is good
publicity; stating that you do BCP38 helps with that.
Showing responsibility by operating safely discourages regulation and
legislation of operating practices. Consider the difficulty of convincing
policy makers that enabling users to lie about their "caller-ID" is your
normal operating practice.
Consider All Costs
When considering the cost of implementing BCP38 in your network, you
should consider the costs of not doing so together with the costs for
implementation of BCP38 itself. The savings in the network management
area and in mitigation of DoS attacks may well outweigh the
implementation costs. The added good publicity and confidence in good
operating practices should not be neglected either.
Testimonials of ISPs Who Do BCP38
[Add ISP statements about experiences, illustrating both cost and benefits.]