RFC 3704: Ingress Filtering for Multihomed Networks
RFC-Ref

address



... denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic ...
... dropping traffic entering their networks that is coming from a source address not legitimately in use by the customer network. The filtering ...
... filtering includes but is in no way limited to the traffic whose source address is a so-called "Martian Address" - an address ...
... source address is a so-called "Martian Address" - an address that is reserved [3 ...
... source address is a so-called "Martian Address" - an address that is reserved [3], including any address ...
... address that is reserved [3], including any address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. ...
... Distributed Denial of Service Attacks frequently spoof other systems' source addresses, placing a random number in the field. In some attacks ...
... filtering, by verifying that their prefixes are not used in the source addresses in packets received from the Internet. In other attacks ...
... Internet. In other attacks, the source address is literally a random 32 bit number, resulting in the source of the attack ...
... attacks can be somewhat mitigated: traffic with random or improper source addresses can be suppressed before it does significant damage, and attacks can ...


... An Ingress Access List is a filter that checks the source address of every message received on a network interface against a list of ...
... filters and interface access-lists). The procedure is that the source address is looked up in the Forwarding Information Base (FIB) ...
... RPF) is an extension of Strict RPF. The source address is still looked up in the FIB (or an equivalent, RPF ...
... the network, this approach provides a way to relatively easily address the biggest problems of Strict RPF. ...
... route at all, such as to "Martian addresses" or addresses that are not currently routed, but is not dropped if a route ...
... to "Martian addresses" or addresses that are not currently routed, but is not dropped if a route exists. ...
... interface; if it points nowhere or to some other interface, the packets with bogus source addresses will be discarded at the Loose RPF interface ...
... upstream providers, to get rid of packets with "Martian" or other non-routed addresses. If other approaches are unsuitable, loose RPF ...
... filtering need only verify the fact and react if any packets which would show a breach in the contract are detected. Of course, this mechanism would only show if the source addresses used are "martian" or other unrouted addresses ...
... source addresses used are "martian" or other unrouted addresses -- not if they are from someone else's address space. ...
... martian" or other unrouted addresses -- not if they are from someone else's address space. ...
... explicit route presence check". In this approach, the router looks up the source address in the route table, and preserves the packet if a route is found. However, in the ...
... default routes are used only to catch traffic with bogus source addresses, with an extensive (or even full) list of explicit routes to cover legitimate traffic. ...


... it) has been deployed at every border (towards the customers, peers and upstreams) -- blocking the use of your own addresses as source addresses -- the attackers may be able to circumvent the protections ...
... customers, peers and upstreams) -- blocking the use of your own addresses as source addresses -- the attackers may be able to circumvent the protections of the infrastructure gear. ...
... symmetric. It might even be considered useful to be able to filter out source addresses coming from an upstream link which should have ...


... RPF cannot be recommended, except as a way to measure whether "martian" or other unrouted addresses are being used. ...
... behavior, the simplest approach will be to ensure that its ISPs in fact carry its addresses in routing. This will often require the edge ...
... network will be of a size and technical competence to qualify for a separate address assignment and an autonomous system number from its RIR ...
... traffic being sourced from a given provider's address space to that provider. ...
... 5]. This way the edge routers are configured to first inspect the source address of a packet destined to an ISP and shunt it into the appropriate tunnel ...


... attacker "somewhere in the Internet" is being ingress filtered or not. Therefore, one can only guess whether the source addresses have been spoofed or not: in any case, getting a possible lead -- e.g., to contact a potential source to ask whether they're observing an attack ...
... prefixes such as Martian addresses. It can be applied in the upstream interfaces to reduce ...
... interfaces to reduce the size of DoS attacks with unrouted source addresses. In the downstream interfaces ...


... ISPs to implement ingress filtering to prevent spoofed addresses being used, both to curtail DoS attacks and to make them more traceable, and to protect their own infrastructure. This ...
... edge networks should verify that their own addresses are not being used in source addresses in the packets coming from outside their network ...
... networks should verify that their own addresses are not being used in source addresses in the packets coming from outside their network. ...
... traffic to multicast destination addresses will always pass the Strict RPF filter or ...
... with different properties (e.g., peers and upstreams), and wants to ensure that traffic sourced with a peer's address should not be accepted from the upstream. ...


... Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827 ...
... IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002. ...


... Authors' Addresses ...


... copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. ...


