In the world of DDoS attacks, “IP spoofing”, or just “spoofing” for short, is a technique used to hide the actual IP address of an attacking computer and to overload session tables. Attackers can choose an alternate IP address, or generate random IP addresses that change very rapidly, allowing one attacker to simulate vast numbers of simultaneous attackers, each with a different IP address. This makes tracking the source of the infected botnet computers more difficult, because the source IP address of the attacker has been falsified.
Session tables on a server or load balancer keep a pre-determined number of open sessions for each IP address for a specified length of time in seconds. The number of available sessions is determined by the amount of memory dedicated to this task. Spoofing IP addresses allows a single attacking computer to create more open sessions than would normally be permitted. In a DDoS attack, a very large number of spoofed addresses can be generated, overloading the session table and dropping all packets, or causing the server or load balancer to crash. IPv6 (IP version 6) has been designed to provide more security and will bring an end to spoofing; however, in the meantime, the “chicken or the egg” wait for the masses to adopt IPv6 means we need to address spoofing in IPv4 in the best way possible.
The problem of IP spoofing in IPv4 is best solved at the Internet Service Provider / bandwidth provider level. In May 2000, RFC 2827, “Network Ingress Filtering: Defeating Denial of Service”, was proposed as a solution to this problem. It lays the groundwork for an international effort to implement simple network changes that substantially reduce the threat from spoofed IP addresses. An Internet Service Provider can filter traffic originating from its network and ensure that only packets whose source IP addresses fall within the ranges assigned to that network are permitted out to the Internet.
For example, ISP A has the ranges 18.104.22.168/16 and 22.214.171.124/24. Ingress filtering is set up to ensure that only traffic with these source IP ranges is allowed.
On a Cisco device, this portion of the ingress ACL might look as follows (Cisco extended ACL format, with sequence numbers):
100 permit ip 126.96.36.199 0.0.255.255 any
110 permit ip 188.8.131.52 0.0.0.255 any
500 deny ip any any
Keep in mind that this example only includes the lines necessary to permit the listed source ranges and deny every other source address; a production ACL would carry additional entries.
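The same rule expressed in code, as an added example that is not part of the original post: it turns an ISP's CIDR prefixes into the Cisco wildcard-mask ACL lines above and then applies that policy to a handful of constructed packet source addresses. The prefixes and source addresses are placeholders from the RFC 5737 documentation ranges, not the article's numbers.

```python
import ipaddress

# Constructed placeholder prefixes standing in for "ISP A" (RFC 5737 documentation space).
ISP_A_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]


def build_ingress_acl(prefixes, start=100, step=10, deny_seq=500):
    """Emit Cisco extended ACL lines that permit only the ISP's own source ranges.

    Cisco ACLs use a wildcard mask (the inverse of the subnet mask); the
    ipaddress module exposes exactly that value as network.hostmask.
    strict=True makes a prefix with host bits set (e.g. 203.0.113.5/24)
    raise ValueError instead of silently producing a wrong ACL entry.
    """
    lines = []
    seq = start
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        lines.append(f"{seq} permit ip {net.network_address} {net.hostmask} any")
        seq += step
    lines.append(f"{deny_seq} deny ip any any")  # everything else is spoofed or misrouted
    return lines


def ingress_filter(prefixes, source_ips):
    """Return a permit/deny verdict per packet source address, RFC 2827 style.

    A packet leaving the ISP with a source address outside its own prefixes
    cannot be legitimate customer traffic, so it is dropped at the edge.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    verdicts = {}
    for ip in source_ips:
        addr = ipaddress.ip_address(ip)
        verdicts[ip] = "permit" if any(addr in net for net in nets) else "deny"
    return verdicts


if __name__ == "__main__":
    print("\n".join(build_ingress_acl(ISP_A_PREFIXES)))
    # Constructed sample: two genuine customer sources, two spoofed ones.
    sample_sources = ["203.0.113.5", "198.51.100.77", "192.0.2.9", "10.0.0.1"]
    for ip, verdict in ingress_filter(ISP_A_PREFIXES, sample_sources).items():
        print(f"{ip:>15}  {verdict}")
```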
If every ISP implemented these steps for their networks, botnets would be forced to reveal their true addresses. This would also allow those addresses to be reported accurately to Internet service providers, and thus to the end-user computers most likely infected with a botnet trojan. In Australia, measures have been taken to disconnect service to virus-infected computers once they are identified; this sort of initiative could be a very strong defensive technique in the war against DDoS. Network engineers and webmasters: please introduce such steps within your organization and recommend this approach to your ISP or bandwidth providers for your residential and business Internet connectivity. Together we can stop spoofed IP addresses and minimize the impact of DDoS attacks.
Network Security Engineer, Dosarrest