Thumbnail: logo

IP spoofing and how ISPs can avoid it

by on


Ever single entity on the internet has been assigned its own public IPv4 (or IPv6) address by its ISP.
Right?… most of the times.
An ISP, normally, assign IPs to its customers in a dynamic fashion, via DHCPv4 or DHCPv6 Prefix Delegation.
However, nothing is preventing the end user to manually set a different address, outside the ISP address scope and, if there is no source-address check in place, the illegitimate traffic can pass unrestricted through the network.

Unless the ISP is illegally involved in this scenario, this customer behavior will not allow any two way communication, due to the lack of routing of the spoofed IP. So why should we care?

Because one way spoofing is the underlying ingredient of most common DDoS attacks nowdays: UDP based traffic does not need a connection to reply, hence a simple DNS amplification will just require a spoofed address of the victim to be effective.

ISP can prevent this behavior by enforcing some controls et the network edge, such:

  • Anti-spoofing ACL(blocking not routed source address space - but requires too micro-management)

  • uRPF
    (Unicast Reverse Path Forwarding - preferred solution): while inspecting each source address embedded in the packets, it denies the ones not coming from a routed network across the inbound interface.

    These and others preventive techniques are listed in the MANRS manifesto, along with the involved ISP participating in the campaign.

    While these policies could solve this global issue, any non right-behaving ISP could act as a catalyst for the spoofed traffic by generating many tunneled sessions (GRE, L2TP, ToR etc.) in near future scenario, where CPE and IoT devices could be more and more compromised, and thus bypassing ISP edge network control (see Mirai botnet)
spoofing, routing


© 2018 Matteo Malvica. Illustrations by Sergio Kalisiak.