Ask a Broadband Expert - DDoS Attacks

Help, I’m Under Attack!

Unfortunately, that plea is becoming more and more common these days. Here’s why, and some ways that the ISP community can help.

All networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows devices in the receiver’s network to know where it came from, so that a reply can be routed back. However, a sender IP address can be faked ('spoofed'); doing so is, in essence, a spoofing attack. This disguises the true origin and sender of the packets, and in the case of a denial-of-service attack, the sending IP address that is used is one that’s on the network being targeted. By the time the receiver realizes what’s happening, it’s too late.

To help stop these spoofed packets from getting through, a technique called ingress filtering can be used to make sure that incoming packets are actually from the networks that they claim to be from. BCP38 is the Best Current Practice document that advocates network ingress filtering to help combat DDoS attacks. BCP38 is documented by the Internet Engineering Task Force (IETF) and recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets whose source address is not allocated to that customer.
Paul Ferguson, the co-author of BCP38, constantly collaborates with public and private enterprise to identify the latest malicious threats on the Internet.
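
The ingress-filtering rule described above, as an added example (not code from the original article or from the BCP38 text): a small Python model of an edge router that forwards a packet only when its source address falls inside the prefixes allocated to the customer interface it arrived on, and counts what it drops. The interface names and prefixes are constructed and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed allocation table for an edge router: customer-facing interface ->
# prefixes the ISP has assigned to that customer (documentation ranges only).
ALLOCATIONS = {
    "cust-a": ["198.51.100.0/25"],
    "cust-b": ["198.51.100.128/25", "2001:db8:b::/48"],  # dual-stack customer
}

class IngressFilter:
    """Per-interface source-address validation in the spirit of BCP38."""

    def __init__(self, allocations):
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in allocations.items()
        }
        self.dropped = Counter()  # per-interface drop counts for monitoring

    def permit(self, iface, src):
        """Return True if a packet arriving on iface may carry source src."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None  # unparseable source: never forward it
        nets = self.allowed.get(iface, [])  # unknown interface: deny all
        ok = addr is not None and any(
            addr.version == n.version and addr in n for n in nets
        )
        if not ok:
            self.dropped[iface] += 1
        return ok

def run_sample():
    """Filter constructed (interface, source) pairs; return verdicts and counters."""
    f = IngressFilter(ALLOCATIONS)
    packets = [
        ("cust-a", "198.51.100.10"),   # customer's own address
        ("cust-a", "203.0.113.7"),     # source outside cust-a's allocation (spoofed)
        ("cust-a", "198.51.100.200"),  # belongs to cust-b, not cust-a
        ("cust-b", "2001:db8:b::53"),  # legitimate IPv6 source
        ("cust-b", "2001:db8:a::1"),   # IPv6 source outside the /48
        ("cust-c", "198.51.100.10"),   # interface with no allocation on record
    ]
    return [f.permit(i, s) for i, s in packets], dict(f.dropped)

if __name__ == "__main__":
    print(run_sample())
```

The per-interface drop counters are the part worth exporting to monitoring: a customer port with a steadily rising count is sending traffic with sources it was never allocated.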

Paul is currently Vice President of Threat Intelligence at Internet Identity. In the past Paul has been the Senior Threat Researcher at Trend Micro and has provided key evidence to the FBI that helped them arrest the originators of the DNSChanger malware in Operation Ghost Click. Ferguson also previously held positions at Northrop Grumman Corporation, Cisco Systems, Inc., Sprint, Computer Sciences Corp. (CSC) and AT&T. He served in the U.S. Army during the Cold War as a Communications Security (COMSEC) specialist. We talked to Paul Ferguson to get a better understanding of BCP38 and how it relates to Denial of Service Attacks.

ZCorum - Paul, let’s start with some basic questions, these hacker groups, do they just find someone out there that they don’t like and target them?

Well, it is a multifold problem. They’re finding open NTP servers and open DNS recursive resolvers where they can send a spoofed packet of the target they want to attack. For example, on a DNS open recursive reflective amplification attack they can send a very small DNS query, and it sends back a very large response. So, you’d only need a couple of hundred attackers. If was the target, they send packets with a IP source address and the DNS recursive resolvers send back these very large responses to as a reflective distributed denial of service amplification attack. There are about 10 to 20 million open recursive DNS resolvers on the internet, which is a whole other problem unto itself. There was just one guy operating alone in the Netherlands that generated over 200 Gig of traffic when he was attacking Spamhaus when they were on CloudFlare last year. So it doesn’t take a lot to generate a huge attack.

ZCorum - So are they going after people who make their life harder as a spammer or hacker?

Yeah, they do. There are several reasons for the attacks, though. There are extortion attacks such as on online casinos. “Pay us $500 and we will stop denial of service attacks to your site.” There are also sleight of hand distractions where they launch a denial of service attack on a bank at the same time as a bunch of bank account hijacks and ACH wires transferring money out of accounts. And yes, they most certainly attack companies who are making their life hard like Spamhaus or network security companies.

ZCorum – Are ISPs generally familiar with BCP38?

Actually BCP 38 is a term that has become somewhat cryptic and hard to understand and most people can’t remember it or know what it is when it’s mentioned. I’ve changed the way I talk about this over the years. Now when I’m talking about this to decision makers, I don’t talk about BCP38 as much as I talk about anti-spoofing. I have changed my language a little bit because anti-spoofing is terminology that people can wrap their head around. They understand it; and they understand why it is bad. ISPs shouldn’t be fooled into complacency though; there is no legitimate reason to spoof traffic on the internet. Spoofing an IP address or a source address is only done for one reason, to hide the originating source. And ISPs should be educated and on the ball enough to prohibit any user or downstream customer of theirs from sending packets that have a source address which is not allocated to that customer. That is pretty much the long and short of the whole thing. But this is where the universal resistance to implementing BCP38 and anti-spoofing comes up. Comments pop up complaining that ingress filtering is controlling, that it can’t be legal, what about privacy, etc. And there are people who are going to use those excuses and others, real or imagined, to justify not implementing filtering. The truth is there are a lot of people filtering and there are no issues with it. You wouldn’t do it on a high end router with a high end link because chances are it will knock you out of the fast path of switching. So it was originally designed to be deployed at the edge of the network, at a customer aggregation point, so it will have less of an impact.

ZCorum - On what equipment should BCP38 be implemented?

Wherever the ISP figures it will have the least impact is where they should implement it. My recommendation is as close to the customer as possible. Look at the hierarchical model of bandwidth in connection to the default free zone in the internet, the closest out to the edge is the best place to implement it. However, for reasons of convenience you might want to do it on an aggregate point. So instead of implementing it on every customer interface, you do it on a customer interface that touches 10-100 customers for convenience purposes and more bang for the buck. I mean the fewer things you have to touch the better, but that may not hold true for performance.

ZCorum – Is there any benefit for the ISP in implementing BCP38?

Well, the thing about BCP38 is that it is an altruistic measure. You get no protection from doing it other than saying that none of my customers are guilty of source spoofing traffic. It doesn’t protect you from anything and it doesn’t stop you from being the victim of a DDoS attack, but if everybody on the planet implemented ingress filtering and anti-source spoofing filters then the majority of these massive reflection DDoS attacks would go away tomorrow.

ZCorum - So sort of the golden rule - do unto others as you would have them do unto you?

Absolutely, and I used the word altruistic, but I mean it is simply the right thing to do. The last time I checked we were all advocates of doing the right thing. Why would you NOT want to apply BCP38?

ZCorum – You were involved in creating BCP38. Give us a little history on how that got started.

BCP38 started with Dan Senie and I writing the beginnings of it as an internet draft in 1997 and then guiding it through the whole evolution of IETF procedures to eventually become a BCP. You start with the submission of an internet draft and a particular working group of the IETF decides whether or not to post it as an informational RFC (Request for Comments). There are different types of RFCs; post standards, informational, and others. If an internet draft receives the go ahead from the IETF then it’s published as an informational RFC, and in this case, RFC 2827. Then in 2000, it was published as BCP38, Best Current Practice 38. A best current practice is a practice that the IETF determines that everyone should be adopting. And that was in 2000, almost 15 years ago.

ZCorum - Has BCP38 made an impact for some of the larger networks that have adopted the practice?

Well it has, but it is almost impossible to measure remotely. There is a thing called a spoofer project. It was started by a guy from MIT, Rob Beverly. He wrote a program that you can download that runs on Windows, Linux, Mac OS X, or what have you. You can measure whether your ISP is blocking spoofed packets or whether you are sitting behind a Network Address Translation (NAT) that might block you. The project died for a little while when Rob left MIT; now he is at the Naval Postgraduate School and the spoofer project has been picked up by other people and is being fixed and maintained a little bit. There is an estimate that probably somewhere between 20% and 30% of the Internet is not filtering spoofed IP packets. And that’s pretty good if we have 70%, 80% coverage. The only way to really measure whether someone is BCP38 compliant is to measure from within their network.

ZCorum - Is there any way to convince the non-adopting?

There are some discussions happening at the government and policy levels around the world of mandating it from a regulatory regime. We have been saying for 20 years, if ISPs are not policing themselves and doing the right thing, then someone (the government) is going to try and force you to do it, or do it for you and you are not going to like the result. We would much rather everyone police themselves than have a government regulation, which usually does more harm than good. But I know that there has been talk in the EU, and in various EU member countries’ governments and parliaments of doing that. There’s also been talk in the FCC. The problem is that these DDoS attacks are getting to be over 400gb per second attacks and it’s going to get to the point where there is no way to fight them off anymore. Pre-emptive filtering to disallow the ability of people to generate IP source-spoofed packets may be the only way to stop or at least slow them down. It’s not always the case that people are just resisting it. There are a lot of emerging countries who are probably just completely in the dark on how to combat these attacks. It’s just an education issue. Some people say that it is a vendor implementation issue. And certainly there are those people who will find some reason not to do it, regardless of the issue, whether it is real or imagined.

ZCorum - At this point, it sounds like it is an educational kind of thing, unless it becomes mandated, to get ISPs to understand that this is something that they need to be doing?

Yes. I would consider this to be security 101, a security fundamental. A lot of people have what I call the dog sees squirrel syndrome - they get so distracted by the vulnerability of the day, whether it’s the Heartbleed security bug or the defacement of some website, or what have you. The threat landscape changes every day and people get distracted by those things. If people cannot do the basic fundamentals of security then they are going to learn some very hard lessons. Doing IP source spoofing filtering is a fundamental. Also, don’t have open DNS recursive resolvers. Don’t have NTP ports open to the internet all the time. Some of these things are security fundamentals, and as a community we are failing at educating people on the fundamentals.

About the Author: Marsha Hemmerich

Marsha brings thirteen years of experience in the broadband industry as a Marketing Specialist and Technical Writer.
