I was recently talking with some colleagues about the increasing threat of DDoS attacks using spoofed IP addressing and we ended up deep in discussion concerning BCP 38 / RFC 2827. The Best Current Practice and Request For Comments document is an outline for Internet Service Providers to perform ingress filtering on the edge for their networks for valid source IP prefixes. While ISPs have a responsibility I would argue that large and small enterprises have an equal responsibility to filter their egress traffic to ensure that they don’t source any traffic onto the Internet that doesn’t have valid source IP information. I personally like to do this extra level of filtering on my Internet facing router, this also helps prevent any private IP address leakage due to a poor NAT configuration on the border firewall.
A few years ago I had to work with an ISP that couldn’t understand how my Internet link was being flooded by packets that were being sourced from 127.0.0.1 egressing their network. I had to send them multiple packet traces and tediously explain to them what IP spoofing was and how to block it on ingress into their network backbone.
On Cisco IOS routers we only need to create an extended access-list to identify those packets which don’t have valid source IP addresses. We want to permit any packet which has a valid source IP address from our public IANA IP address block but we want to deny/block any IP packet which has a spoofed source IP address from leaving our network. In the example below I’m using the three TEST networks that are designated by the IETF/IANA for use in documentation. You should substitute the three IP address blocks below with your own public ARIN/APNIC/RIPE IP address assignment.
ip access-list extended bcp38_out permit ip 203.0.113.0 0.0.0.255 any permit ip 198.51.100.0 0.0.0.255 any permit ip 192.0.2.0 0.0.0.255 any deny any any log
Now that we have our access-list we need to apply it to outbound traffic leaving our Internet facing interface.
interface fa0/1 ... ip access-group bcp38_out out ...
And that’s it, pretty easy and painless yet too many folks miss this simple step.