During RIPE 71 last week in Bucharest, Benno Overeinder from NLnetLabs and I organised a BoF to discuss the problem of source IP spoofing.
Some may ask with a certain level of frustration, “Anti-spoofing?!! Source address validation?! BCP 38?! Again?!” Indeed, visible progress in anti-spoofing has been quite disappointing. Despite existing technical solutions and more than a decade of consistent evangelizing, not much has changed by the look of the symptom – most notably reflection-amplification DDoS attacks. They have only gotten bigger!
Several aspects make this problem especially tough.
- Existing technical measures are only effective and applicable close to the edge – computers and other end-devices connected to the net. This requires deployment of anti-spoofing measures by a vast majority of networks on a global scale – something that is not easy to achieve.
- Accountability is a problem. Tracing spoofed traffic back to its real source is impossible in the majority of cases.
- The business case is very weak. There are network types where confidence in the validity of the source IP address is important for their proper operation, but in general, and coupled with the lack of accountability, implementing source address validation has costs and does not bring real benefits for an individual network.
- We do not even know where we are. There is a challenge in detecting “spoofable” networks and therefore a lack of statistically representative data regarding the state of affairs. It is impossible to say how the situation has changed over the last decade.
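The first point above, that source address validation only works close to the edge, can be made concrete with a small simulation. This is an added illustration, not code from the original post: the prefixes, addresses and topology are constructed from RFC 5737 documentation ranges, and the filter is a simplified model of BCP 38 ingress filtering (accept a packet only if its source lies inside a prefix legitimately reachable behind the interface).

```python
"""Why BCP 38 ingress filtering is only effective near the edge.

Added illustration (not from the original post). All prefixes and addresses are
constructed RFC 5737 documentation ranges; the topology is hypothetical.
"""
import ipaddress


def make_filter(allowed_prefixes):
    """Return an ingress-filter function for one interface.

    The filter accepts a packet only if its source address falls inside one of
    the prefixes legitimately reachable behind that interface (the BCP 38 /
    strict uRPF idea). Anything else is treated as spoofed and dropped.
    """
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def check(src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in nets)  # True = accept, False = drop

    return check


def spoofable_space(allowed_prefixes):
    """Number of source addresses a host behind this filter could still forge
    without being caught: every address inside the permitted prefixes."""
    return sum(ipaddress.ip_network(p).num_addresses for p in allowed_prefixes)


# Constructed topology: one customer holds 192.0.2.0/24. Its ISP aggregates
# that customer with two others, so the ISP's upstream-facing filter must
# permit all three prefixes.
CUSTOMER_PREFIXES = ["192.0.2.0/24"]
ISP_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

customer_edge = make_filter(CUSTOMER_PREFIXES)
isp_upstream = make_filter(ISP_PREFIXES)


def compare(src_ip):
    """Show how the same packet fares at the edge versus one hop upstream."""
    return {"customer_edge": customer_edge(src_ip), "isp_upstream": isp_upstream(src_ip)}


if __name__ == "__main__":
    # A host in 192.0.2.0/24 forges a neighbouring customer's address.
    print(compare("198.51.100.7"))   # edge drops it; ISP upstream lets it through
    print(spoofable_space(CUSTOMER_PREFIXES), spoofable_space(ISP_PREFIXES))
```

The further a filter sits from the end hosts, the larger the permitted set becomes, so a forged address drawn from any downstream prefix passes unchallenged; only the customer-facing port can tell that 198.51.100.7 never belonged there.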
And so, we had to pose a question as to whether solving this problem is worth it at all. Should we, as a community and as individual operators, concentrate our efforts on reactive measures of mitigating the outcome of the spoofing – a volumetric DDoS attack? Should we make mitigation measures more accessible, less costly, more automated and more effective?
And, in general:
Are we solving the problem?
Are we solving the right problem?
Are we solving it in the right way?
There was an interesting discussion and people lined up at the microphone. It was hard to expect a breakthrough, but from my perspective three points were reinforced:
- Measurements. Being able to identify source address validation capabilities (or lack thereof) is an essential element of any solution in this space. Otherwise, it is like tilting at windmills.
Spoofer is a good start. But the number of measurements is too low and their location is somewhat biased. We need to expand these measurements and correlate them with other data sources to produce a more statistically representative set.
- Incentives. Without a stronger business case we cannot expect a solution at scale. Unfortunately, this does not mean telling the BCP38 story better; it means creating better incentives. This might need both a carrot and a stick.
A carrot could be a self-enforcing reputation of a growing group of adopters of these measures that publicly declare their actions – this is what MANRS is doing. The more operators join, the more important anti-spoofing measures become, the stronger the cultural shift toward collaborative security will be.
A stick might be liability. As Paul Vixie wrote recently, “In the world of credit cards, ATM cards, and wire transfers, state and federal law explicitly point the finger of liability for fraudulent transactions toward specific actors. And in that world, those actors make whatever investments they have to make in order to protect themselves from that liability, even if they might feel that the real responsibility for preventing fraud ought to lay elsewhere. We have nothing like that for DDoS. The makers of devices that become part of botnets, the operators of open servers used to reflect and amplify DDoS attacks, and the owners and operators of networks who permit source address forgery, bear none of the costs of inevitable storms of DDoS traffic that result from their malfeasance.”
- People still consider this a problem worth solving. The general feeling is that abandoning it will just make the mitigation part harder and harder, not cheaper and simpler. At the same time, anything that contributes to the effective mitigation of a DDoS attack should be taken as an integral element of the overall solution.
Please let us know if you have thoughts on anti-spoofing or ideas on how to address it – and whether or not you think it is a problem worth solving. We’ve created a mailing list to follow up the BoF discussions at RIPE, which you can join at https://elists.isoc.org/mailman/listinfo/anti-spoofing. Or, of course, you can always comment here on the blog or on Twitter, Facebook, or Google+.