Enforcing Source Integrity: BCP38 and Open Resolver Problems

• Previous message (by thread): Cloudflare, and the 120Gbps DDOS "that almost broke the Internet"
• Next message (by thread): Verizon Wireless security contact needed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The root cause of high scale directed amplification attacks is the failure
to assure the integrity of the source IP address. This failure leads to a
large set of directed amplification attack vectors.

BCP38 was written in 2000, coming up on its 13th anniversary. This root
cause, and various methodologies & technologies to resolve it, have been an
ongoing discussion since back to the 90s.

The failure to enforce this BCP or the related technological mechanisms to
force implementation is the root cause of why the Internet cannot always
trust source addresses and why these attack vectors persist. Until the ISP
community gets serious about forcing the integrity of source addresses
throughout its topology, various flavours of attack whose root cause is the
spoofed source addresses will continue.

Yes, it is not easy to do because it is a transitive trust issue, linked to
topology and address management policy. Yes it would be easier if there was
a magic bullet to validate source addresses built into the architecture.
But there is not, the architecture is what it is. If every step of the
chain enforced the integrity of source addresses, this risk would be
resolved. There are multiple different steps that could be taken, including
law enforcement, statute, contractual, policy, process and technological
mechanisms.

Every ISP and content providers' business model is threatened by this
vulnerability. Every attack drives up operational expenses for everyone.
Opportunity costs of missed sales and impacted business are everywhere. It
is a pure tragedy of the commons - for lack of enforcement, the whole
system is threatened in scale.

This problem cannot be allowed to rest at the edges simply by pointing at
the current amplification vector. Yesterday it was something different.
Tomorrow it will different again. The constant is the rising scale of the
Internet and resulting increase in scale of the attack and its
corresponding economic impact. The root cause is not today's Google issue.

The ISP community has the power to enforce this through policy and
technological means. Whether it has the will and ability to self-organize
and enforce is a different issue (and also, a long standing one).

The discussion needs to be not just about the edge issue of the day. It
needs to be about what forum, and what means can be used to enforce this
integrity. Post-9/11 the ISP community has significantly more hammers in
its arsenal now that it did in May 2000. Perhaps NANOG is not the right
forum to discuss, but if not, what is? This is truly an operational threat
to the whole community. Leadership needs to come from the largest
providers, not just from the smallest.

Today the threat is rogue data centres hosting spammers trying to game the
system, tolerated by their up stream providers. Does this really need to be
a hostile state or quasi-state actor deliberately threatening the
infrastructure before serious coordinated action is taken?

We really do know better.

Eric Carroll

• Previous message (by thread): Cloudflare, and the 120Gbps DDOS "that almost broke the Internet"
• Next message (by thread): Verizon Wireless security contact needed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]