Source Filtering at the Edge

NetworkWorld.com Community
In the previous post I discussed some of the basic principles of edge filtering both to protect your network (incoming filtering) and your neighbor’s network (outgoing filtering). One of the key elements of an incoming filter is admission of packets only from expected sources and blocking of packets from all other sources.
The objective of this filtering element is to guard against attacks in which the attacker claims to be someone he is not by falsifying the source address of the packets he sends. Source address spoofing is used in a wide variety of attacks, primarily Denial of Service attacks: The attacker is not interested in getting responses to the packets he sends, only in disrupting the target server or network. Spoofing also helps the attacker hide the true source (or multiple sources) of the attack, permitting a more sustained attack and perhaps protecting himself from identification (although no Bad Guy with any intelligence will launch an attack from his own network).
For a stub (non-transit) network, filtering spoofed packets is straightforward: You block any incoming packets that have a source address belonging to a prefix behind the entry point. Any packet entering your network that claims to have been sourced from within your network is illegitimate and probably malicious.
For transit providers, source filtering at the customer edges is essential. As I said, no intelligent Bad Guy launches an attack from his own network; he hijacks someone else’s network directly or (more typically) with surreptitiously installed software that he can control remotely. The tremendous power behind a Distributed Denial of Service attack is in the attacker’s ability to spend long periods of time installing software agents in dozens or hundreds of compromised networks and then launching an attack against a target simultaneously from all these sources. There’s not much you can do to prevent your customer’s network from being compromised, but a source filter can block an attack launched by a remotely controlled DDoS agent installed in the network.
Source filtering a customer’s network is simply a matter of allowing packets with source addresses belonging to the customer’s prefixes and denying packets with any other source address.
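The two filter elements described above (the stub-network rule that drops inbound packets claiming an interior source, and the customer-edge rule that permits only the customer's own prefixes) can be expressed as a short policy check. The following is an added example, not code from the original post; it uses constructed documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and constructed packet headers, and the ACL renderer emits Cisco IOS-style extended ACL lines purely for illustration of how the prefix list maps onto router configuration.

```python
import ipaddress

# Constructed sample prefixes (RFC 5737 / RFC 3849 documentation ranges).
OWN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def _in_any(addr, prefixes):
    """True if addr falls inside any prefix of the same IP version."""
    return any(addr.version == p.version and addr in p for p in prefixes)


def stub_inbound_allowed(src, own_prefixes):
    """Stub network at its upstream entry point: a packet arriving from outside
    that claims a source inside our own prefixes is spoofed, so deny it."""
    return not _in_any(ipaddress.ip_address(src), own_prefixes)


def customer_edge_allowed(src, customer_prefixes):
    """Transit provider at a customer port: only the customer's own prefixes
    are legitimate sources; everything else is denied."""
    return _in_any(ipaddress.ip_address(src), customer_prefixes)


def filter_packets(packets, policy, prefixes):
    """Apply a policy function to a list of (src, dst) headers.
    Returns (permitted, denied) lists of (src, dst) tuples."""
    permitted, denied = [], []
    for src, dst in packets:
        (permitted if policy(src, prefixes) else denied).append((src, dst))
    return permitted, denied


def to_ios_acl(name, prefixes, mode):
    """Render the prefix list as Cisco IOS-style extended ACL lines (IPv4 only).
    mode='stub' denies the listed prefixes as sources and permits the rest;
    mode='customer' permits only the listed prefixes and denies the rest."""
    lines = [f"ip access-list extended {name}"]
    action = "deny" if mode == "stub" else "permit"
    for p in prefixes:
        if p.version != 4:
            continue  # IPv6 uses a different ACL syntax; omitted here
        lines.append(f" {action} ip {p.network_address} {p.hostmask} any")
    lines.append(" permit ip any any" if mode == "stub" else " deny ip any any")
    return lines


# Constructed sample traffic arriving at an interface: (source, destination).
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.80"),    # ordinary outside host
    ("192.0.2.10", "192.0.2.80"),     # claims to be inside: spoofed
    ("2001:db8::1", "2001:db8::80"),  # IPv6 source inside our own prefix
    ("198.51.100.7", "203.0.113.9"),  # customer's own address
]


def stub_summary():
    """Counts of permitted/denied packets under the stub-network inbound filter."""
    permitted, denied = filter_packets(SAMPLE_PACKETS, stub_inbound_allowed, OWN_PREFIXES)
    return len(permitted), len(denied)


def customer_summary():
    """Counts of permitted/denied packets under the customer-edge filter."""
    permitted, denied = filter_packets(SAMPLE_PACKETS, customer_edge_allowed, CUSTOMER_PREFIXES)
    return len(permitted), len(denied)


if __name__ == "__main__":
    print("stub filter (permitted, denied):", stub_summary())
    print("customer filter (permitted, denied):", customer_summary())
    print("\n".join(to_ios_acl("ANTI-SPOOF-IN", OWN_PREFIXES, "stub")))
    print("\n".join(to_ios_acl("CUST-A-IN", CUSTOMER_PREFIXES, "customer")))
```

The two policies are mirror images: the stub filter is a deny list of interior prefixes with a permit-everything-else tail, while the customer-edge filter is a permit list with a deny-everything-else tail. Keeping the prefix list as data and generating the ACL from it is what makes the customer case manageable when prefixes are added or removed.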
But what about those occasional customers whose prefixes change regularly? And what about peering partners and upstream service providers, who send you a large and dynamic set of prefixes? Is there anything you can do to block spoofed packets at your connections to those networks? I’ll write about that in the next post.