FAQs on Preventing Network Spoofing
- Published on Thursday, 13 March 2014 12:29
Computers and other devices connected to the Internet use IP (Internet Protocol) addresses to establish end-to-end communications. Most devices use a single IP address, though some have several. Successful communication relies on both the source and destination addresses being encoded in packets sent between the systems to enable two-way interactions. Thus, your packet has the destination address, as well as the return (source) address, much like a letter.
Many network attacks make use of the ability to "spoof" or "forge" the source IP address in a packet. A forged source address makes it difficult or impossible to trace the source of an attack. In addition, it can be used to take down networks in large-scale Distributed Denial of Service (DDoS) attacks, where many computers are told to send a response to the forged source address, so the replies flood the victim whose address was forged.
Unfortunately, the Internet's architecture does not prohibit source address spoofing by default; network operators are relied upon to do so.
Since each device on the Internet should be assigned a given IP address, rules and configuration settings on the source network must be used to ensure that the device cannot send packets with a source address that was not assigned to it. Proper configuration and policy that effectively block IP spoofing go a long way toward cutting down on the avenues available for abuse and attack on the network. This recommendation has been enshrined by the Internet engineering community as Best Current Practice #38, or BCP38 for short, and published by the IETF (Internet Engineering Task Force) in its Request For Comments (RFC) document series as RFC2827.
Comcast's Efforts to Prevent IP Address Spoofing
Comcast implements "source address filtering" or "source address validation" as a basic technique to prevent IP address spoofing. As a result, we implement BCP38/RFC2827 in our network.
To do this in our subscriber network we use one of two techniques: Unicast Reverse Path Forwarding (uRPF) verification, or DOCSIS Source Address Verification (SAV). uRPF is described in RFC3704, and SAV is described in Section 9.6 of the DOCSIS 3.0 standard's security specifications. Using these methods, customers are prevented from sending traffic with spoofed IP addresses through their cable modems.
Although Comcast does its best to prevent IP address spoofing, there are situations where applying uRPF checking is not feasible or practical. This includes services for some commercial customers that have multiple Internet service providers, known as multi-homing, where the return path for a customer's prefix may not be the link the traffic arrived on. In cases such as these, Comcast can and does provide guidance to such customers so that they can effectively implement uRPF or similar checking within their own networks. BCP84/RFC3704 elaborates further on these cases.
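The following is an added illustration, not Comcast's code or configuration, of the three checks discussed above: strict uRPF (the packet's source must be reachable back through the interface it arrived on), loose uRPF (the source merely needs a non-default route, which is the relaxed mode BCP84 suggests for multi-homed customers), and a DOCSIS SAV-style check (a subscriber interface may only source the addresses assigned to it). The forwarding table, interface names and sample packets are constructed for the example and use documentation address ranges; the goal is to show why the single-homed case passes strict mode, why a spoofed source fails every check, and why a multi-homed customer can fail strict mode yet pass loose mode.

```python
"""Toy BCP38 / RFC3704 source-address validation over a constructed FIB.

Added example; not Comcast's implementation. Interface names, routes and
assigned addresses are hypothetical and chosen to exercise each case.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the router would use to reach this prefix


# Constructed forwarding table of an edge router (longest prefix wins).
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream0"),          # default route
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-a"),       # single-homed customer
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust-b-link1"),  # multi-homed customer, primary link
]

# Constructed per-interface assignments, modelling DOCSIS-style SAV where a
# cable modem may only source packets from the address(es) it was assigned.
SAV_ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.7/32")],
}


def best_route(src: ipaddress.IPv4Address):
    """Longest-prefix match: the route the router would use to reach src."""
    best = None
    for route in FIB:
        if src in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_strict(src_ip: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the reverse path to src exits via the ingress interface."""
    route = best_route(ipaddress.ip_address(src_ip))
    return route is not None and route.interface == ingress


def urpf_loose(src_ip: str, ingress: str) -> bool:
    """Loose uRPF: accept if any non-default route to src exists, regardless of ingress."""
    route = best_route(ipaddress.ip_address(src_ip))
    return route is not None and route.prefix.prefixlen > 0


def sav_check(src_ip: str, ingress: str) -> bool:
    """SAV-style check: the source must be an address assigned to this subscriber interface."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in SAV_ASSIGNED.get(ingress, []))


def evaluate(src_ip: str, ingress: str) -> dict:
    """Run all three checks for one packet; returns a name -> pass/fail map."""
    return {
        "strict_urpf": urpf_strict(src_ip, ingress),
        "loose_urpf": urpf_loose(src_ip, ingress),
        "sav": sav_check(src_ip, ingress),
    }


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on, description)
    packets = [
        ("198.51.100.7", "cust-a", "single-homed customer, legitimate source"),
        ("192.0.2.9", "cust-a", "spoofed source with no route other than default"),
        ("203.0.113.5", "cust-b-link2", "multi-homed customer arriving on its secondary link"),
    ]
    for src, ingress, why in packets:
        result = evaluate(src, ingress)
        verdicts = ", ".join(f"{k}={'pass' if v else 'DROP'}" for k, v in result.items())
        print(f"{src:>14} via {ingress:<13} {verdicts}   ({why})")
```

The third packet is the multi-homing case from the paragraph above: the router's best path back to 203.0.113.0/24 is the primary link, so a packet arriving on the secondary link fails strict uRPF even though the address is genuinely the customer's, while loose uRPF still rejects the unrouted spoofed source. SAV has no entry for the multi-homed interface, which is why that style of check is applied on subscriber cable modems rather than on multi-homed commercial links.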
The Internet Community
Implementation of techniques to prevent IP address spoofing can be thought of as an "environmental benefit" for the Internet.
When implemented by Comcast or another network operator, these measures don't only or even primarily benefit that operator's customers. Rather, they benefit the broader community by plugging security holes in the Internet, and preventing more widespread DDoS attacks that leverage spoofing. The broader the uptake of these techniques, the greater the improvement overall and the safer we all become on the Internet.
The FCC's Communications Security, Reliability, and Interoperability Council (CSRIC) is also working to improve this in the U.S. CSRIC has studied this issue in the past and continues to do so.
Since Comcast prevents IP address spoofing and supports BCP38, what benefits does this have for the rest of the Internet?
Our techniques help limit malicious traffic that could otherwise come from Xfinity Internet customers, destined to or targeted at other Internet networks or servers. As a result, any attack launched from a Comcast subscriber will have the true IP address of the subscriber's cable modem and as such can be rapidly traced back and mitigated. As such it is not possible to use a Comcast residential Internet customer as an originating source for distributed denial of service (DDoS) attacks that use IP address spoofing to conceal the addresses of computers used in those attacks, such as a recent DNS amplification attack against an anti-spam organization or a recent NTP amplification attack against a content delivery network (CDN).