RFC 2267 (rfc2267) - Page 1 of 10
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
Alternative Format: Original Text Document
Network Working Group P. Ferguson
Request for Comments: 2267 Cisco Systems, Inc.
Category: Informational D. Senie
BlazeNet, Inc.
January 1998
Network Ingress Filtering:
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Abstract
Recent occurrences of various Denial of Service (DoS) attacks which
have employed forged source addresses have proven to be a troublesome
issue for Internet Service Providers and the Internet community
overall. This paper discusses a simple, effective, and
straightforward method for using ingress traffic filtering to
prohibit DoS attacks which use forged IP addresses to be propagated
from 'behind' an Internet Service Provider's (ISP) aggregation point.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Restricting forged traffic . . . . . . . . . . . . . . . . 5
4. Further capabilities for networking equipment. . . . . . . 6
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations. . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9
11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10
Ferguson & Senie Informational
