Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
Network Working Group                                        P. Ferguson
Request for Comments: 2827                           Cisco Systems, Inc.
Obsoletes: 2267                                                 D. Senie
BCP: 38                                           Amaranth Networks Inc.
Category: Best Current Practice                                 May 2000
Status of this Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
Recent occurrences of various Denial of Service (DoS) attacks which
have employed forged source addresses have proven to be a troublesome
issue for Internet Service Providers and the Internet community
overall. This paper discusses a simple, effective, and
straightforward method for using ingress traffic filtering to
prohibit DoS attacks which use forged IP addresses to be propagated
from 'behind' an Internet Service Provider's (ISP) aggregation point.
Table of Contents
1. Introduction
2. Background
3. Restricting forged traffic
4. Further capabilities for networking equipment
5. Liabilities
6. Summary
7. Security Considerations
8. Acknowledgments
9. References
10. Authors' Addresses
11. Full Copyright Statement
Ferguson & Senie Best Current Practice