Why can’t ISPs block spoofed packets?

Posted on Jun 20 2014 - 1:39pm by Contributing Writer

By Hemant Jain, Fortinet

It’s no secret that most DNS reflection attacks flooding the Internet today are caused by spoofing the source address. SYN floods, for example, are spoofed TCP floods, in which the source of the IP packets appears to be different than their actual origin. And according to industry statistics, SYN floods are the second most popular DDoS infrastructure attack vector, comprising around 15 percent of all attacks.

Similarly, UDP and ICMP floods are attacks that are also easily spoofed. UDP floods, in fact, represent the highest percentage of protocols used for DDoS attacks, hovering at around 30 percent.

The same is true for cloud data centers that house numerous Internet-facing servers. If these servers are compromised, they too can send spoofed packets.

Now, if these kinds of attacks are so serious, one would think that ISPs would simply stop them at the source. All ISPs know their customers’ network addresses and, in theory, can easily enforce anti-spoofing policies on all packets.

Also, while ISPs may not typically be the primary targets of an attack, it’s certainly within the realm of possibility. Among other things, the benefits to ISPs would include reduced bandwidth and related costs, as well as having imminent threats filtered out by other ISPs. Ideally, the benefits would be enough to compel an increase in social cooperation and collective responsibility throughout the industry.

In short, if all ISPs regularly blocked spoofed packet egress from their network to their peers, the world would be a safer and more peaceful place.


Then why don’t they do it? Well, for several reasons.

The primary reason is related to the architecture of Internet routers. High-speed routers that face the Internet are designed to forward packets with the lowest latency. In a sense, it would be like requiring car registration verification for every car on the freeway entrance – a move that would potentially bring traffic to a standstill.

Likewise, unless ISPs implement more expensive routers, Internet traffic would almost definitely experience severe latency if anti-spoofing were conducted at the edge.

Additionally, the effort requires provisioning every router with its own anti-spoofing list, which in turn, makes the security process specific to every router. Not surprisingly, this also increases costs while further complicating centralized management.
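
The per-router anti-spoofing list described above, as an added example (not code from this article or from Fortinet): a source-address check against the customer prefixes attached to each edge router, showing why the same source can be valid on one router and spoofed on another. Router names, prefixes and sample traffic are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed per-router anti-spoofing lists: the customer prefixes
# attached to each edge router (documentation ranges, not real networks).
ANTI_SPOOF_LISTS = {
    "edge-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "edge-b": ["198.51.100.0/24", "203.0.113.0/25"],
}

def compile_lists(raw):
    """Parse prefix strings once so the per-packet check stays cheap."""
    return {
        router: [ipaddress.ip_network(p) for p in prefixes]
        for router, prefixes in raw.items()
    }

def egress_allowed(lists, router, src):
    """True if src falls inside a customer prefix attached to this router."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    # A router with no list forwards nothing (fail closed).
    return any(
        addr.version == net.version and addr in net
        for net in lists.get(router, [])
    )

def filter_egress(lists, packets):
    """Split (router, claimed source) pairs into forwarded and dropped."""
    forwarded, dropped = [], []
    for router, src in packets:
        ok = egress_allowed(lists, router, src)
        (forwarded if ok else dropped).append((router, src))
    return forwarded, dropped

# Constructed sample traffic: (router the packet arrived on, claimed source).
SAMPLE = [
    ("edge-a", "192.0.2.10"),     # customer of edge-a
    ("edge-b", "192.0.2.10"),     # same source on edge-b: spoofed there
    ("edge-b", "203.0.113.200"),  # outside the /25 attached to edge-b
    ("edge-a", "2001:db8:a::1"),  # IPv6 customer of edge-a
    ("edge-a", "10.0.0.1"),       # not a customer prefix at all
]

if __name__ == "__main__":
    fwd, drop = filter_egress(compile_lists(ANTI_SPOOF_LISTS), SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```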

There is, of course, a beacon of light in this dim tunnel. Fortinet’s FortiDDoS protects from such spoofed packets via its hardware anti-spoofing engine for TCP as well as numerous granular controls available for other protocols.

But until the cloud data centers and ISPs figure out a strong and plausible economic business case for anti-spoofing at egress and ingress respectively, customers will need to rely on third-party solutions to mitigate DDoS attacks.
