RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
Network Working Group: P. Ferguson, D. Senie
Request for Comments: 2827
Obsoletes: RFC 2267
BCP: 38
Category: Best Current Practice
Organizations: Cisco Systems, Inc. / Amaranth Networks Inc.
Date: May 2000
Status of this Memo
This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.
Contents
- 1. Introduction
- 2. Background
- 3. Restricting forged traffic
- 4. Further capabilities for networking equipment
- 5. Liabilities
- 6. Summary
- 7. Security Considerations
- 8. Acknowledgments
- 9. References
- 10. Authors' Addresses
- 11. Full Copyright Statement
Quick Links
- Official RFC: https://www.rfc-editor.org/rfc/rfc2827.txt
- Datatracker: https://datatracker.ietf.org/doc/html/rfc2827