
3. Restricting forged traffic

The problems encountered with this type of attack are numerous, and involve shortcomings in host software implementations, routing methodologies, and the TCP/IP protocols themselves. However, by restricting transit traffic which originates from a downstream network to known, and intentionally advertised, prefix(es), the problem of source address spoofing can be virtually eliminated in this attack scenario.

                              11.0.0.0/8
                                  /
                              router 1
                                  /
                                 /
                                /                        204.69.207.0/24
   ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
    A         B         C        D        2
                                /
                               /
                              /
                          router 3
                             /
                        12.0.0.0/8

In the example above, the attacker resides within 204.69.207.0/24, which is provided Internet connectivity by ISP D. An input traffic filter on the ingress (input) link of "router 2", which provides connectivity to the attacker's network, restricts traffic entering that link to packets whose source addresses fall within the 204.69.207.0/24 prefix, and so prohibits an attacker from using "invalid" source addresses which reside outside of this prefix range.

In other words, the ingress filter on "router 2" above would check:

IF    packet's source address is from within 204.69.207.0/24
THEN  forward as appropriate

IF    packet's source address is anything else
THEN  deny packet

Network administrators should log information on packets which are dropped. This then provides a basis for monitoring any suspicious activity.
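The following is an added worked example of the ingress check and the drop logging described above; it is not part of the original text. It models what "router 2" does on its customer-facing input link: forward only packets whose source address lies inside the prefix the customer is known to originate, deny everything else, and keep a record of every denial so that suspicious activity can be reviewed afterwards. The filter accepts a list of prefixes rather than a single one, and also denies a source that does not parse as an address at all. The packet records, the log format and the class and function names are assumptions made for this example; the prefixes are those in the diagram above.

```python
"""Ingress (source-address) filter in the style of the check described above.

Added example, not part of the original page. Models the filter on the
ingress link of "router 2": forward only packets sourced from the
customer's advertised prefix(es), deny the rest, and log what was denied.
All packet records below are constructed for this example.
"""
import ipaddress
from collections import Counter

# Constructed sample: the prefix(es) assigned to the downstream (customer) network.
CUSTOMER_PREFIXES = ("204.69.207.0/24",)


class IngressFilter:
    """Source-address filter for one customer-facing ingress link."""

    def __init__(self, allowed_prefixes):
        # strict=True rejects a prefix with host bits set, a common config typo.
        self.allowed = [ipaddress.ip_network(p, strict=True) for p in allowed_prefixes]
        self.dropped = []  # log of (src, dst, reason) for every denied packet

    def decide(self, src, dst):
        """Return "forward" or "deny" for one packet, logging denials."""
        try:
            src_addr = ipaddress.ip_address(src)
        except ValueError:
            # A source that is not even a valid address is never forwarded.
            self.dropped.append((src, dst, "unparseable source"))
            return "deny"
        for net in self.allowed:
            if src_addr.version == net.version and src_addr in net:
                return "forward"
        self.dropped.append((src, dst, "source outside customer prefix"))
        return "deny"

    def top_spoofed_sources(self, n=3):
        """Summarise the drop log: the forged sources seen most often."""
        return Counter(s for s, _, _ in self.dropped).most_common(n)


# Constructed traffic arriving on router 2's ingress link from the attacker's network.
SAMPLE_PACKETS = [
    ("204.69.207.17", "12.0.0.5"),    # legitimate customer host
    ("204.69.207.254", "11.0.0.9"),   # legitimate customer host
    ("11.0.0.3", "12.0.0.5"),         # forged: claims to be inside 11.0.0.0/8 behind router 1
    ("12.0.0.8", "11.0.0.9"),         # forged: claims to be inside 12.0.0.0/8 behind router 3
    ("10.1.2.3", "12.0.0.5"),         # forged: private address, never valid from this link
    ("204.69.208.1", "12.0.0.5"),     # forged: adjacent prefix that is not this customer's
]


def run_filter(packets=SAMPLE_PACKETS, prefixes=CUSTOMER_PREFIXES):
    """Apply the ingress filter to a packet list; return (forwarded, filter)."""
    f = IngressFilter(prefixes)
    forwarded = [(s, d) for s, d in packets if f.decide(s, d) == "forward"]
    return forwarded, f


if __name__ == "__main__":
    forwarded, f = run_filter()
    print("forwarded:", forwarded)
    for src, dst, why in f.dropped:
        print(f"DROP src={src} dst={dst} reason={why}")
    print("most frequent forged sources:", f.top_spoofed_sources())
```

Run as a script, the two packets sourced from 204.69.207.0/24 are forwarded and the other four are denied and logged. The drop log is the part an administrator would keep: the per-source summary is what makes a single customer link that is suddenly emitting hundreds of distinct forged sources stand out.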