uRPF – Prevention of IP SRC spoofing inside AS (BCP38)

In today world the strongest DDOS are amplification attacks. They use UDP based services. There 2 steps of the attack. First – attacker finds wrong configured servers on public Internet. The second step is that PC with malware sends to these servers small UDP packets with changed IP address. In IP SRC field of the packet is put IP address of the target. So, server sends large packet as an answer, but sends it to address of the victim. Because answer is several times larger than a request the attack is called amplification.

DNS, NTP, SNMP is easy to misuse. Here are examples:
DNS
We can send a request ANY
dig google.com @8.8.8.8 ANY – we are requesting all entries under the domain google.com. 8.8.8.8 – is IP of the DNS server.
The request itself is 68 bytes. But the answer is around 500 bytes. It is 10 times more.
Prevention on server side is to deny requests from the Internet to your DNS server. But if you provide public DNS which should be available from the Internet, then you have to rate limit requests to DNS from outside.
In case of Bind it is –
options { directory "/var/named"; rate-limit {
responses-per-second 5; log-only yes; }; };

NTP
NTP attacks use monlist command of NTP, it helps in getting large answers.
$ ntpdc -n -c monlist 195.44.23.11 (IP of a NTP server)
Again the best security is not allowing outside IPs to request NTP on your server. Or if you work on Linux, it’s enough to upgrade up to the latest version (june 2015) and monlist feature is removed there. You can also deny it in configuration :

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
– Don’t forget about IPv6 queries

SNMP
Simple command snmpwalk 195.44.23.11 will send you back even kylobytes of answer.
The best security is to use SNMP version 3 with authentication and don’t allow request from outside.

OK, but there are still many admins installing servers without knowing these issues or some of them simply forget to block UDP services, or there is also mallware which can act as UDP server. We as ISPs can block even attempt to make such attacks with blocking packets with changed IP SRC leaving our network. It can be done two ways, first – on ACL on border router or with uRPF.

1a. ACL cisco
we can put on uplink direction out rule to disable IP traffic from all ranges, which are not ours:
Router(config)#ip access list extended BCP38
Router(config-acl)#permit ip 109.205.240.0 0.0.3.255 any
Router(config-acl)#permit ip 109.205.244.0 0.0.3.255 any
Router(config-acl)#deny ip any any
Router(config)#interface fa1/1
Router(config-int)#ip access-group BCP38 out

1a. Firewall Mikrotik
ip firewall filter add action=drop chain=forward disabled=yes out-interface=ether1-gateway src-address-list=!OUR_BLOCKS

2.a uRPF Cisco
uRPF is a better solution, because we don’t have to maintain ACLs or Filters. Router is checking always if IP SRC is comming from the network which exists in routing table (IP cef FIB in cisco). If not, packets are discarded. There are 2 modes – loose and strict. Loose is checking just a routing table and if IP SRC is part of the network which is in FIB, it sends the packets even if port in route is not the same as port where packet came from. Strict mode also verifies the port where packet came from. If FIB and port match, then packet is forwarded, if not then packet is discarded.
It’s better to deploy uRPF L3 device closest to customer. If we deploy it on BGP routers only, still IP spoofers can attack our AS from inside.

Router(config) access-list 101 deny ip any any log
Router(config)#interface fa0/1
Router(config-int)#ip verify unicast reverse-path reachable-via rx 100
– Strict mode
Router(config-int)#ip verify unicast reverse-path reachable-via any 100 – Loose mode

2.b uRPF Mikrotik
ip settings set rp-filter=loose
or
ip settings set rp-filter=strict