With the When spammers go to war: Behind the Spamhaus DDoS, DDoS (Distributed Denial of Service) attacks have been discussed widely on a number of news and technical blogs.

While discussion has been greatly overzealous in some cases concerning this specific attack, the fact that this is preventable creates concern among many network professionals that we are not doing enough to inform people of the dangers.

The attack used on Spamhaus had used two vulnerabilities that exist on at a number of small businesses to medium sized businesses as well as larger providers.  The first and easiest at least in term of implementation is regulating open DNS resolvers.  CYMRU has an easy to follow guide on both BIND and Microsoft’s server on their website:


By limiting open recursive DNS servers on the internet, we will simply stop one type of attack however.  The root cause of the attacks is from IP Spoofing attacks, which can be a bit more difficult to implement. Network Ingress Filtering has been considered a best current practice since May of 200, and is listed at the IETF’s website here:

Network Ingress Filtering Defeating Denial of Service Attacks The most common way to implement

BCP38 is through unicast reverse packet forwarding (uRFP) in most commercial routers with up to date firmware.  This is mainly used when the router has a single connection to the internet.  When you have multiple connections however, traffic can return from different paths so design considerations should be made on where to implement BCP38.

For more information and actual implementation, I would suggest checking What’s BCP38?.  At the current time the site is not complete, but I suspect this will have the most up to date information on both planning and implementation.