
Homepage: www.bcp38.info
This is BCP38.info.
What's BCP38?
BCP 38 is RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.
So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them.
What??
Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners do not even know are there.
How do they get away with that?
DoS attacks, and their even nastier cousins, Distributed Denial of Service attacks, are hard enough to deal with, but if the packets which comprise the attack have forged source IP addresses, it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.
Can we fix that?
The solution to this problem, described in RFC 2827, which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the Internet which have source IP addresses which are forged - IP addresses that were not assigned to the device which is sending them.
There are a small number of situations in which such packets are not fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source - the 'ingress filtering' mentioned in the title of the RFC.
Isn't that complicated?
In general: no. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, CMTS or similar. Most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.
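The edge check described above, sketched in Python as an added example (it is not code from BCP38.info or RFC 2827): a packet is forwarded only if its source address lies in a prefix assigned to the customer port it arrived on, or in a manual exception for that port. The port names, prefixes and exception table are constructed sample data using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data: prefixes the provider assigned to each customer port.
ASSIGNED = {
    "cust-port-1": ["192.0.2.0/25"],
    "cust-port-2": ["198.51.100.16/28", "2001:db8:2::/48"],
}
# Manual exceptions: sources that are legitimate on a port although not assigned
# there, e.g. a multihomed customer sending from another provider's space.
EXCEPTIONS = {
    "cust-port-2": ["203.0.113.0/24"],
}


def _networks(table):
    """Parse a {port: [prefix, ...]} table into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


class IngressFilter:
    def __init__(self, assigned, exceptions=None):
        self.assigned = _networks(assigned)
        self.exceptions = _networks(exceptions or {})
        self.dropped = Counter()  # per-port drop counts, a hint at infected hosts

    def permits(self, port, src):
        """Return True if a packet arriving on `port` with source `src` is forwarded."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None  # unparsable source address: treat as forged
        # Unknown ports have no allowed prefixes, so they are denied by default.
        allowed = self.assigned.get(port, []) + self.exceptions.get(port, [])
        # `addr in net` is False when IP versions differ, so mixing v4/v6 is safe.
        ok = addr is not None and any(addr in net for net in allowed)
        if not ok:
            self.dropped[port] += 1
        return ok
```

The per-port drop counter is the operationally useful by-product: a customer port that keeps hitting the filter is a likely location of a spoofing bot.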
So why don't people do it?
Many different reasons. Some people do not know they can; some do not know they should; some purposefully think they should not.
In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.
The purpose of this website is to:
- explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that is not expected
- give some examples of why this might happen legitimately and because of bad actors
- show what the results can be and how ingress filtering could have made them easier to mitigate, and
- tell network operators in detail
  - why they should implement BCP38
  - how to implement it
  - how much - if anything - it will cost
  - what collateral damage it may cause
  - and (most importantly) how to sell it to their bosses.
Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and give you prescriptive advice on what you can do to help solve it.

















