broken network cable

The Spoof Is Still In The Pudding

broken network cable‘Dear friend, I’m in terrible trouble in Ukraine, please help me’ — many of us have received similarly worded, pleading emails from friends we’ve known for years. But of course, it’s a phishing email from someone else — someone who’s hacked your friend’s mail account, copied all the contacts and then spoofed the email address — to grab your attention and solicit your financial support. You may also work in a company that has been hassled by Denial of Service (DoS) attacks on its website, where the attacker uses your company’s IP address to send a short request to a DNS server, which then responds with a massively bigger response that overwhelms your systems, and renders your web site inaccessible (a so-called DNS amplification attack). Oh, and it may hit your phones too (both voice calls and SMS), when telemarketers use VoIP calling to falsify the caller ID to make illegal cold calls to you at home in the evening.

While I fully respect individuals who wish to remain anonymous for privacy reasons, using a false sender’s address or phone number has no justification whatsoever. So, is anyone trying to stop this address faking scam?

The problems encountered when trying to stop this type of attack are numerous, and involve shortcomings in host software implementations, routing methodologies, and the TCP/IP protocols themselves. However, there are multiple technologies for restricting traffic from a downstream network to known, and intentionally advertised, addresses. With such blocking, the problem of source address spoofing can be significantly reduced. Multi-homed business users just need to have provable use of the different addresses.

However, while much technical effort has been invested over the past 25 years to stop the rot, the main issue remains that there is little service provider enforcement, leading to limited compliance.

The US Federal Trade Commission mulled over regulatory steps last year, but gave up. It was too difficult to tackle: ‘if the scammers use the Internet, we’ll never catch them’. Right after that, the US Congress buried the ‘H.R. 3670: Anti-Spoofing Act of 2013’ proposal in the Energy & Commerce Committee from whence no one ever expects it to reappear.

The Internet Engineering Task Force (IETF) has set up a Working Group on Source Address Validation Improvements (SAVI). Apart from the incredible annoyance and outright theft from individuals and companies perpetrated by spoofers, SAVI has found it difficult to actually create a viable business case for anti-spoofing in the global ISP context. This is partly because Service Provider A, who blocks spoofing on all interfaces to other networks, is not himself less vulnerable to spoofing attacks from Service Provider B’s networks that do not block the spoofing aimed at A’s network. It just ensures that network A is not used as a launch pad for such attacks. Another reason for the lack of ISP blocking effort is that any incurred loss (such as an inaccessible e-commerce site) is not a loss for the ISP, but for the end user. Yet it is the ISP who has to fund the additional filtering technology.

In markets where there is a recognized revenue loss for content providers, notably digital cable-TV networks, where theft of service by cloning a MAC address on a cable modem is similar to spoofing IP addresses on the web, the problem was addressed several years ago, with a mechanism for validating source IP addresses included in the DOCSIS 3.0 (the Data-Over-Cable Service Interface Specifications version 3) standard. SAVI is now working to port this source address verification procedure to all kinds of networks independent of any connected host functionality.

Clearly, the way forward is for ICANN (The Internet Corporation for Assigned Names and Numbers) to make the business case very clear for ISPs who can’t be bothered to invest in the filtering that would stop a very large percentage of the spoofing traffic. Specific recommendations could start with requiring network operators to implement and publicly disclose their network ingress filtering to restrict packet-level forgery to the greatest extent possible. Non-compliance could result in loss of customers, or being excluded from essential peering arrangements. We, in the Internet community can also quit ISPs that are unwilling to block spoofing — that might incentivize the laggards.

About the author
Bernt Ostergaard