
Good Neighbors Know: Now is the Time for Source Address Validation

Source Address Validation Helps Ensure that a Resolver Only Receives Queries from Valid Source Addresses Before Sending Back Responses…

While every Internet security issue is cause for concern, the recent DDoS attack on SpamHaus hit especially close to home, since the company I work for (Afilias) is responsible for the back-end registry operations of the .ORG domain. While the attack ended well for SpamHaus, it made me more aware than ever that each of us can become a better Internet citizen.

One of the Internet’s greatest attributes is that it is, by and large, unregulated. For the most part, it functions well because most of us are good Internet citizens. And while good conduct is generally an effective means of governing the virtual world, occasionally something happens that underscores the importance of stepping up to our stewardship obligations.

The SpamHaus Attack

In late March, as-yet-unknown attackers targeted the website of SpamHaus, an international nonprofit whose mission is to track the Internet’s spam operations and to provide anti-spam protection for Internet networks. The attackers hit SpamHaus by leveraging open recursive resolvers: DNS servers that, usually by default, answer recursive queries from any device without any way of verifying that the source address in a query really belongs to the sender. That configuration makes a reflection DDoS attack easy to execute. The attacker sends a stream of small queries whose source address is forged to be the victim’s, and each resolver dutifully sends its much larger response to the victim rather than to the attacker. Spread across many thousands of resolvers, the replies converge on the target until it is overwhelmed and, as a result, disabled. In the SpamHaus incident, more than 100,000 open resolvers were used to orchestrate an onslaught that reached 300 billion bits per second (300 Gbps), the largest attack of this type reported so far.

A Clear Case for Source Address Validation

While it’s tempting to blame open resolvers for the SpamHaus attack and end the discussion, that paints an inaccurate picture. Open resolvers make for an easy target, but they can be managed properly, as Google does with its public resolvers, and made to comply with the best practices set forth by the IETF’s DNS Operations Working Group in RFC 5358 (BCP 140), “Preventing Use of Recursive Nameservers in Reflector Attacks.” That said, DNS servers provide an ideal system for the type of attack directed at SpamHaus, because the accepted paradigm is that a query arriving at a DNS server is answered in good faith, to whatever source address the query claims to come from. After all, a good citizen gives directions to anyone who asks.

DNS servers and open resolvers are symptoms. The real problem is that the practice of source address validation hasn’t been widely adopted. If networks validated source addresses at their edges, a spoofed query would never leave the network it came from, and a resolver would only receive queries whose source addresses are genuine before it sends back responses.

The term “source address validation” (the ingress filtering described in the IETF’s BCP 38, RFC 2827) refers to a set of techniques that verify the validity of the source IP address in packets submitted to the Internet. In this case, “valid” means that the source address is not drawn from private or otherwise unroutable address space and that it falls within the range of prefixes legitimately advertised by the network the packet came from. (You can still be a good citizen and check the peephole to see who’s there before opening the door.)

I don’t believe that there is any single way to prevent the type of attack experienced by SpamHaus from recurring, but there are ways to dramatically decrease its likelihood. Source address validation tackles the root issue: networks that do not filter spoofed traffic. A network that never checks source addresses lets packets carrying someone else’s address leave its borders, and every reflection attack depends on exactly that. This is not good network neighborhood behavior.
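The definition of a “valid” source address above, and the egress check it implies, written out as a small Python model. This is an added example, not code from the article or from Afilias; it assumes a hypothetical ISP that legitimately originates the documentation prefixes listed below and applies the check to traffic leaving its customer edge, and the victim, resolver and packet addresses are constructed for the scenario:

```python
"""Source address validation in the BCP 38 sense, modelled in Python.

Added example (not the article's own code). It assumes a hypothetical ISP
that legitimately originates the documentation prefixes below and runs this
check at its customer-facing edge, so that a packet carrying any other
source address is dropped before it can reach an open resolver.
"""
import ipaddress
from dataclasses import dataclass

# Address space that must never appear as a source on the public Internet:
# "this network", RFC 1918 private, CGNAT shared, loopback, link-local,
# multicast and reserved; plus the IPv6 unspecified, loopback, ULA,
# link-local and multicast ranges.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Assumption: the prefixes this ISP legitimately advertises (documentation
# ranges standing in for real allocations).
ADVERTISED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24", "203.0.113.0/25", "2001:db8:1::/48",
)]


def validate_source(src, advertised):
    """Return (ok, reason) for one source address.

    "Valid" follows the article's definition: not from private or otherwise
    unroutable space, and inside a prefix this network advertises. The
    ipaddress membership test is version-aware, so a v4 address is never
    matched against a v6 prefix.
    """
    addr = ipaddress.ip_address(src)
    for bogon in BOGON_PREFIXES:
        if addr in bogon:
            return False, f"{src} is in unroutable space {bogon}"
    for prefix in advertised:
        if addr in prefix:
            return True, f"{src} is inside advertised {prefix}"
    return False, f"{src} is not inside any prefix this network advertises"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    note: str  # what the constructed packet represents


def egress_filter(packets, advertised):
    """Apply the check to every packet leaving the network and return
    (forwarded, dropped); each entry pairs the packet with its reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok, reason = validate_source(pkt.src, advertised)
        (forwarded if ok else dropped).append((pkt, reason))
    return forwarded, dropped


# Constructed sample traffic, not captured data. The victim's and the
# resolver's addresses are assumptions made for the scenario.
VICTIM = "192.0.2.10"            # the reflection target
OPEN_RESOLVER = "203.0.113.130"  # an open resolver in a neighbouring network
SAMPLE_PACKETS = [
    Packet("198.51.100.7", OPEN_RESOLVER, 53, "genuine query from our customer"),
    Packet(VICTIM, OPEN_RESOLVER, 53, "spoofed query: the reply would go to the victim"),
    Packet("10.0.0.5", OPEN_RESOLVER, 53, "RFC 1918 source leaking out"),
    Packet("203.0.113.200", OPEN_RESOLVER, 53, "neighbour's address, not ours to use"),
]

if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS, ADVERTISED_PREFIXES)
    for pkt, reason in fwd:
        print(f"FORWARD {pkt.src} -> {pkt.dst}:{pkt.dport} ({pkt.note}); {reason}")
    for pkt, reason in drop:
        print(f"DROP    {pkt.src} -> {pkt.dst}:{pkt.dport} ({pkt.note}); {reason}")
```

Only the customer’s genuine query is forwarded; the spoofed query never reaches the open resolver, so there is nothing for it to reflect. The check is the strict form: a source is accepted only if it belongs to this network. For multihomed customers whose traffic may legitimately arrive over a link other than the one that route points to, the looser variants in BCP 84 (RFC 3704) are the usual compromise, otherwise valid asymmetric traffic is dropped along with the spoofed packets.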

Here is some advice for those in charge of the majority of DNS servers, the ones that are authoritative for their own zones and have no need to perform recursive queries: turn off recursion. In BIND, that is simply “recursion no;” in the options section of the config file.

And for those that do need to recurse for local clients? Be a good Internet citizen and restrict recursion to your own netblocks.
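The open-resolver default and the two pieces of advice above, written as BIND 9 named.conf fragments. This is an added example, not configuration from the article or from Afilias; the ACL prefixes are assumed documentation ranges, and because named.conf allows only one options statement, the three fragments are alternatives rather than one file:

```conf
// The weak setting this article warns about: an open resolver.
// Recursion is on and nothing limits who may ask for it.
options {
    recursion yes;
    allow-query { any; };
};

// Authoritative-only server (the majority of DNS servers): it never
// recurses, so it has no cache to reflect for an attacker.
options {
    recursion no;
    allow-query { any; };           // still serve our own zones to the world
    // Authoritative answers can still be reflected; on BIND versions with
    // response rate limiting, throttle repeated identical responses.
    rate-limit { responses-per-second 10; };
};

// Recursive resolver for local clients: recursion only from the netblocks
// this network actually originates (assumed ranges).
acl "our-nets" {
    localhost; localnets;
    198.51.100.0/24; 203.0.113.0/25; 2001:db8:1::/48;
};
options {
    recursion yes;
    allow-recursion { "our-nets"; };
    allow-query-cache { "our-nets"; };
    allow-query { "our-nets"; };    // relax per zone if this host is also authoritative
};
```

After changing the configuration, verify from an address outside the ACL that a recursive query for a name you are not authoritative for is refused rather than answered; a resolver that answers it is still open, whatever the config file says.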

Good Citizenship

The biggest challenge to implementing source address validation is that there is no immediate benefit to the companies that do it: the filtering protects everyone else’s networks, not their own. However, the stakes are higher than short-term returns. Until now, the Internet has governed itself, and it has done a good job of it. If bad behavior continues, the chances increase that governance of the Internet will be taken from Internet citizens and turned over to authoritative entities. So the onus to make the necessary adjustments to the infrastructure lies with all of us. I invite all ISPs to put good citizenship above all else and do their part toward making IP spoofing a thing of the past.
