BCP38: How to only use it for incoming traffic?

As the title says ...

BCP38 is all about having your firewall drop packets intended for the internet (so egress/outgoing only) that have a source address that is not downstream of your router. So it will not do anything for ingress traffic anyway... I would guess you either need to disable bcp38 or adjust the configuration. The default configuration is a sane default, so think hard why you think you need to change/disable it in the first place....



Adjust the following to your use case:


BCP38 only checks outgoing packets? You sure? How does it stop DDoS and spoof attacks?

@moeller0 @lleachii

Pretty sure.

Read this: http://www.bcp38.info/index.php/Main_Page
In short, it does not work by making DDoS TO your network harder (it cannot) but by making it harder/impossible for devices in your network to use spoofed source addresses. So, machines in your network are less likely to participate in DDoS attacks.


It helps prevent your devices from being used to attack others, but is not related to incoming traffic from outside.


  1. It doesn't help me, but the internet?

  2. Are there attacks where an attacker on the LAN uses a spoofed IP?

@moeller0 @hnyman @lleachii


Yes. DDOS for one.

Loaded question... but yes, the immediate utility is not on the side of your network, but the internet. This is a tiny bit like a general speed limit on roads: individual drivers likely would reach their destinations quicker/earlier, but the general speed limit makes driving safer for everyone... note car/traffic analogies are always a bit off for networking...

Except DDoS? Any kind of remote access or MITM?

Are there attacks where an attacker sends malicious packets pretending to be from a popular website and some packets eventually get accepted by the victim?

Is it possible to use BCP38 to stop it?

@moeller0 @hnyman @lleachii

If this is a rewording of your original question, the answer is still no. BCP38 doesn't operate on incoming traffic.



You have already been answered several times that bcp38 protects others by preventing certain source address spoofing in your outgoing traffic.


The only way to stop a DDoS attack is to have a bandwidth larger than the combined bandwidth of all the nodes attacking you, either because you have a faster connection, or because you use an intermediate node with a faster connection. There is nothing you can do on your end to prevent a DDoS attack.

However, once all networks practice bcp38 source address sanitation, a whole class of attack vectors is taken out of the game.
The thing behind source port spoofing is that it allows indirect attacks, where a botnet makes DNS requests with the victim's IP address as spoofed source address; the DNS servers will then send as many requests as the botnet requested to a single IP address. Compared to a direct attack from the botnet this is especially tricky to remedy, as the attack packets do not carry any trace of which IP addresses actually initiated the attack.
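To make the two points of this thread concrete, the egress-only check moeller0 describes above and the DNS reflection scenario in the last post, here is a small Python model. It is an added example, not code from the thread, from OpenWrt or from the bcp38 package; the `Packet` type, `bcp38_verdict()` and `run_scenarios()` are hypothetical names, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
# Added example, not code from the thread or from any router firmware: a small
# model of the BCP38 egress check described in this thread, used to show
# (a) which packets it drops and (b) why it does nothing for the reflected
# traffic that arrives at a victim.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Literal

Direction = Literal["egress", "ingress"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: Direction  # "egress": LAN -> WAN, "ingress": WAN -> LAN


def bcp38_verdict(pkt: Packet, downstream: Iterable[str]) -> str:
    """Return "accept" or "drop" as a BCP38 filter at the network edge would.

    Only egress traffic is inspected: a packet heading for the internet must
    carry a source address from a prefix that sits behind this router.
    Ingress packets are never examined, which is the point made in the thread.
    """
    if pkt.direction != "egress":
        return "accept"
    src = ip_address(pkt.src)
    # Mixed address families never match (ip_network.__contains__ returns
    # False), so IPv4 and IPv6 prefixes can share one downstream list.
    if any(src in ip_network(prefix) for prefix in downstream):
        return "accept"
    return "drop"


def run_scenarios() -> Dict[str, str]:
    """Constructed reflection scenario using RFC 5737 documentation addresses.

    host behind an edge router whose downstream is 192.0.2.0/24: 192.0.2.10
    victim elsewhere on the internet:                           198.51.100.5
    open DNS resolver used as reflector:                        203.0.113.53
    """
    edge_downstream = ["192.0.2.0/24"]
    scenarios = {
        # Host sends a query with its real source address: passes the filter.
        "legit_egress": Packet("192.0.2.10", "203.0.113.53", "egress"),
        # Bot forges the victim's address as source: dropped at its own edge,
        # so the resolver never sees the query and sends nothing to the victim.
        "spoofed_egress": Packet("198.51.100.5", "203.0.113.53", "egress"),
        # A response arriving from the resolver, wanted or reflected, is
        # ingress: BCP38 does not look at it, no matter how much arrives.
        "reflected_ingress": Packet("203.0.113.53", "192.0.2.10", "ingress"),
    }
    return {name: bcp38_verdict(pkt, edge_downstream) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The only packet the filter ever drops is the spoofed egress one, and it is dropped at the bot's edge, not the victim's. That is why the protection is for everyone else on the internet: a victim's own router running the same check still accepts every ingress packet.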

I don't understand the question.