BCP38: How to only use it for incoming traffic?

As the title says ...

BCP38 is all about having your firewall drop packets intended for the internet (so egress/outgoing only) that have a source address that is not downstream of your router. So it will not do anything for ingress traffic anyway... I would guess you either need to disable bcp38 or adjust the configuration. The default configuration is a sane default, so think hard about why you think you need to change/disable it in the first place...


:+1:

Adjust the following to your use case:


BCP38 only checks outgoing packets? You sure? How does it stop DDoS and spoof attacks?

@moeller0 @lleachii

Pretty sure.

Read this: http://www.bcp38.info/index.php/Main_Page
In short, it does not work by making DDoS TO your network harder (it cannot), but by making it harder/impossible for devices in your network to use spoofed source addresses. So machines in your network are less likely to participate in DDoS attacks.


It helps prevent your devices from being used to attack others, but it is not related to incoming traffic from outside.

http://www.bcp38.info/

  1. It doesn't help me, but the internet?

  2. Are there attacks where an attacker on the LAN uses spoofed IPs?

@moeller0 @hnyman @lleachii

Yes

Yes. DDoS for one.

Loaded question... but yes, the immediate utility is not on the side of your network, but the internet. This is a tiny bit like a general speed limit on roads: individual drivers would likely reach their destinations quicker/earlier, but the general speed limit makes driving safer for everyone... note that car/traffic analogies are always a bit off for networking...

Except DDoS? Any kind of remote access or MITM?

Are there attacks where an attacker sends malicious packets pretending to be from a popular website and some packets eventually get accepted by the victim?

Is it possible to use BCP38 to stop it?

@moeller0 @hnyman @lleachii

If this is a rewording of your original question, the answer is still no. BCP38 doesn't operate on incoming traffic.


No.

You have already been answered several times that bcp38 protects others by preventing certain source address spoofing in your outgoing traffic.


The only way to stop a DDoS attack is to have more bandwidth than the combined bandwidth of all the nodes attacking you, either because you have a faster connection or because you use an intermediate node with a faster connection. There is nothing you can do on your end to prevent a DDoS attack.

However, once all networks practice bcp38 source address sanitation, a whole class of attack vectors is taken out of the game.
The thing behind source port spoofing is that it allows indirect attacks, where a botnet makes DNS requests with the victim's IP address as the spoofed source address; the DNS servers will then send as many requests as the botnet requested to a single IP address. Compared to a direct attack from the botnet this is especially tricky to remedy, as the attack packets do not carry any trace of which IP addresses actually initiated the attack.
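As an added illustration of the two points made in this thread (BCP38 is an egress-only source-address check, and the reflection attack described in the post above is what it breaks), here is a small Python model. It is not code from the thread or from the OpenWrt bcp38 package; the prefixes, addresses, query size and the 50x amplification factor are constructed for the example.

```python
"""Constructed model of BCP38 egress filtering and a DNS reflection attack.

Not code from the thread or from any bcp38 package: the networks, addresses,
query size and amplification factor below are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # claimed source address (may be forged)
    dst: str
    payload_len: int  # bytes


class EdgeRouter:
    """Router at the border of one customer network.

    BCP38 is applied only to egress (LAN -> Internet) traffic: a packet may
    leave only if its source address lies inside a prefix that is downstream
    of this router. Ingress (Internet -> LAN) traffic is not inspected at all,
    which is exactly why BCP38 on your own router cannot protect you from a
    flood arriving from outside.
    """

    def __init__(self, downstream_prefixes, bcp38=True):
        self.downstream = [ipaddress.ip_network(p) for p in downstream_prefixes]
        self.bcp38 = bcp38

    def egress_allowed(self, pkt):
        if not self.bcp38:
            return True
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.downstream)

    def ingress_allowed(self, pkt):
        # BCP38 has nothing to say about incoming packets.
        return True


class OpenResolver:
    """A DNS resolver that answers whoever the query claims to come from.

    AMPLIFICATION is a constructed ratio of reply size to query size.
    """
    AMPLIFICATION = 50

    def __init__(self, addr):
        self.addr = addr

    def handle(self, query):
        # The reply goes to the *claimed* source, i.e. the spoofed victim.
        return Packet(src=self.addr, dst=query.src,
                      payload_len=query.payload_len * self.AMPLIFICATION)


def run_reflection_attack(bot_prefixes, victim, resolver, bcp38_everywhere):
    """Each bot (one per prefix, behind its own edge router) sends a DNS query
    with the victim's address forged as source.

    Returns (bytes_reaching_victim, bytes_sent_by_bots).
    """
    victim_bytes = 0
    sent = 0
    victim_router = EdgeRouter([str(ipaddress.ip_network(victim + "/24", strict=False))])
    for prefix in bot_prefixes:
        bot_edge = EdgeRouter([prefix], bcp38=bcp38_everywhere)
        query = Packet(src=victim, dst=resolver.addr, payload_len=60)
        sent += query.payload_len
        if not bot_edge.egress_allowed(query):
            continue  # the bot's own ISP/router drops the spoofed query
        reply = resolver.handle(query)
        # The reply carries the resolver's real address, so the victim's
        # router has no source-address reason to drop it.
        if victim_router.ingress_allowed(reply):
            victim_bytes += reply.payload_len
    return victim_bytes, sent


if __name__ == "__main__":
    resolver = OpenResolver("198.51.100.53")
    bots = ["192.0.2.0/24", "203.0.113.0/24", "198.18.0.0/24"]
    victim = "203.0.113.200"
    for enabled in (False, True):
        got, sent = run_reflection_attack(bots, victim, resolver, enabled)
        print(f"bcp38 everywhere={enabled}: bots sent {sent} B, victim received {got} B")
```

Note that with BCP38 disabled the victim receives far more than the bots transmit and the replies all come from the resolver, not from the bots; with BCP38 enforced at each bot's edge, the forged queries never leave, so nothing is reflected. The one bot sitting inside 203.0.113.0/24 is a deliberate edge case: its forged source address is inside its own router's downstream prefix, so BCP38 there cannot tell it from legitimate traffic.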

I don't understand the question.