BCP38 discusses flooding attacks and some simple ways of mitigating them. First it explains how an attacker can target victims:
1. by inundating a server with SYN requests (a SYN flood)
2. by spoofing the address of a legitimate host, thereby causing that host to be blacklisted
3. by spoofing source IP addresses so that the resulting SYN-ACK packets inundate more than one host
Attacks 1 and 3 are somewhat related. The BCP (Best Current Practice) says that if routers apply a very simple rule at their end:
- Allow traffic originating from their known prefixes (i.e. the source address (SA) of the traffic lies within the prefixes known to be behind that interface) and forward it as usual
- Drop all remaining traffic
then most source-IP-spoofing attacks can be mitigated. A DDoS attack of type 1 (above) can still happen, but since the source IP address can no longer be spoofed, or can be spoofed only to a limited extent (within the allowed range of prefixes), it becomes easier to track down the source of the attack. This "ingress traffic filtering" is best implemented at the edge routers of the Internet.
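The two-line rule above, simulated in Python as an added example (this is not code from BCP38 or from any router vendor). It assumes a constructed set of customer prefixes behind an edge interface (RFC 5737 / RFC 3849 documentation ranges, not real networks) and a constructed batch of packets; `allowed_source`, `ingress_filter` and `suspect_sources` are hypothetical helper names. The last function shows the second point of the passage: once spoofed sources are dropped at the edge, a remaining SYN flood carries a real, prefix-bounded source address that can be counted and traced.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes the edge router knows are legitimately behind this
# interface (documentation ranges only). Both IPv4 and IPv6 are handled.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def allowed_source(src_addr, prefixes=CUSTOMER_PREFIXES):
    """BCP38 check: is the packet's source address inside a known prefix?

    A malformed address is treated as not allowed, so it is dropped rather
    than accidentally forwarded.
    """
    try:
        addr = ipaddress.ip_address(src_addr)
    except ValueError:
        return False
    # 'in' returns False when address and network families differ.
    return any(addr in net for net in prefixes)


def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Apply the two-rule ingress policy to a batch of packets.

    Each packet is a dict with at least 'src' and 'dst' (constructed data).
    Returns (forwarded, dropped): packets whose source lies in a known
    prefix are forwarded as usual, everything else is dropped.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        if allowed_source(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def suspect_sources(forwarded, threshold=3):
    """Count SYN packets per source among the traffic that passed the filter.

    Because spoofed sources were already dropped, any source that exceeds
    the threshold is a genuine address inside a customer prefix, which is
    what makes the remaining flood traceable.
    """
    counts = Counter(p["src"] for p in forwarded if p.get("flags") == "SYN")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic arriving on the customer-facing interface.
SAMPLE_PACKETS = [
    # A SYN flood from a real customer host (type 1 attack, not spoofed).
    {"src": "192.0.2.10", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "flags": "SYN"},
    # Ordinary traffic from another customer host.
    {"src": "198.51.100.7", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "2001:db8::1", "dst": "2001:db8:1::5", "flags": "SYN"},
    # Spoofed sources: addresses that cannot legitimately be behind this link.
    {"src": "203.0.113.9", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "203.0.113.9", "dst": "203.0.113.5", "flags": "SYN"},
    {"src": "10.0.0.1", "dst": "203.0.113.5", "flags": "SYN"},
    # Malformed source address.
    {"src": "999.1.1.1", "dst": "203.0.113.5", "flags": "SYN"},
]


if __name__ == "__main__":
    fwd, drp = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for p in drp:
        print("dropped spoofed/invalid source:", p["src"])
    print("traceable flood sources:", suspect_sources(fwd))
```

Running the module prints 6 forwarded and 4 dropped packets; the spoofed 203.0.113.9 and 10.0.0.1 sources never leave the edge, and the one source that still floods the target is the real customer address 192.0.2.10.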