Most of the Internet's spoofed-source DDoS traffic, reflection and amplification attacks in particular, would disappear if spoofed packets were dropped at their source. BCP 38 (RFC 2827), which asks every network to do exactly that, was published in 2000 but has never been widely deployed because of the cost and complexity of implementing it. Since outbound DDoS is no one's problem, most operators do not spend money and time preventing it; it only becomes a serious issue when their own services start being interrupted by inbound DDoS.

Until very recently, implementing BCP 38 typically meant a carrier-grade router, and the ingress and egress filters the policy requires cost forwarding performance on most platforms.

Additionally, your toolchest needs the ability to block incoming attacks from:

  • Any number of configured IPs and prefixes
  • Any number of configured geo-locations

Local Address Anti-Spoofing in FortiDDoS

With the release of Version 4.1.6, FortiDDoS now supports implementing BCP 38 easily. Here are the highlights:

  • No performance implication
    • The appliance's performance does not degrade, no matter how many IPs you define in your local address space
  • Large number of local address ranges
    • You can define IPv4 addresses down to /32
  • Simple policies for given local addresses; you can choose any or all of the following:
    • Inbound source must not be local address: blocks inbound packets whose source address is inside your network. Such a source is spoofed (the one legitimate exception is asymmetric routing across multiple uplinks, in which case the affected prefixes should not be subject to this policy).
    • Inbound destination must be local address: blocks inbound packets whose destination is not in your network. The destination address is illegitimate.
    • Outbound source must be local address: blocks outbound packets with a spoofed source address. This is the BCP 38 filter proper, and it keeps your network from being used as the launch point of spoofed-source attacks.
    • Outbound destination must not be local address: blocks outbound packets addressed to your own network; such packets should never reach the egress path.
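The four policies above reduce to membership tests against the configured local address space. The following Python, an added example rather than FortiDDoS code, implements them over a constructed local prefix list (a /24 plus a /32 host) and constructed sample packets; the policy names, the Packet structure and the "in"/"out" direction labels are this example's own, not product configuration keywords.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Set

# Policy labels (hypothetical names for this example; not FortiDDoS keywords).
INBOUND_SRC_NOT_LOCAL = "inbound source must not be local address"
INBOUND_DST_LOCAL = "inbound destination must be local address"
OUTBOUND_SRC_LOCAL = "outbound source must be local address"
OUTBOUND_DST_NOT_LOCAL = "outbound destination must not be local address"
ALL_POLICIES = {INBOUND_SRC_NOT_LOCAL, INBOUND_DST_LOCAL,
                OUTBOUND_SRC_LOCAL, OUTBOUND_DST_NOT_LOCAL}


class Packet(NamedTuple):
    direction: str  # "in": arriving from the Internet; "out": leaving toward it
    src: str
    dst: str


def parse_local(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise the configured local address space; /32 entries are valid."""
    return [ipaddress.IPv4Network(p, strict=False) for p in prefixes]


def is_local(addr: str, local: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in local)


def check_packet(pkt: Packet, local: List[ipaddress.IPv4Network],
                 policies: Set[str]) -> Optional[str]:
    """Return the violated policy (meaning drop), or None if the packet passes."""
    src_local = is_local(pkt.src, local)
    dst_local = is_local(pkt.dst, local)
    if pkt.direction == "in":
        # A packet arriving from outside that claims an inside source is spoofed
        # (barring asymmetric routing across several uplinks, in which case the
        # affected prefixes must be excluded from the local list).
        if INBOUND_SRC_NOT_LOCAL in policies and src_local:
            return INBOUND_SRC_NOT_LOCAL
        # Nothing arriving from outside should be addressed to a non-local host.
        if INBOUND_DST_LOCAL in policies and not dst_local:
            return INBOUND_DST_LOCAL
    elif pkt.direction == "out":
        # BCP 38 proper: never emit packets with a source address we do not own.
        if OUTBOUND_SRC_LOCAL in policies and not src_local:
            return OUTBOUND_SRC_LOCAL
        # Inside-to-inside traffic should never appear on the egress path.
        if OUTBOUND_DST_NOT_LOCAL in policies and dst_local:
            return OUTBOUND_DST_NOT_LOCAL
    else:
        raise ValueError(f"unknown direction {pkt.direction!r}")
    return None


def filter_packets(packets: Iterable[Packet], local: List[ipaddress.IPv4Network],
                   policies: Set[str] = ALL_POLICIES):
    """Classify each packet; yields (packet, verdict) where verdict None means forward."""
    return [(p, check_packet(p, local, policies)) for p in packets]


# Constructed local address space (documentation ranges): one /24 plus a single /32.
LOCAL = parse_local(["203.0.113.0/24", "198.51.100.7/32"])

# Constructed sample traffic.
SAMPLE = [
    Packet("in",  "203.0.113.45", "203.0.113.10"),  # inbound with our own source: spoofed
    Packet("in",  "192.0.2.9",    "203.0.113.10"),  # ordinary inbound request
    Packet("in",  "192.0.2.9",    "192.0.2.200"),   # not for us: illegitimate destination
    Packet("out", "192.0.2.77",   "192.0.2.9"),     # inside host spoofing an outside source
    Packet("out", "198.51.100.7", "192.0.2.9"),     # legitimate egress from the /32 host
    Packet("out", "203.0.113.5",  "198.51.100.7"),  # inside-to-inside seen at egress
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE, LOCAL):
        action = f"DROP ({verdict})" if verdict else "forward"
        print(f"{pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14} {action}")
```

Run it and four of the six constructed packets are dropped, one per policy; the two legitimate flows (an inbound request to the /24 and an outbound reply from the /32 host) pass. Disabling a policy is just removing its label from the set passed to `check_packet`.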

Large IPv4 Address Access Control Lists

With release 4.1.6, FortiDDoS now supports blocking any IPv4 address among the 2^32 (roughly 4.3 billion) possible addresses. You can block them as individual IPs or as sets of prefixes. Because the lookup is done in hardware, the appliance's performance does not depend on the size of the list.

Large Geo-Location (IPv4) Access Control Lists

With release 4.1.6, FortiDDoS also supports blocking any geo-location by name. The location is resolved to the set of IP prefixes registered to it, and those prefixes are blocked. Again, this is done in hardware, with no degradation of appliance performance. Bear in mind that geo-IP mappings are approximate and change over time, so expect a degree of over- and under-blocking and keep the database current.
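As an added example (not FortiDDoS code), the Python below serves both the IP/prefix ACL section and the geo-location section above: it combines individual addresses, explicit prefixes and whole geo-locations into one blocklist and looks sources up with a binary prefix trie, which bounds per-packet cost at 32 steps regardless of list size, the software analogue of the fixed-cost hardware lookup. The geo-IP table, the location names and all addresses are constructed from documentation ranges; a real deployment would load a maintained geo-IP database instead.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


class PrefixTrie:
    """Binary trie over IPv4 prefix bits.

    A lookup walks at most 32 edges however many prefixes are stored, so the
    per-packet cost does not grow with the size of the ACL.
    """

    __slots__ = ("children", "label")

    def __init__(self) -> None:
        self.children: List[Optional["PrefixTrie"]] = [None, None]
        self.label: Optional[str] = None  # set on the node that ends a stored prefix

    def add(self, prefix: str, label: str) -> None:
        net = ipaddress.IPv4Network(prefix, strict=False)  # bare address -> /32
        bits = int(net.network_address)
        node = self
        for i in range(net.prefixlen):
            bit = (bits >> (31 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = PrefixTrie()
            node = node.children[bit]
        node.label = label

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match: label of the most specific matching entry, or None."""
        bits = int(ipaddress.IPv4Address(addr))
        node, best = self, self.label
        for i in range(32):
            node = node.children[(bits >> (31 - i)) & 1]
            if node is None:
                break
            if node.label is not None:
                best = node.label
        return best


# Constructed stand-in for a geo-IP database: location name -> prefixes registered
# there. Real databases are far larger and their attributions are approximate and
# change over time, so geo blocking is a coarse control, not an exact one.
GEO_DB: Dict[str, List[str]] = {
    "Examplia": ["192.0.2.0/25", "198.51.100.0/26"],
    "Testonia": ["192.0.2.128/25"],
}


def build_acl(addresses: Iterable[str], prefixes: Iterable[str],
              locations: Iterable[str],
              geo_db: Dict[str, List[str]] = GEO_DB) -> PrefixTrie:
    """Combine individual IPs, explicit prefixes and whole geo-locations into one ACL."""
    acl = PrefixTrie()
    for loc in locations:
        for p in geo_db[loc]:  # a location expands to a set of prefixes, not one range
            acl.add(p, f"geo:{loc}")
    for p in prefixes:
        acl.add(p, f"prefix:{p}")
    for a in addresses:
        acl.add(f"{a}/32", f"ip:{a}")
    return acl


def blocked_by(acl: PrefixTrie, src: str) -> Optional[str]:
    """Reason a packet from src is dropped, or None if it is allowed through."""
    return acl.lookup(src)


# Constructed ACL: one host, one /26, and every prefix attributed to "Examplia".
ACL = build_acl(
    addresses=["203.0.113.77"],
    prefixes=["203.0.113.64/26"],
    locations=["Examplia"],
)

if __name__ == "__main__":
    for src in ["192.0.2.5", "192.0.2.200", "198.51.100.9",
                "203.0.113.77", "203.0.113.70", "203.0.113.9"]:
        print(f"{src:>14} -> {blocked_by(ACL, src) or 'allow'}")
```

The trie returns the most specific entry, so a host entry wins over the /26 that contains it, and the reason string shows whether a drop came from an explicit IP, a prefix or a geo-location, which is what you want when a customer asks why their traffic stopped.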

What all of this means is that administrators now have far finer control over traffic that could signal a DDoS attack, whether generated unwittingly on their own networks or arriving from anywhere (or everywhere) else in the world.