A recently published study by LACNIC CISRT shows that more than 80% of networks in Latin America and the Caribbean regions are protecting themselves against inbound IP address spoofing.
IP address spoofing, or IP spoofing, refers to the act of modifying IP packets so that it appears they come from another source. Malicious actors use this technique to launch attacks, including Distributed Denial of Service (DDoS) attacks, NSNXAttacks, and DNS cache poisoning, under the guise of a familiar or seemingly trusted source address.
Source Address Validation (SAV) is an effective way to mitigate IP spoofing. Best Current Practices, recommend that network operators use SAV to filter both inbound and outbound traffic.
Inbound and outbound filtering is high
The study, which used active data sources to provide relevant information on the status of IP spoofing in the region, showed that fewer than 20% of networks in the region are vulnerable to inbound (traffic entering a network) IP spoofing (Figure 1).
Brazil, Chile, French Guyana, Peru, Uruguay, and Suriname were found to have the lowest percentage of networks vulnerable to inbound IP spoofing, while Guyana, Paraguay, and Venezuela have the highest percentage.
Out of the 3,082 IP blocks evaluated in the region, 84.4% implement outbound SAV.
How to Determine Whether Your Organization Implements SAV
The study offers several recommendations to assist organizations with detecting and mitigating IP spoofing, including:
- Assessing the status of inbound and outbound SAV in assigned resources.
- Implementing inbound and outbound SAV.
- Testing and implementing best practices, including the MANRS Anti-Spoofing Implementation Guide.
A quick way to determine whether your organization is properly implementing inbound and outbound SAV is to have your network operator test if the following situations are possible.
- Inbound IP spoofing: send traffic with source IP addresses that are part of the IP address blocks assigned to your organization from the Internet to the organization.
- Outbound IP spoofing: send traffic with source IP addresses that are part of the IP address blocks assigned to the organization from the organization to the Internet.
Refer to the study report for how to do this if you’re not familiar.
Implement Anti-Spoofing to Secure the Internet
LACNIC CSIRT plans to continue to monitor the application of filters on inbound and outbound traffic and work directly with LACNIC member organizations to understand the problem of IP spoofing and increase the application of anti-spoofing techniques.