I'm under the impression that if all the ISPs were required to filter on the source IP address of all outbound packets, that spoofing would be reduced considerably.
- Are any ISPs implementing this practice?
- Should they?
One of the main issues is with fast switching at the core routing level. A long time ago when I was a Cisco engineer, the Cisco core routers could fast switch very effectively and provide minimal latency, but if you wanted to source filter then this would turn off fast switching and add hugely to the latency - no ISP is going to be willing to have multiple seconds of latency when they like small numbers in the millisecond region.
One of the other issues can be around encapsulation. For example, if you are using MPLS routed networks then you are unable to see inside the packet to conduct source filtering.
Some ISPs are starting to come to the conclusion that preventing spoofing will save them money in the long term. We find them now starting to lump anti-spoofing along with anti-DDoS in terms of things which will cost them money in the short term, but will lighten their network load and be able to be sold as a value add in the longer term.
The infrastructure and team required to configure this is where the main cost lies. There would have to be analysis as to which addresses might be required for valid spoofing (although this could be much less of an issue in reality) and the effort required to configure and maintain every router (or at least those at the edge) is pretty high.
It potentially becomes more of a challenge (just in terms of scale) with IPv6, as IPv4 will also be around for a long time.
Probably makes more sense for them to ignore IPv4 anti-spoofing, and start to build it into their v6 edge rollout.
I realise this is a very old question, but I think there's some relevant additional info to share. You're correct that IP spoofing is a big source of problems on the internet, mostly because of DDoS attacks using UDP.
ISPs should implement anti-spoofing. IETF's BCP38 (written in 2000!) describes a best practice for networks to do network filtering to reduce spoofing and thus prevent DDoS attacks, but unfortunately(?) there is no global authority which can force them to do so.
As others pointed out, costs of implementing it may be a reason not to do so. Lower revenues could be an argument as well for some networks: not forwarding traffic means sending lower bills to customers, so it can be a business decision not to filter.
However, in the past few years a growing number of ISPs have pledged to implement controls described in MANRS ("Mutually Agreed Norms for Routing Security"). One of the controls mentioned there is anti-spoofing. MANRS offers networks an extensive guide on implementing anti-spoofing in various ways in all kinds of setups with all sorts of equipment.
Although spoofing still offers problems, more and more networks implement controls because they do realize they need to be sure they're not part of the problem. However, I'm sure that there will always be a fair number of networks who will not follow MANRS for various reasons, and also that there is a small number of networks who are willingly not filtering as a business model (and thus attracting more and more abuse). The only way to solve that will be for all large (tier 1) networks to implement strict filtering, so that it becomes harder for these malicious networks to get their spoofed traffic routed across the internet.
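A minimal model of the BCP38 source-address check discussed in the two answers above (filtering at the customer edge, one prefix table per interface), written as an added example that is not part of any answer on this page; the interface names, prefixes and packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the prefixes this ISP has assigned to each customer-facing
# edge interface. BCP38 ingress filtering permits an outbound packet only when
# its source address lies inside a prefix assigned to the interface it arrived
# on (interface names and prefixes are assumptions, not real data).
EDGE_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:10::/48"],
}

def build_filter(edge_prefixes):
    """Parse the per-interface prefix table once so each lookup is cheap."""
    return {iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in edge_prefixes.items()}

def source_permitted(filt, iface, src):
    """True if src falls inside a prefix assigned to iface (unknown iface: deny)."""
    addr = ip_address(src)
    # 'in' is False on an IPv4/IPv6 version mismatch, so mixed tables are safe.
    return any(addr in net for net in filt.get(iface, []))

def filter_packets(filt, packets):
    """Split (iface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_permitted(filt, iface, src) else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets: two legitimate, then four that BCP38 filtering drops.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.10"),           # legitimate IPv4
    ("ge-0/0/2", "2001:db8:10::5", "2001:db8:ffff::1"),  # legitimate IPv6
    ("ge-0/0/1", "198.51.100.9", "192.0.2.10"),          # another customer's prefix
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),        # outside the assigned /25
    ("ge-0/0/1", "192.0.2.10", "198.51.100.9"),          # address of a remote network
    ("ge-0/0/9", "203.0.113.7", "192.0.2.10"),           # interface with no assignment
]

if __name__ == "__main__":
    filt = build_filter(EDGE_PREFIXES)
    fwd, drop = filter_packets(filt, SAMPLE_PACKETS)
    for iface, src, dst in drop:
        print(f"DROP iface={iface} src={src} dst={dst}: source not assigned to interface")
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

The dropped list is the detection signal an operator would export as a counter or log: a customer port that keeps tripping the filter is either misconfigured (for example a multihomed site sending from its other provider's space, the "valid spoofing" case mentioned above) or sourcing abuse.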
Basic answer: cost. Doing so does nothing to protect their own network but does add additional cost in the form of maintenance overhead, and routing overhead. Because spoofed addresses outgoing won't really affect them, there is
IP traceback is a name given to any method for reliably determining the origin of a packet on the Internet. Since the source IP address of a packet is not authenticated, the problem of finding the source of a packet is called the IP traceback problem. IP traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. There are a number of techniques proposed; the most popular are