Q: What are anti-spoofing filters?
A: Anti-spoofing filters are IP access-lists configured on PenTeleData core routers that are designed to prevent PenTeleData customers from sending IP traffic with a source address that was not explicitly assigned to that customer (spoofing). For example, if a cable modem customer's IP address is 22.214.171.124, and he sends traffic to the Internet with a source address of 10.0.0.1, he is spoofing that traffic.
Q: Why does PenTeleData implement these filters?
A: Spoofing is a common way for malicious activity to be disguised on the Internet. It is used to mask the real source of traffic or to impersonate another user by assuming the IP address of their computer. Implementing anti-spoofing filters helps us to ensure that if malicious activity is carried out on the PenTeleData network, we can always track it back to its source.
Q: How is PenTeleData implementing anti-spoofing filters?
A: First, PenTeleData is using a technology called Reverse Path Forwarding (RPF). RPF performs a test on every packet we receive from a customer to ensure that that packet is coming from an IP address that was explicitly assigned to that customer. If the packet fails the test, it is logged and discarded. Second, PenTeleData uses standard Access Control Lists to filter traffic based on its source and destination IP addresses.
Q: What implications do these filters have to me?
A: If a user is not generating traffic from an IP address that was not explicitly assigned to the user by PenTeleData, then the filters will be completely transparent to that user. However, in some circumstances, a network may be operating asymmetrically. This type of network operation will require special exceptions to be made to PenTeleData's anti-spoofing filters.
Q: What is asymmetrical routing and how is it affected by anti-spoofing filters?
A: Asymmetric routing occurs when an IP packet can leave via one network connection, but have its response return via a separate connection. Normal anti-spoofing filters rely on the fact that traffic generally enters and leaves a customer's network via the same connection. In some cases, such as with dual-homed customers or customers using a satellite feed, their traffic will behave asymmetrically. In this case, the customer must contact PenTeleData to arrange for their anti-spoofing filters to be modified to allow this network behavior. Please note that exceptions to our anti-spoofing rules will only be made for dedicated, hi-capacity, commercial Internet users.