Fewer than 20% of networks in Latin America, the Caribbean are vulnerable to inbound IP spoofing

Robbie Mitchell
Twitter logo
LinkedIn logo
Facebook logo
February 6, 2023

A recently published study by LACNIC CISRT shows that fewer than 20% of networks in Latin America and the Caribbean regions are vulnerable to inbound IP address spoofing.

IP address spoofing, or IP spoofing, refers to the act of modifying IP packets so that it appears they come from another source. Mallicious actors use this technique to launch attacks, including Distributed Denial of Service attacks, NSNXAttacks and DNS cache poisoning, under the guise of a familiar or seemingly trusted source address.

Source Address Validation (SAV) is an effective way to mitigate IP spoofing. Best Current Practices, recommend that network operators use SAV to filter both inbound and outbound traffic.

Inbound and outbound filtering is high

The study, which used active data sources to provide relevant information on the status of IP spoofing in the region, showed that fewer than 20% of networks in the region are vulnerable to inbound (traffic entering a network) IP spoofing (Figure 1).

Figure 1 — Percentage of /24 IPv4 networks vulnerable to inbound IP spoofing by country. Source: The Closed Resolver Project, 17 October 2022

Brazil, Chile, French Guyana, Peru, Uruguay, and Suriname were found to have the lowest percentage of networks vulnerable to inbound IP spoofing, while Guyana, Paraguay, and Venezuela have the highest percentage.

Out of the 3,082 IP blocks evaluated in the region, 84.4% implement outbound SAV.

How to Determine Whether Your Organization Implements SAV

The study offers several recommendations to assist organizations with detecting and mitigating IP spoofing, including:

  • Assessing the status of inbound and outbound SAV in assigned resources.
  • Implementing inbound and outbound SAV.
  • Testing and implementing best practices, including the MANRS Anti-Spoofing Implementation Guide.

A quick way to determine whether your organization is properly implementing inbound and outbound SAV is to have your network operator test if the following situations are possible.

  • Inbound IP spoofing: send traffic with source IP addresses that are part of the IP address blocks assigned to your organization from the Internet to the organization.
  • Outbound IP spoofing: send traffic with source IP addresses that are part of the IP address blocks assigned to the organization from the organization to the Internet.

Refer to the study report for how to do this if you’re not familiar.

Implement Anti-Spoofing to Secure the Internet

LACNIC CSIRT plans to continue to monitor the application of filters on inbound and outbound traffic and work directly with LACNIC member organizations to to understand the problem of IP spoofing and increase the application of anti-spoofing techniques.

Learn more about anti-spoofing.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.