Managing Network Security

Eliminating IP Address Forgery - 5 Years Old and Going Strong

by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

I Told You So

You heard it here first. Way back in May of 1996 I wrote an article for the Internet Holes series titled "Eliminating IP Address Forgery" in which I discussed and demonstrated simple and efficient ways to eliminate IP address forgery. But it is only in the past few weeks that the Internet community has finally started to adopt these strategies on a large scale.

I don't know whether it was a side effect of my recent congressional testimony and rather pointed debate in that forum with the gentleman from Sprint - or a side effect of the recent increase in DCA denial of service attacks and the article I wrote on that for the last issue of this magazine - or perhaps it's something else entirely. But for some reason, in the last day, I have gotten two major notices - one from the SANS institute and one from the ICSA. The SANS article indicated details of doing router filtering (without proper citation of course) that follows fairly close to my 5-year old recommendation, while the NCSA is now giving away a product to detect cases where your part of the infrastructure is being used to forge addresses.

It seems that eliminating IP address forgery is now all the rage because it is now affecting enough people who are important enough to get the whole Internet to take action. And it is indeed gratifying to see this - despite the frustration I suffer over the lack of citation to my original paper on the subject and my firewalls course that has covered this subject in detail for the last five years.

Now What?

In looking back on some other more-than-five year old work, I am starting to see more and more of it adopted. I am now talking to an anti-virus company that is ready to start using integrity techniques because the cost of keeping up with the 80,000 new viruses per year is simply too high for the amount you can make on your anti-virus product in today's market. Lightning rods and deception systems similar to those used over the last ten years by those at AT&T and elsewhere are starting to be embraced. Even trusted operating systems are now being increasingly selected for commercial use, and they have been studied and funded by the NSA for more than 20 years.

Indeed, it seems that information protection technology is now only 5-10 years behind the research and development in the field, and while time to market has dominated the rest of IT for a long time now, it seems that the same notion has finally caught on in information protection. I can foresee the day when I will not have to wait more than 2-3 years between publishing a working defense and seeing somebody else adopt it as their own without citing me or even paying royalties. But we will get back to this in a moment.

Lacking Innovation?

I read a recent article that claimed that information security lacks innovation. To me this is a classic case of somebody who doesn't know what they are talking about saying something foolish. If we look at almost any aspect of information technology, we see the claim of massive innovation, but in reality, almost everything we see in IT today was available in a very similar form 15 years ago. There are some exceptions. For example the palm-top computer first existed only 10 years ago (the HPs have been around that long) and today there is a booming business.

There are, of course, small innovations that make an evolutionary difference in technology - such as the screens that allow the palm computers to operate on a pen-based interface - but touch screens and pen-based input have existed for more than 30 years. The technology is continuing to make many step-wise improvements, and the combination of these improvements do produce very substantial change - but innovation? Hardly.

In my view, and in a relative sense, information protection is not lacking in innovation, it is lacking in adoption of innovation. There are many reasonably good innovations that incrementally improve protection technology and, in the aggregate, they will have a very substantial effect. For example, network security management techniques, improved anomaly detection, the elimination of address forgery, the availability of programs that detect buffer overflows in software, deception-based detection and response, small and highly effective biometric devices, secure communications capabilities, improved firewalls, and new response technologies for collective defense are all examples of recent innovations that are moving into the market and having a substantial effect.

Why don't so many of our 'innovators' innovate?

We see supposed innovation being adopted by those who don't know enough to know that the same ideas were explored 15 years ago and were found inferior. But we see fewer of the really innovative solutions that avoid the historical pitfalls adopted - largely because of a mismatch between the people who really know the science and the folks who are driving the market.

While a lack of scientific understanding is not so important in selling the newest brand of toys, and you can be highly successful in the market with a scientifically inferior product (even if they products are equivalent from a standpoint of how well they will work in an organization), security products that are effective are rarely as sexy as those that you can market easily.

In the security field, the lack of strong education in support of the field, the lack of educated educators in the field, and the lack of respect for historical results are leading to a crisis of integrity.

A Crisis of Integrity?

Yes - that's just what I meant to say. The people who are in the information protection business today - as well as many in the research community - lack integrity. The loss of integrity in any field is a bad sign for its future, but in a field in which there is a high priority on achieving integrity in results, a lack of integrity in researchers is scandalous at best.

Here are some examples of recent items in information protection that I think demonstrate the collapse of integrity in this field and represent a dangerous step for the field and its future.

That should be enough examples to get you started, and I hope I have made my point clear. As a field, information protection lacks integrity today. But...

Restoring Integrity to Information Protection

I don't mean to say that everybody working in the field is a fraud or fails to do their homework. In fact, many legitimate researchers and developers do a fine job of building real capabilities and doing the background work necessary to do the job well. I think that the commercial interests and businesses just don't pay attention to the legitimate researchers and are paying the price day after day.

This is not to say that the legitimate folks are very good at marketing - generally they are not. But they are very good at understanding the implications of technology and particularly at finding the flaws in proposed technologies. This is not the same as vulnerability testing or white hatting a system after it is built - it calls for understanding of the limits of technologies - something we seem to ignore at our own peril more and more these days.

The solution to this worsening problem, in my view, was outlined in my written and verbal congressional testimony. To quote:

Consider this. The need for computer security expertise is so great today that the average wage for an experienced consultant working for a security consulting firm is now on the order of $200,000 per year. The fees charged by major consulting firms in this field start at $3,000 per day, and some of the best groups now charge more than $8000 per day. The only way to reverse this trend it to change the supply side of the equation.

I am anxious to see more and better education in information protection and I am actively working toward that goal. I would like to see many of my readers follow this line as well - in whatever way you can. Here are some things you can do:

About The Author:

Fred Cohen is still exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting /