Information for end-users
This page explains BCP38 to end-users, people who have an internet connection, and either a single PC, or perhaps a router and a couple of PCs, a tablet, a smart TV set, and an XBox, or the like. Homes, and very small offices. If you have a larger network, see the Main Page for links to pages which discuss BCP38 in those contexts.
Contents |
What is BCP38?
BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses.
This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down.
Just as importantly: if your computer gets infected by malware, then your provider can inform you that it's sending forged attack traffic if they implement BCP38, so that you can get it fixed. If they don't, you might never know.
What Does It Mean To Me?
For end-users, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by 'malware', and possibly made part of a 'botnet'; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC.
How Do I Tell If I Have It Already?
There are several research projects which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results.
How Does Having It Affect Me?
For small end-users, people with just one PC, or a few PCs, maybe a smart TV and a game console, and a consumer router or wireless router? You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic.
If you're a small to medium business, see those pages.
How Does Not Having It Affect Me?
If your ISP does not presently implement BCP38, then they are contributing to bad weather on the Internet; some of the attacks and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 gigabits per second of attack traffic to one site. That's two thousand times the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more.
Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future.
BCP38: Ask For It By Name. :-)
(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)
How Do I Set It Up?
In general, you don't have to. If you're an end-user, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is.
If you don't already have a router or wireless router at your home or very small business, you probably should, and most 'CPE' routers will provide you with some in-house blocking for many (though possibly not all) types of forged attack packets.
If you have a router, or are going to get one, and it uses multiple uplink connections to different ISPs, then you need to see the small business page as well.
What Does It Cost Me?
Generally, it shouldn't cost you anything--your ISP does the work--unless you don't have a router, and you want to get one. Decent high-speed consumer routers are well under $100 these days, and often under $50, even for wireless models.
Well, ok, it might cost you the time to call your ISP on the phone and ask them if they implement BCP38. And to listen to the front-line guys say "implement what-now?" :-)