Information for small businesses


This page explains BCP38 to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet-capable devices. If you have a larger network, or multiple uplink connections, see the Main Page for links to pages which discuss BCP38 in those contexts.


What is BCP38?

BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses.

This is important because forged traffic of this sort is often used in such attacks, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down.

Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic if they implement BCP38, so that you can get it fixed. If they don't, you might never know.

What Does It Mean To Me?

For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by 'malware', and possibly made part of a 'botnet' -- which could have legal liability implications for you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, it's possible you or your company could be held civilly or criminally liable for that attack.

If you or your ISP implement BCP38, the traffic such a program sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC, which may protect you from some such liability.

How Do I Tell If I Have It Already?

There are several research projects which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results.

How Does Having It Affect Me?

BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic.

There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design.

How Does Not Having It Affect Me?

If your ISP does not presently implement BCP38, then they are contributing to bad weather on the Internet; some of the attacks and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 gigabits per second of attack traffic to one site. That's two thousand times the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more.

Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future.

BCP38: Ask For It By Name.  :-)

(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)

In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is egress filtering, rather than the ingress filtering which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such 'martian' packets will stick, and be helpful.
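The egress check described above, written out as an added example (not taken from this page or from any router's firmware): a packet arriving from the LAN is forwarded only if its source address belongs to the LAN, and dropped packets are counted per source MAC so the infected PC can be found. The LAN prefix, MAC addresses and packet records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed LAN prefix for the example office; replace with your own.
LAN_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample of packets arriving on the router's LAN interface,
# heading for the Internet: (source MAC, source IP, destination IP).
SAMPLE_PACKETS = [
    ("aa:bb:cc:00:00:01", "192.168.1.10", "203.0.113.5"),
    ("aa:bb:cc:00:00:02", "192.168.1.23", "203.0.113.80"),
    ("aa:bb:cc:00:00:02", "198.51.100.7", "203.0.113.80"),  # forged source
    ("aa:bb:cc:00:00:02", "10.44.3.9", "203.0.113.80"),     # forged source
    ("aa:bb:cc:00:00:03", "not-an-ip", "203.0.113.9"),      # malformed record
]


def egress_verdict(src_ip, lan_prefixes=LAN_PREFIXES):
    """Return 'forward' only if the source address belongs to the LAN."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"  # unparseable source address: fail closed
    for net in lan_prefixes:
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"  # 'martian': no host on this LAN can own that address


def hosts_sending_forged_sources(packets, lan_prefixes=LAN_PREFIXES):
    """Count dropped packets per source MAC, to locate the infected machine."""
    dropped = Counter()
    for mac, src_ip, _dst in packets:
        if egress_verdict(src_ip, lan_prefixes) == "drop":
            dropped[mac] += 1
    return dict(dropped)


if __name__ == "__main__":
    for mac, count in hosts_sending_forged_sources(SAMPLE_PACKETS).items():
        print(f"{mac}: {count} packet(s) dropped for a non-LAN source address")
```
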

How Do I Set It Up?

In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is.

As noted above, while any filtering your in-house router/firewall applies will be egress filtering, that doesn't make it useless, by any means.

Instructions on how to set up such egress filtering will be accumulated in How To's.

What Does It Cost Me?

In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well.
