An introduction to BCP38

January 13, 2016, by | Start Discussion

What is BCP 38?

BCP 38 also known as Network Ingress Filtering is defined by RFC 2487 as a technique which ensures that incoming packets are from the source which they claim to be from. The main aim of BCP 38 id to defeat the Denial of Service (DOS) attack that uses IP Address Spoofing.

The Problem Statement

BCP 38 addresses the problem of Denial of Service attack which is done by IP Address Spoofing. Let us understand some key terms:

  • DOS Attack
    It is a type of network attack in which  the target machine is flooded with useless bulk traffic (requests) with the motive to bring down the network, such that the user is unable to utilize its resources and finally, stops functioning.DOS Attack
  • IP Address Spoofing
    It is a technique which involves replacing IP address of sender by modifying the IP packet header (source and destination address) of sender with another machine’s IP address. Thus, this technique allows you to send IP packets anonymously which means the IP address is impersonated when the packets are sent.
    IP address spoofing allows sending packets in a network without the packets being intercepted by the firewall. A spoofed packet arriving with an internal machine’s IP address will be allowed by the firewall and be transferred to the target machine, whereas a packet containing an external IP address will be rejected by the firewall.



The ideal solution which defeats the above two problems is implementing BCP 38 i.e. network ingress filtering.
Ingress Filtering is a technique which scans the incoming packets to validate whether they are coming from the right source or not. If the packet does not match its source, the network holds or drops the packet. BCP 38 packet filtering policy has 4 major approaches and they are:

  1. Static packet filters
  2. Dynamic packet filters
  3. Forwarding based validation
  4. Network address translation

Thus, BCP 38 revolves on the main concept that no one can pretend to be from someone else’s IP address.



bcp38 flow diagram
Image Source:

BCP 38 Implementation

BCP 38 or Ingress filtering is implemented by ISP’s (Internet Service Providers) to protect their customers and individuals home and offices. A database is maintained and used to check the incoming packet’s origin. If it matches, the packet is allowed. If it does not match the network keeps the packet on hold (outside of the network) so that other users are protected. ISP’s work together and provide ingress filtering, they maintain a common database and keep it up-to-date with reliable and accurate information. Thus, customers are provided greater safety and security.
Also, as mentioned earlier BCP 38 can be implemented for individual home or office as well. This network may capture packets that even the ISP has skipped from identifying it as a potential problem (depending on type of filtering used). Thus, it acts as an added security layer for protection of individual machines.

Best Practices

  • ISP’s and hosting companies should reduce the number of open recursive DNS resolvers on Internet, to prevent packets from spoofed IP’s from entering the network.
  • BCP 38 is the current best practice for ingress filtering.


Security Analyst and a Technical Writer

Leave a Reply