Destination-Side Source Address Validation

How do I fix the problem?

How you deploy Destination-Side Source Address Validation (DSAV) depends on your network architecture. BCP 84 has a good introduction and some starting places for different architectures. See especially section 2. The important thing is a configuration that disallows packets having a source address originating from your network from entering your network.

How do I test our fix?

After signing up with an account, you can run our self-test tool against your AS to see if any spoofed packets reach your network.

How do your tests work?

Our testing infrastructure relies on DNS resolvers within the target network. By sending these DNS resolvers spoofed queries for domains under our control, we are able to infer a lack of DSAV if we observe a query from these resolvers at our authoritative server. The following diagram summarizes the testing methodology.

test diagram

A detailed description of our methodology and results was published in the proceedings of IMC 2020 and is available here.