Is BCP38 enough to stop DDOS attacks?
There are types of DDOS attacks which don't use source spoofing and where thus BCP38 does not help. For example the current IoT based DDOS attacks against Dyn, OVH, etc did not use source spoofing at all. Also, DDOS by employing the Slashdot Effect does not make use of spoofed addresses either.
Spoofed addresses are instead mainly used in amplification attacks which is only one of the techniques for DDOS.
There are multiple types (or methods to achieve) of DDoS attack likes -
- ICMP flood
- P-to-P attack
- SYN Flood
- DNS Amplifications attack
- And many more
Some types of attack are possible through spoofing of source ip addresses (like DNS amplification, Syn flood, ICMP flood and others). Attacks which can be achieved through UDP protocol can be done through spoofing while for those where TCP 3-way handshake needs to be completed, can't be achieved through spoofing.
My question is: Is it enough to prevent massive DDOS attacks?
BCP 38 can only stop spoofing attacks. It can't protect the victim against TCP based attacks. DDoS attack on Dyn (on 21st October) was done through IoT devices, which was not a spoofed type attack.
In a nutshell, if BCP38 get implemented in all the ISP across whole world, then DDoS attack will not going to be easy to launch against the victims.
P.S. -- BCP38 is implemented in my organisation (i works for one of the largest ISP of my country).