As you know, the Internet is rife with security threats, and
one such threat is IP address spoofing. During a typical IP address spoofing attempt,
the attacker simply fakes the source of packets in order to appear as part of an
internal network. Let’s discuss three ways you can protect your organization from
this type of attack.
Block IP addresses
The first step in preventing spoofing is blocking IP
addresses that pose a risk. While an attacker could spoof any IP address, the
most commonly spoofed IP addresses are private IP addresses (RFC 1918) and
other types of shared/special IP addresses.
Here’s a list of IP addresses—and their subnet masks—that I
would block from coming into my network from the Internet:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
- 224.0.0.0/3
- 169.254.0.0/16
All of the above are either private IP addresses that aren’t
routable on the Internet or used for other purposes and shouldn’t be on the
Internet at all. If traffic comes in with one of these IP addresses from the
Internet, it must be fraudulent traffic.
In addition, other commonly spoofed IP addresses are whatever
internal IP addresses your organization uses. If you’re using all private IP
addresses, your range should already fall into those listed above. However, if
you’re using your own range of public IP addresses, you need to add them to the
list.
Implement ACLs
The easiest way to prevent spoofing is to use an ingress
filter on all Internet traffic. The filter drops any traffic with a source
falling into the range of one of the IP networks listed above. In other words,
create an access control list (ACL) to drop all inbound traffic with a source
IP in the ranges above.
Here’s a configuration example:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# int s0/0
Router(config-if)# ip access-group ingress-antispoof in
Internet service providers (ISPs) must use filtering like
this on their networks, as defined in RFC 2267. Notice how
this ACL includes permit ip any any
at the end. In the “real world,” you would probably have a stateful
firewall inside this router that protects your internal LAN.
Of course, you could take this to the extreme and filter all
inbound traffic from other subnets in your internal network to make sure that
someone isn’t on one subnet and spoofing traffic to another network. You could also
implement egress ACLs to prevent users on your network from spoofing IP
addresses from other networks. Keep in mind that this should be just one part
of your overall network security strategy.
Use reverse path forwarding (ip verify)
Another way to protect your network from IP address spoofing
is reverse path forwarding (RPF)—or ip
verify. In the Cisco IOS, the commands for reverse path forwarding begin
with ip verify.
RPF works much like part of an anti-spam solution. That part
receives inbound e-mail messages, takes the source e-mail address, and performs
a recipient lookup on the sending server to determine if the sender really
exists on the server the message came from. If the sender doesn’t exist, the
server drops the e-mail message because there’s no way to reply to the message—and
it’s very likely spam.
RPF does something similar with packets. It takes the source
IP address of a packet received from the Internet and checks whether the
router has a route in its routing table back to that source. If there’s no
route in the routing table for a response to return to the source IP, then someone
likely spoofed the packet, and the router drops it.
Here’s how to configure RPF on your router:
Router(config)# ip cef
Router(config)# int serial0/0
Router(config-if)# ip verify unicast reverse-path
Note that this won’t work on a multi-homed network: when routing is asymmetric, the best route back to a legitimate source may point out a different interface than the one the packet arrived on, and the check would drop valid traffic.
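As an added example (not from the column or Cisco), here are the ingress filter and the RPF check as Python functions so you can see the two decisions side by side: the deny list is the column’s six ranges, and the routing table is constructed to include a second upstream (serial0/1) so the multi-homed case just described is visible. The interface names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are assumed documentation ranges, not real hosts.

```python
import ipaddress

# Source ranges the column says to drop at the Internet edge (RFC 1918
# private space plus loopback, multicast/reserved and link-local).
ANTISPOOF_DENY = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/3", "169.254.0.0/16",
)]


def ingress_filter(src_ip, deny=ANTISPOOF_DENY):
    """Return 'deny' if the source falls in a blocked range, otherwise
    'permit' (mirrors the ACL's trailing permit ip any any)."""
    addr = ipaddress.ip_address(src_ip)
    return "deny" if any(addr in net for net in deny) else "permit"


def rpf_check(src_ip, in_iface, routes, strict=True):
    """Unicast RPF against a routing table given as {prefix: egress_iface}.
    Loose mode only asks whether some route back to the source exists;
    strict mode also demands that the best route leaves via the interface
    the packet arrived on (this is what breaks with asymmetric routing)."""
    addr = ipaddress.ip_address(src_ip)
    matches = []
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, iface))
    if not matches:
        return False            # no route back to the source: likely spoofed
    if not strict:
        return True
    # Longest-prefix match, as the router's forwarding lookup would do.
    _, best_iface = max(matches, key=lambda m: m[0].prefixlen)
    return best_iface == in_iface


# Constructed routing table (assumed interface names and documentation
# address ranges): Internet via serial0/0, a second upstream on serial0/1
# that announces 203.0.113.0/24, and our own public LAN on ethernet0.
ROUTES = {
    "0.0.0.0/0": "serial0/0",
    "203.0.113.0/24": "serial0/1",
    "192.0.2.0/24": "ethernet0",
}
```

A packet from 203.0.113.9 arriving on serial0/0 is legitimate here but fails strict RPF because its best return route is serial0/1; loose mode still passes it, which is the trade-off behind the multi-homed caveat.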
It’s important to protect your private network from
attackers on the Internet. These three methods can go a long way toward
protecting against IP address spoofing. For more information on IP address
spoofing, read “IP
Address Spoofing: An Introduction.”
Is IP address spoofing a major concern for your
organization? What steps have you taken to protect the company? Have you used
RPF? Share your experiences in this article’s discussion.
David Davis has worked
in the IT industry for 12 years and holds several certifications, including
CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of
systems/network administrators for a privately owned retail company and
performs networking/systems consulting on a part-time basis.