All router administrators need to take whatever security precautions they can to prevent attacks to their systems and networks. While these attacks are a continually moving target, a common attack to IP networks is called IP Spoofing. This is accomplished by sending IP packets into the network with source addresses that appear to be part on the private internal network, when they really aren’t. It is like stealing someone’s identity – appearing to be someone the attacker really is not. If successful, the spoofed IP packets can be accepted by servers and computers on the local network with the risk of introducing malicious content or code.
There are several ways to prevent IP Spoofing: Blocking traffic with improper IP addresses as they enter the network:
Blocking Private IP Addresses at Entry
Any IP address can be spoofed, bet it public or private (see RFC 1918). The most commonly spoofed IP addresses are private IP addresses and other types of shared/special IP addresses. Here is a quick and obvious list:
All of the addresses listed above are either private IP addresses that usually aren’t routable on the Internet, or used for other purposes and shouldn’t be on the Internet at all. If traffic comes in with one of these IP addresses from the Public Internet, it must be fraudulent traffic.
Implementing Filters to Inbound Traffic
The easiest way to prevent spoofing is using an ingress filter on all inbound Internet traffic dropping any traffic with a source falling into the range of one of the IP networks listed above. All Internet Service Providers (ISPs) must use filtering as shown above per RFC 2267. This is done by installing an access control list (ACL) to drop all inbound traffic with a source IP in the ranges above.
Below is the configuration example. First let’s create the ACL called ‘spoofcheck’:
Cell_ce01# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cell_ce01(config)# ip access-list ext spoofcheck
Cell_ce01(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Cell_ce01(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Cell_ce01(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Cell_ce01(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Cell_ce01(config-ext-nacl)# deny ip 126.96.36.199 188.8.131.52 any
Cell_ce01(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Cell_ce01(config-ext-nacl)# permit ip any any
Next, lets apply the ACL ‘spoofcheck’ to the interface facing the Internet:
Cell_ce01(config-if)#ip access-group spoofcheck in
Note: this example ACL includes permit ip any any at the end. In the “real world,” you would probably have a stateful firewall inside this router that protects your internal LAN.
Of course, you could take this to the extreme and filter all inbound traffic from other subnets in your internal network to make sure that someone isn’t on one subnet and spoofing traffic to another network. You could also implement egress ACLs to prevent users on your network from spoofing IP addresses from other networks. Keep in mind that this should be just one part of your overall network security strategy.
Use reverse path forwarding (ip verify)
Another way to protect your network from IP address spoofing is reverse path forwarding (RPF)-or ip verify. In the Cisco IOS, the commands for reverse path forwarding begin with ‘ip verify’. RFP takes the source IP address of a packet received from the Internet and looks up to see if the router has a route in its routing table to reply to that packet. If there’s no route in the routing table for a response to return to the source IP, then someone likely spoofed the packet, and the router drops the packet.
Here is an example of how to configure RPF on your router:
Cell_ce01(config)# ip cef ‘must be turned on
Cell_ce01(config)# int serial1/1
Cell_ce01(config-if)# ip verify unicast reverse-path
Note that this won’t work on a multi-homed network.
We hope this helps to set an initial prevention policy for IP Spoofing in your network.