enobosarm

IP Address Spoofing Mitigation with Access Control Lists (ACL)

IP spoofing is the act of camouflaging your IP address to make it look like you are someone else. Although IP spoofing is not an attack by itself, it is the starting point of many of the most common attacks found on today’s networks.

 

Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network. Since all private networks worldwide follow the standards of RFC 1918, knowing what IP addresses a company is using inside their network is not complex.

 

RFC 1918 defines that the following IP addresses are usable inside private networks.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

 

Based on the above, the most obvious first step is to deny traffic that has a source IP address inside the RFC 1918 block that is coming into your network from the outside interface. The outside interface should have outside (public) IP addresses as their source. There would be no valid reason for an IP address on the outside of your network falling within that range.

 

Further to the RFC 1918 block of addresses, we also need to block any source coming from the following:

local loopback (127.0.0.1)

network address (0.0.0.0)

broadcast address (255.255.255.255)

Private multicast range (224.0.0.0 /4 )

 

 

Here is the configuration breakdown for the above scenario

 

AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

The above are the RFC 1918 Unicast IP addresses

 

AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Local loopback restriction

 

AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

Network address restriction

 

AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log

Private multicast range restriction

 

AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log

Broadcast source address restriction

 

AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255

There is an implicit deny any at the bottom of every access list, so without a permit statement, NO traffic would be allowed. In the above entry I have allowed any traffic to go to the destination address 192.168.1.0 /24 (My internal network)

 

AOIP.ORG(config)# interface fa0/0

For example purposes FastEthernet 0/0 is my outside interface

 

AOIP.ORG(config-if)# ip access-group 100 in

I have applied this ACL inbound, which will also protect the router from been attacked.

 

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

 

 

Not only do we want to prevent people from the outside of our network ‘pretending’ they are inside our network, we also want to prevent our inside people from spoofing to a different IP address as well. The above configuration had a focus on traffic INBOUND to our network, the below configuration is focused on preventing OUTBOUND traffic from spoofing.

 

AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

The only range that is allowed to transmit is my internal network, in this case 192.168.1.0 /24

 

AOIP.ORG(config)# access-list 105 deny ip any any log

Although there is an implicit ‘deny any’ at the end of all ACL’s, I have included this with the log statement so I can see how many attempts have been made by internal machines to spoof their address before leaving the network

 

AOIP.ORG(config)# interface fa0/1

For example purposes, interface FastEthernet 0/1 is my inside interface

 

AOIP.ORG(config-if)# ip access-group 105 in

I have applied this ACL inbound, which will also protect the router from been attacked.

 

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

 

 

Related posts:

  1. Mitigating Smurf DoS Attacks
  2. DoS TCP SYN Attack Mitigation
  3. Mitigating SubSeven attacks
  4. Restricting access to VTY (Virtual Terminal Lines)
  5. Configuring PAT on Cisco Routers (NAT Overload)


6 Responses to “IP Address Spoofing Mitigation with Access Control Lists (ACL)”

  1. Configure Nat Using Port Address Translation on a Cisco Router | Intro to Business BroadBand Says:

    [...] IP Address Spoofing Mitigation with Access Control Lists (ACL … [...]

  2. Polprav Says:

    Hello from Russia!
    Can I quote a post in your blog with the link to you?

  3. Gregory Despain Says:

    I bookmarked this link. Thank you for good job!

  4. Rob Covello Says:

    I understand the need to create IP Spoofing, I do have one issue come up.

    I have a webserver on my local LAN.

    Webserver is setup in public DNS relm.

    I recently replaced the linksys with Cisco 1811 router.
    I have added all needed ACL and NAT rules for Website access and externally it works great

    Since I added 1811 router my LAN users are unable to access the site by Name.
    So I assume Cisco see LAN Source as 192.168.x.x and the Cisco thinks its a spoofed address and drops traffic.

    What rules can I added to allow my LAN users acecss to the webserver with its DNS name ?

  5. Jay Says:

    Hi Rob,

    If your users can still access the server with IP address then spoofing is not the problem but rather a DNS problem. Your router doesn’t care if you access with DNS, it only knows about IP addresses and only cares about what the source IP / destination IP / Protocol and Port are required for the connection. If your DNS is resolving to the wrong IP address, this could be the problem, but it all depends if you can still access it via it’s IP address directly?

    Hope this helps,
    Jay

    P.S – Sorry for the delay, I fell off the planet for a while, but I’m back now :)

  6. Tsepo Says:

    Thanks for the clarification, this is perfect

Leave a Reply