How to use ACLs in routers to prevent IP address spoofing

One method that attackers often use to obtain network information is to impersonate a trusted member of a network. The attacker cheats the source IP address in the packet and sends it to the internal network. An attacker would only need to change the source IP address in the packet to an address that belonged to an internal subnet.

1. Inbound

Rules

Never allow packets of any source address that are internal host addresses or network addresses to enter a private network.

RB (config) #access-list deny IP 127.0.0.0 0.255.255.255 any log

RB (config) #access-list deny IP 0.0.0.0 255.255.255.255 any log

RB (config) #access-list deny IP 10.0.0.0 0.255.255.255 any log

RB (config) #access-list deny IP 172.16.0.0 0.15.255.255 any log

RB (config) #access-list deny IP 192.168.0.0 0.0.255.255 any log

RB (config) #access-list deny IP 224.0.0.0 15.255.255.255 any log

RB (config) #access-list deny IP host 255.255.255.255 any log

RB (config) #access-list permit IP any

RB (config) #interface serial 2/0

RB (config-if) #ip Access-group in

The function of the back log is that it will be displayed on the console when the packet applies the policy denied.

This access control list rejects any packets from the following source address:

n any local host address (127.0.0.0/8);

N any reserved private address;

n Any multicast IP address (224.0.0.0/4).

2. Outbound

Rules

You should never allow IP packets outbound that contain a valid address for a non-internal network.

RB (config) #access-list permit IP 192.168.0.0 0.0.255.255 any

RB (config) #access-list deny IP any log

RB (config) #interface serial 2/0

RB (conofig-if) #ip Access-group

More Wonderful content: http://www.bianceng.cnhttp://www.bianceng.cn/Network/lyjs/