Use Cisco IOS to prevent IP Address Spoofing Attacks

This article mainly introduces the IP spoofing technology and explains how to use Cisco IOS to prevent IP spoofing, including blocking IP addresses and reverse path forwarding, I believe that reading this article will help you.

The Internet is full of various security threats, one of which is IP address spoofing. The IP spoofing technology is used to forge the IP address of a host. The disguise of IP addresses allows a host to disguise another host, which is often privileged or trusted by another host. Internet Operating System (IOS) is the core software package of Cisco. It is mainly implemented on Cisco routers and switches, and can be used to configure Cisco router hardware, it routes or bridges information from one network to another. To put it bluntly, I0S is the power source of Cisco router products. So how can we use Cisco IOS to prevent IP spoofing?

Blocked IP Address

The first step to prevent IP spoofing is to block IP addresses that may cause risks. Although attackers can fool any IP address, the most common spoofed IP address is a private IP address. For details, see RFC1918) and other types of shared/Special IP addresses.
For example, the author blocks the following IP addresses from following their subnet masks) accessing the local machine from the Internet:
· 10. 0.0.0255.0.0.0)
· 172. 16.0.0385240.0.0)
· 192. 168.0.0255.255.0.0)
· 127. 0.0.0255.0.0.0)
· 224. 0.0.0224.0.0.0)
· 169. 254.0.0255.255.0.0)
The above lists private IP addresses that cannot be routed on the Internet, or IP addresses used for other purposes, so they should not appear on the Internet. If a communication from the Internet uses a specific IP address as the source address, it must be a fraudulent communication.

In addition, other commonly spoofed IP addresses are any internal IP addresses used by your organization. If you are using all the private IP addresses, your range should belong to the IP addresses listed above. However, if you are using your own public IP address range, you should add it to the above list.
Implement access control list (ACL)

The simplest way to prevent spoofing is to use a filter for all Internet communications. Entering the filter will discard any data packets whose source address is the preceding listed address. In other words, it is to create an ACLaccess control list) to discard all data packets that enter the source address of the network as the IP address in the above list.
The following is an example of Configuration:

 

 

	
	
  
 Router# conf t   

	
  
 Enter configuration commands, one per line.  End with CNTL/Z.   

	
  
 Router(config)# ip access-list ext ingress-antispoof   

	
  
 Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any   

	
  
 Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any   

	
  
 Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any   

	
  
 Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any   

	
  
 Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any   

	
  
 Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any   

	
  
 Router(config-ext-nacl)# permit ip any any   

	
  
 Router(config-ext-nacl)# exit   

	
  
 Router(config)#int s0/0   

	
  
 Router(config-if)#ip access-group ingress-antispoof in   


 

Internet service providers (ISPs) must use such filtering in their networks, which is defined in RFC 2267. Note that this ACL operation contains "permit ip any ". In the real world, you may have a formal firewall in the router to protect the internal LAN. Of course, you can use this method to filter all data packets from other subnets in the network that enter the subnet where the local machine is located, to ensure that no one in a subnet will transmit fraudulent data to other networks. You can also implement an "outbound ACL" to prevent IP Address Spoofing from other networks in the internal network. However, remember that this is only part of your global network security policy.

Use reverse route forwarding (IP verification)
Another way to protect the network from IP Address Spoofing is reverse path Forwarding (RPF), that is, IP address verification. In Cisco IOS, the command for reverse path forwarding RPF starts with "ip verify.

RPF works like some features of an anti-spam solution. This function partially receives incoming email messages and finds the source address of the source email, then, perform a check on the sending server to check whether the sender actually exists on the sending server. If the sender does not exist, the server discards the email message because it is very likely a spam.

RPF performs similar operations on data packets. It extracts the source address of a packet from the Internet and checks whether a route exists in the router's route table to respond to the packet. If there is no route in the routing table to respond to the data packet returned to the source IP address, someone sends a fraudulent data packet and the router discards the data packet.
The following shows how to configure Reverse Address forwarding in a vro:

 

 

	
	
  
 Router(config)# ip cef   

	
  
 Router(config)# int serial0/0   

	
  
 Router(config-if)# ip verify unicast reverse-path    


 

It is extremely important to protect private networks from attacks. The three methods we will introduce here will play an important role in protecting your network from IP address spoofing.