IP spoofing is one of the most common network attacks, yet many security designs and solutions lack this fundamental proactive prevention technique. Usually, I see people implementing reactive prevention. My recommendation is to apply proactive security measures to protect the network from any unforeseen IP spoofing attacks.
How does it work
An IP spoofing attack is one in which an intruder disguises itself by using the source IP address of a trusted host in order to gain access to specific resources on a trusted network. IP spoofing is essentially forging or falsifying (spoofing) the source IP address in IP packets: the intruder crafts an IP datagram with a source IP address that does not belong to them.
Applications of IP spoofing
Many other attacks rely on IP spoofing. In a Smurf attack (also known as ICMP flooding), for example, an intruder sends a large number of ICMP echo requests (pings) to the broadcast address of a reflector subnet, with the source address of each packet spoofed to be the address of the target victim. For each packet the attacker sends, hosts on the reflector subnet respond to the target victim, flooding the victim's network and causing congestion that results in a denial of service (DoS).
Therefore, it is an essential best practice to implement anti-spoofing mechanisms to prevent IP spoofing wherever feasible.
Anti-spoofing control measures should be implemented at every practical point in the network, but they are usually most effective at the borders between large address blocks or between domains of network administration.
RFC Standard
RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, also published as Best Current Practice 38 (BCP 38), dictates that no IP packets should be sent out to the Internet with a source address other than one of the addresses allocated to your network.
Mitigation techniques
There are three fundamental techniques for implementing an anti-spoofing mechanism to prevent IP spoofing:
1) Anti-spoofing with Access Lists
As networks vary and the configuration depends on network boundaries and address-space allocations, there is no template or straightforward sample configuration that can provide a list of commands for anti-spoofing access lists. However, the basic objective is to drop packets that arrive on interfaces that are not viable paths from the supposed source addresses of those packets. In summary, configure the ACL to:
• Deny incoming packets whose source address is allocated to your network
• Deny outbound packets whose source address is not allocated to your network
In general, anti-spoofing ACLs are best deployed as input access lists; that is, packets must be filtered at the ingress interfaces, not at the interfaces through which they exit the router. The input access list also protects the router itself from spoofing attacks, whereas an output list protects only devices behind the router.
For more details, refer to the Cisco IOS Security Configuration Guide, Release 12.4:
Access Control Lists: Overview and Guidelines
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_acl_ov_guideline_ps6350_TSD_Products_Configuration_Guide_Chapter.html
2) Anti-spoofing with uRPF
Unicast Reverse Path Forwarding (uRPF) is another common technique for mitigating source address spoofing. It discards IP packets whose source address cannot be verified against the IP routing table: the source address of each packet is checked to ensure that the route back to the source uses the same interface on which the packet arrived. If the input interface is not a feasible path to the source network, the packet is dropped.
There are two types of uRPF implementation:
• Strict mode, for the network ingress edge, complying with RFC 2827 filtering and Best Current Practice 38 (BCP 38)
• Loose mode, for ISP-to-ISP edges and for RTBH (remotely triggered black hole) filtering
For more details, refer to the Cisco IOS Security Configuration Guide, Release 12.4:
Configuring Unicast Reverse Path Forwarding
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6350_TSD_Products_Configuration_Guide_Chapter.html
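As an added example (not from this post or from Cisco's documentation), the following Python models the decision rules of the anti-spoofing ACL from section 1 and of strict and loose uRPF described above, applied on one hypothetical border router with a constructed routing table; the interface names, address blocks and the treatment of the default route (counted only when an allow-default flag is set, assumed to mirror IOS) are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for a hypothetical border router (not from the post).
# RFC 5737 documentation ranges: 203.0.113.0/24 and 198.51.100.0/24 are the
# blocks allocated to "our" network; Gi0/0 faces the ISP via a default route.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "Gi0/1"),   # internal segment A
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # internal segment B
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # default route to ISP
]
INTERNET_IFACE = "Gi0/0"
OUR_BLOCKS = [net for net, _ in ROUTES if net.prefixlen > 0]


def lookup(src: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match: interface the router would use to reach src.
    The default route counts only with allow_default (assumed to mirror IOS)."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in ROUTES:
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_ingress(src: str, iface: str) -> bool:
    """RFC 2827 rule from the post as an *input* ACL: the Internet-facing
    interface drops packets claiming one of our blocks; internal interfaces
    drop packets whose source is not one of our blocks. True = permit."""
    is_ours = any(ipaddress.ip_address(src) in blk for blk in OUR_BLOCKS)
    return (not is_ours) if iface == INTERNET_IFACE else is_ours


def urpf_strict(src: str, iface: str, allow_default: bool = False) -> bool:
    """Strict mode: the best route back to src must exit via the ingress
    interface, so asymmetric routing causes legitimate packets to be dropped."""
    return lookup(src, allow_default) == iface


def urpf_loose(src: str, iface: str, allow_default: bool = False) -> bool:
    """Loose mode: any route to src suffices, whatever the interface."""
    return lookup(src, allow_default) is not None


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, claimed source address).
    for iface, src in [("Gi0/0", "203.0.113.5"), ("Gi0/0", "192.0.2.9"),
                       ("Gi0/1", "198.51.100.7"), ("Gi0/1", "192.0.2.9")]:
        print(iface, src, acl_ingress(src, iface),
              urpf_strict(src, iface, True), urpf_loose(src, iface))
```

Running it shows that loose mode permits the packet arriving on Gi0/0 that claims 203.0.113.5 (a route to that source exists), whereas both the ACL and strict mode drop it, and that strict mode on Gi0/0 needs allow-default to pass genuine Internet sources.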
3) Anti-spoofing with IP Source Guard
IP Source Guard is a Layer 2 security feature that prevents IP spoofing attacks by restricting IP traffic on untrusted Layer 2 ports to clients with an assigned IP address.
This feature works by filtering IP traffic with a source IP address other than that assigned via Dynamic Host Configuration Protocol (DHCP) or static configuration on the untrusted Layer 2 ports.
The IP Source Guard feature works in combination with the DHCP snooping feature available on Catalyst switches and is enabled on untrusted Layer 2 ports. For more details, refer to the Catalyst 3560 Switch Software Configuration Guide, Release 12.2(44)SE:
Understanding & Configuring IP Source Guard
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294398
I hope the above provides a basic understanding of IP spoofing attacks and of the various mitigation techniques available for implementing anti-spoofing mechanisms.
http://www.slideshare.net/apijay/ip-spoofing-attacks