Wednesday, 28 May 2008

IP Spoofing

Today’s subject is IP Spoofing and, before you ask, no, I’m not going to tell you how it’s done; you’ll just have to use Google to find that out for yourself.

So here it is: RPF (reverse-path forwarding). The Unicast RPF feature helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network, by discarding IP packets that lack a verifiable IP source address.

This blunts a number of attack methods that rely on falsifying the traffic source to create a denial of service (DoS). When enabled, the device checks the source address of each packet against the interface through which the packet arrived: if the route back to that source does not leave via the arriving interface, the packet is not trusted. This helps defend your network from spoofed packets that are causing problems.

Note: Unicast RPF should not be used on interfaces that are internal to the network.

Verifying the source address of IP traffic against the routing table reduces the possibility that an attacker can spoof the source of an attack. Packets are dropped if the device determines, by checking its routing table, that there is no feasible path back to the source address through the interface on which the packet arrived.

Enabling reverse-path verification in environments with asymmetric routing can adversely affect legitimate traffic (a genuine packet can arrive on an interface that is not the route back to its source), so be careful about the environment you use this in; for some 80% of you this should not be an issue.

So here are the commands.

On a Cisco ASA (this is a global configuration command, so it is not entered under the interface itself)

ip verify reverse-path interface {interface_name}


On a Cisco Router the commands are

ip cef distributed
interface {interface_name}
 ip verify unicast reverse-path


But there are some other points about the router that you need to know.

The ip cef distributed command enables CEF or distributed CEF on the router; Unicast RPF needs CEF for its lookups. Distributed CEF is required for routers that use a Route Switch Processor (RSP) and Versatile Interface Processor (VIP), and that requirement includes Unicast RPF.

You might want to disable CEF or distributed CEF (dCEF) on a particular interface if that interface is configured with a feature that CEF or dCEF does not support.

In this case, you would enable CEF globally, but disable CEF on a specific interface using the

interface {interface_name}
 no ip route-cache cef


command, which leaves every interface but that one using express forwarding. If you have disabled CEF or dCEF operation on an interface and want to re-enable it, you can do so by using the

interface {interface_name}
 ip route-cache cef


command in interface configuration mode.

You can also combine an access list with RPF to log, or selectively forward or drop, packets that fail the check, using ip verify unicast reverse-path {list number}.

In this next example the logging option is turned on for each access list entry, and dropped packets are counted per interface and globally. Packets with a source address of 172.16.101.100 arriving at interface S0/1 are forwarded, even though they fail the reverse-path check, because of the permit statement in access list 197.

Access list information about dropped or suppressed packets is logged to the log server (the logging option is turned on for the access list entry).

interface s0/1
 ip verify unicast reverse-path 197

access-list 197 deny ip 172.16.101.0 0.0.0.63 any log-input
access-list 197 permit ip 172.16.101.64 0.0.0.63 any log-input
access-list 197 deny ip 172.16.101.128 0.0.0.63 any log-input
access-list 197 permit ip 172.16.101.192 0.0.0.63 any log-input
access-list 197 deny ip host 0.0.0.0 any log
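
To make the behaviour concrete, here is a small Python model of the strict reverse-path check and the access-list fallback described above. It is an added example, not code from the original post or from Cisco; the routing table and interface names are constructed, and the access list is the post's list 197 translated line for line.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample routing table, not from the original post: the
# interface the router would use to reach each prefix (the "route back").
ROUTES = [
    (ipaddress.ip_network("172.16.101.0/24"), "Ethernet0"),
    (ipaddress.ip_network("10.0.0.0/8"), "s0/1"),
]

def acl_entry(action: str, source: str, wildcard: Optional[str] = None, log: bool = True):
    """Translate an IOS ACL line. 'host x' has no wildcard, so it becomes /32;
    a contiguous wildcard such as 0.0.0.63 is accepted by ipaddress as a hostmask."""
    mask = "32" if wildcard is None else wildcard
    return action, ipaddress.ip_network(f"{source}/{mask}"), log

# Access list 197 from the post, first match wins (top-down, like IOS).
ACL_197 = [
    acl_entry("deny",   "172.16.101.0",   "0.0.0.63"),
    acl_entry("permit", "172.16.101.64",  "0.0.0.63"),
    acl_entry("deny",   "172.16.101.128", "0.0.0.63"),
    acl_entry("permit", "172.16.101.192", "0.0.0.63"),
    acl_entry("deny",   "0.0.0.0"),
]

def route_back(src: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match on the source address; None if there is no route."""
    matches = [(p.prefixlen, iface) for p, iface in ROUTES if src in p]
    return max(matches)[1] if matches else None

def urpf_strict(src: str, in_iface: str, acl=ACL_197) -> Tuple[str, str]:
    """Strict uRPF: pass when the route back to src leaves via in_iface.
    On failure consult the ACL (permit forwards anyway, deny drops);
    with no matching line the packet is simply dropped."""
    addr = ipaddress.ip_address(src)
    if route_back(addr) == in_iface:
        return "forward", "rpf-pass"
    for action, net, log in acl:
        if addr in net:
            verdict = "forward" if action == "permit" else "drop"
            return verdict, f"rpf-fail acl-{action}" + (" logged" if log else "")
    return "drop", "rpf-fail"

if __name__ == "__main__":
    # 172.16.101.100 fails the check on s0/1 (route back is Ethernet0) but
    # is forwarded by the permit line, exactly as the post describes.
    for src in ("10.1.2.3", "172.16.101.100", "172.16.101.10", "0.0.0.0", "192.0.2.7"):
        print(src, "on s0/1 ->", urpf_strict(src, "s0/1"))
```

The same source that is rescued by the permit line on s0/1 passes the plain check when it arrives on Ethernet0, which is the asymmetric-routing case the post warns about.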


How you configure the access list for your RPF is up to you, as you'll know more about the packets you're expecting on your network, but I would suggest you always keep the logging option on at first until you're happy with your setup.

Also keep an eye on the CPU load of the router and ASA, as these options can consume CPU if you have a fast connection with lots of traffic going over it.
