Spoofing has been able to become a problem because TCP/IP was designed for a much more trusting world. The Internet is much like the neighborhoods and cities in which we live. There is probably an abundance of good neighbors, but most likely there are a few bad apples. Spoofing is an easy attack for someone who has less-than-honorable intentions. Historically, many hackers viewed DoS as an attack of last resort. Although most spoofing attacks don't allow an attacker to gain system access, they are effective at blocking access for legitimate users. More recently, the threat of DoS attacks has been used to extort money from organizations. In one such example from January 2006, a British site was blackmailed for $50,000, and when they didn't pay, the site was attacked.
If you're ready to put a stop to spoofing, you will want to start by taking a look at your firewall security policy. Most of you are probably like me and prefer the in-the-trenches, hands-on work. Policy does play an important role, however. The firewall policy should be the starting point for dictating what will be filtered and what type of connectivity will be allowed. This should be considered before ad hoc decisions are made that may be difficult to defend and could even eventually complicate firewall administration.
Basically, policy should drive the security initiative of the organization. Once policies have been developed that prohibit spoofing, implementation will be much easier. For discussions and some examples of firewall policy documents, see:
- Special Publication 800-41 Guidelines on Firewalls and Firewall Policy Recommendations: A NIST document describing firewall guidelines and policies.
- Configure firewall packet filtering: How to design anti-spoofing rules and put them at the top of each rule set.
- Firewall + Firewall Policy = Improved Security: An article by Etienne Greeff from Help Net Security.
Protection against spoofing requires that you perform some basic sanity checks. Sanity checks are just quick inspections of source and destination IP addresses as traffic ingresses and egresses your network at key choke points. Here is an example: Let's say you're Cornell University and you own the 188.8.131.52 network range. This means that you should never receive a packet from the Internet that has a source address from the 184.108.40.206 network. Any packets received from that network should be dropped; there's no reason even to respond with an ICMP message as it's obviously a forged address. Packets specified in RFC 1918, addresses allocated for private internets, should also be dropped.
Let's now consider traffic leaving the 220.127.116.11 network. These packets should have the source address examined to verify that they are truly from the 18.104.22.168 network. Any other source address found in a packet leaving the network is invalid and is most likely an attempt by one of the many viruses, worms, or DoS tools that are in the wild to spoof someone else's network address. Your border routers can be used to halt this traffic just by implementing a basic access control list (ACL), as demonstrated here using our sample address of 22.214.171.124:
Access-list Egress Permit 126.96.36.199 0.0.255.255 Any
Access-list Egress Deny IP Any Any Log
Some of you may be thinking, "Is this it?" Actually, it is; this simple ACL allows only properly addressed source packets to leave the network and logs all others. Implementing a simple ingress and egress ACL can make your network much more secure against network spoofing and is actually easy to implement. The best time to react to network spoofing is before it happens. I hope each of you takes a few minutes to consider these changes and help stop spoofing before it ever happens.
About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associates degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
This was first published in April 2006