
Prevent network spoofing: Policies and ACLs

If you're not worried about network spoofing, you should be. Attackers use it against networks in a variety of ways. Network spoofing occurs when an attacker forges the source IP address in the IP header so that a packet appears to come from somewhere it did not; nothing in IP itself checks that the source address is genuine. Classic examples are the Smurf attack and the SYN flood. A Smurf attack sends ICMP echo requests (pings) to a network's broadcast address with the source address forged to be the victim's, so every host that answers the broadcast floods the victim with replies. A SYN flood sends a large number of TCP packets with the SYN flag set and forged source addresses, leaving the target holding half-open connections that never complete. Both attacks are designed to cause a denial of service (DoS).

Spoofing became a problem because TCP/IP was designed for a much more trusting world. The Internet is much like the neighborhoods and cities in which we live: there is probably an abundance of good neighbors, but most likely there are a few bad apples. Spoofing is an easy attack for someone with less-than-honorable intentions. Historically, many hackers viewed DoS as an attack of last resort. Although most spoofing attacks don't allow an attacker to gain system access, they are effective at blocking access for legitimate users. More recently, the threat of DoS attacks has been used to extort money from organizations. In one such example from January 2006, a British site was blackmailed for $50,000, and when it didn't pay, the site was attacked.

If you're ready to put a stop to spoofing, start by taking a look at your firewall security policy. Most of you are probably like me and prefer the in-the-trenches, hands-on work, but policy does play an important role. The firewall policy should be the starting point for dictating what will be filtered and what type of connectivity will be allowed. Settle this before ad hoc decisions are made that may be difficult to defend and could eventually complicate firewall administration.

Basically, policy should drive the security initiative of the organization. Once policies have been developed that prohibit spoofing, implementation will be much easier. For discussions and some examples of firewall policy documents, see:

Protection against spoofing requires some basic sanity checks: quick inspections of the source and destination IP addresses as traffic enters and leaves your network at key choke points, typically the border routers. This practice is standardized as network ingress filtering in RFC 2827 (BCP 38). Here is an example. Let's say you're Cornell University and you own the 128.253.0.0/16 range. You should never receive a packet from the Internet whose source address is in 128.253.0.0/16; such a packet is obviously forged and should be dropped silently, with no ICMP error sent back (the reply would only go to whoever's address was forged). The same goes for packets arriving with source addresses from the private ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which are not routable on the public Internet.

Now consider traffic leaving the 128.253.0.0/16 network. Each packet's source address should be checked to verify that it really is from 128.253.0.0/16. Any other source address on a packet leaving the network is invalid and is most likely an attempt by one of the many viruses, worms or DoS tools in the wild to spoof someone else's address. Your border routers can halt this traffic with a basic access control list (ACL), as demonstrated here in Cisco IOS syntax using our sample range (0.0.255.255 is the wildcard mask that matches the /16):

ip access-list extended EGRESS
 permit ip 128.253.0.0 0.0.255.255 any
 deny ip any any log

Some of you may be thinking, "Is this it?" Actually, it is. Applied in the outbound direction on your Internet-facing interface, this simple ACL allows only packets with properly addressed sources to leave the network and logs all others (if the router also carries traffic for downstream networks, their prefixes must be permitted too). A matching ingress ACL, which drops inbound packets whose source is your own block or an RFC 1918 address, is just as easy. Implementing this pair of ACLs makes your network much more secure against network spoofing and is a small amount of work. The best time to react to network spoofing is before it happens. I hope each of you takes a few minutes to consider these changes and help stop spoofing before it ever happens.
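To make the ingress and egress sanity checks concrete, here is a small added example (not code from the article or its author) that simulates both checks over a handful of constructed packet records and renders the equivalent Cisco IOS ACLs. It goes a little beyond the text: it adds the ingress ACL and, besides RFC 1918 space, drops the other well-known non-routable source ranges (loopback, link-local, 0.0.0.0/8, multicast and 240.0.0.0/4). The 128.253.0.0/16 block is the article's example; the packet records and the ACL names INGRESS and EGRESS are assumptions.

```python
"""Anti-spoofing sanity checks (RFC 2827 / BCP 38 style) as a small simulator.

Added example. OUR_PREFIXES uses the article's 128.253.0.0/16; the packet
records below are constructed by hand and the ACL names are arbitrary.
"""
import ipaddress

IPv4Net = ipaddress.IPv4Network

# Address space we own; the /16 is what the 0.0.255.255 wildcard mask covers.
OUR_PREFIXES = [IPv4Net("128.253.0.0/16")]

# Source addresses that should never arrive from the Internet.
BOGON_SOURCES = [
    IPv4Net("10.0.0.0/8"),       # RFC 1918
    IPv4Net("172.16.0.0/12"),    # RFC 1918
    IPv4Net("192.168.0.0/16"),   # RFC 1918
    IPv4Net("0.0.0.0/8"),        # "this" network
    IPv4Net("127.0.0.0/8"),      # loopback
    IPv4Net("169.254.0.0/16"),   # link-local
    IPv4Net("224.0.0.0/4"),      # multicast is never a valid source
    IPv4Net("240.0.0.0/4"),      # reserved, includes 255.255.255.255
]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def check_ingress(src):
    """Packet arriving from the Internet: drop our own and bogon sources."""
    addr = ipaddress.IPv4Address(src)
    if _in_any(addr, OUR_PREFIXES):
        return "drop", "source claims to be inside our own block"
    if _in_any(addr, BOGON_SOURCES):
        return "drop", "non-routable source address"
    return "permit", "ok"


def check_egress(src):
    """Packet leaving toward the Internet: only our own sources may go out."""
    addr = ipaddress.IPv4Address(src)
    if _in_any(addr, OUR_PREFIXES):
        return "permit", "ok"
    return "drop+log", "source is not ours (spoofed or misrouted)"


def filter_packets(packets):
    """Apply the right check to each (direction, src, dst) record."""
    results = []
    for direction, src, dst in packets:
        check = check_ingress if direction == "in" else check_egress
        verdict, reason = check(src)
        results.append((direction, src, dst, verdict, reason))
    return results


def wildcard(net):
    """Cisco wildcard mask is the inverted subnet mask (the hostmask)."""
    return str(net.hostmask)


def ios_acls(our_prefixes=OUR_PREFIXES, bogons=BOGON_SOURCES):
    """Render the same policy as two IOS named extended ACLs."""
    lines = ["ip access-list extended INGRESS"]
    for net in our_prefixes + bogons:
        lines.append(f" deny ip {net.network_address} {wildcard(net)} any")
    lines.append(" permit ip any any")
    lines.append("ip access-list extended EGRESS")
    for net in our_prefixes:
        lines.append(f" permit ip {net.network_address} {wildcard(net)} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


# Constructed sample traffic: (direction at the border, source, destination).
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "128.253.1.1"),    # ordinary inbound connection
    ("in", "128.253.4.5", "128.253.1.1"),     # Smurf-style: our address from outside
    ("in", "10.1.2.3", "128.253.1.1"),        # RFC 1918 source from the Internet
    ("in", "224.0.0.1", "128.253.1.1"),       # multicast source, never valid
    ("out", "128.253.9.9", "198.51.100.7"),   # legitimate outbound traffic
    ("out", "192.0.2.1", "198.51.100.7"),     # infected host spoofing a stranger
    ("out", "172.20.1.1", "203.0.113.5"),     # private address leaking out
]

if __name__ == "__main__":
    for rec in filter_packets(SAMPLE_PACKETS):
        print("{:<3} {:>14} -> {:<14} {:<8} {}".format(*rec))
    print(ios_acls())
```

Apply the rendered lists on the Internet-facing interface with ip access-group INGRESS in and ip access-group EGRESS out. Two caveats a practitioner should keep in mind: deny ip any any log on a busy link can load the router's CPU, so rate-limit ACL logging, and a router that carries traffic for downstream customers must permit their prefixes in EGRESS or it will black-hole them. On platforms that support it, unicast reverse path forwarding (ip verify unicast source reachable-via rx) performs the same source check automatically from the routing table. To avoid being used as a Smurf amplifier, also make sure directed broadcasts are disabled (no ip directed-broadcast) on every interface.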

About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associate's degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

This was first published in April 2006
