Preventing unwanted dial-ins

I work for an ISP. Someone is dialing into our network using the gateway router's IP, which is not allowing people that dial directly in (that don't have equipment onsite) to go out on the Internet. This person is using user accounts that have easy passwords. What would you suggest that we put in place to stop this from happening?

It's not entirely clear from your question what your setup is -- presumably when someone dials in, they are assigned an address from your dialup pool. This pool should NOT include the address of your gateway router, which means that the person is spoofing your router's IP address. But, your message implies that this person is in fact using a registered IP address, and the duplicate address is causing routing problems that are preventing your other users from reaching the router correctly.

First, then, check your dialup pool to make sure you have not mistakenly included your router's IP in the available addresses.

Second, if the person is breaking in using others' accounts, you should take whatever steps are outlined in your policy on unauthorized use -- presumably you would at least contact the owners of those accounts, inform them of suspected unauthorized use, and advise that they change their passwords.

If the person is using a spoofed address, you can use ingress and egress filtering to block the spoofed traffic. Clearly you should not see traffic originating from your gateway router's IP coming from your dial-up connections. Configure the packet-filtering device closest to your dialup systems to only accept traffic from your "known good" block of IP addresses (i.e., your dial up pool).

Spoofed packets often do not route properly because they are using a false IP address that is not native to the network segment they originate from. Attackers will sometimes use source routing to circumvent this problem, actually specifying the route the packet should take through the network. Your routers, firewalls, etc. should be configured to drop source-routed packets.

This was last published in July 2001
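
The two filtering rules from the answer above (accept only dial-up pool sources, drop source-routed packets), sketched as an added example that is not part of the original answer. The pool, the gateway address and all function names are assumptions made for illustration; the sample headers are constructed.

```python
import ipaddress
import struct

# Assumed addresses (RFC 5737 documentation ranges), not taken from the page.
DIALUP_POOL = ipaddress.ip_network("192.0.2.0/25")
GATEWAY_IP = ipaddress.ip_address("192.0.2.254")
# IPv4 option types for Loose / Strict Source and Record Route.
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}

def build_header(src, options=b""):
    """Build a constructed IPv4 header (checksum left at 0) as sample input."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("198.51.100.10").packed) + options

def source_route_option(header):
    """Walk the option area; return 'LSRR', 'SSRR', 'malformed' or None."""
    opts, i = header[20:(header[0] & 0x0F) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:                                 # No-Operation (one byte)
            i += 1
            continue
        if kind in SOURCE_ROUTE_OPTS:
            return SOURCE_ROUTE_OPTS[kind]
        if i + 1 >= len(opts) or opts[i + 1] < 2:     # bad length byte
            return "malformed"
        i += opts[i + 1]
    return None

def filter_dialup_ingress(header):
    """Return (action, reason) for a packet arriving on a dial-up interface."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return ("drop", "not a valid IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        return ("drop", "bad header length")
    src = ipaddress.ip_address(header[12:16])
    if src == GATEWAY_IP:
        return ("drop", "spoofed gateway address")
    if src not in DIALUP_POOL:
        return ("drop", "source outside dial-up pool")
    opt = source_route_option(header)
    if opt:
        return ("drop", f"IP options: {opt}")
    return ("accept", "source in dial-up pool")
```

On a real router or firewall the same decisions are expressed as an inbound filter on the dial-up interfaces plus the platform's setting for discarding source-routed packets.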
