
Prevent network spoofing: Policies and ACLs

Network spoofing occurs when the attacker forges the source or destination address in the IP header, ultimately causing a Denial of Service. In this tip, security expert Michael Gregg explains how implementing a good firewall security policy and a simple access control list can reduce your vulnerability to spoofing attacks.

If you're not worried about network spoofing, you should be. It can be used by attackers to target networks in a variety of ways. Network spoofing occurs when the attacker forges the source or destination IP address in the IP header. Classic examples of spoofing include the Smurf attack and the SYN flood. Smurf attacks function by sending spoofed ping packets that appear to originate from the victim's source address to the network's broadcast address. The SYN flood attack sends a large number of packets with spoofed source addresses and the SYN flag set. Both attacks are designed to cause a denial of service (DoS).

Spoofing became a problem because TCP/IP was designed for a much more trusting world. The Internet is much like the neighborhoods and cities in which we live. There is probably an abundance of good neighbors, but most likely there are a few bad apples. Spoofing is an easy attack for someone who has less-than-honorable intentions. Historically, many hackers viewed DoS as an attack of last resort. Although most spoofing attacks don't allow an attacker to gain system access, they are effective at blocking access for legitimate users. More recently, the threat of DoS attacks has been used to extort money from organizations. In one such example from January 2006, a British site was blackmailed for $50,000, and when they didn't pay, the site was attacked.

If you're ready to put a stop to spoofing, you will want to start by taking a look at your firewall security policy. Most of you are probably like me and prefer the in-the-trenches, hands-on work. Policy does play an important role, however. The firewall policy should be the starting point for dictating what will be filtered and what type of connectivity will be allowed. This should be considered before ad hoc decisions are made that may be difficult to defend and could even eventually complicate firewall administration.

Basically, policy should drive the security initiative of the organization. Once policies have been developed that prohibit spoofing, implementation will be much easier. For discussions and some examples of firewall policy documents, see:

Protection against spoofing requires that you perform some basic sanity checks. Sanity checks are just quick inspections of source and destination IP addresses as traffic ingresses and egresses your network at key choke points. Here is an example: Let's say you're Cornell University and you own the network range. This means that you should never receive a packet from the Internet that has a source address from the network. Any packets received from that network should be dropped; there's no reason even to respond with an ICMP message as it's obviously a forged address. Packets specified in RFC 1918, addresses allocated for private internets, should also be dropped.

Let's now consider traffic leaving the network. These packets should have the source address examined to verify that they are truly from the network. Any other source address found in a packet leaving the network is invalid and is most likely an attempt by one of the many viruses, worms, or DoS tools that are in the wild to spoof someone else's network address. Your border routers can be used to halt this traffic just by implementing a basic access control list (ACL), as demonstrated here using our sample address of

Access-list Egress Permit Any
Access-list Egress Deny IP Any Any Log

Some of you may be thinking, "Is this it?" Actually, it is; this simple ACL allows only packets with a properly addressed source to leave the network and logs all others. A simple ingress and egress ACL is easy to implement and makes your network much more secure against network spoofing. The best time to react to network spoofing is before it happens. I hope each of you takes a few minutes to consider these changes and help stop spoofing before it ever happens.
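The two sanity checks described above (ingress: drop packets that claim our own prefix or an RFC 1918 address; egress: permit only our own prefix and log everything else) can be modelled in a few lines so that you can test the logic against sample traffic before touching a router. The following is an added example, not code from the article or its author; it uses the documentation range 203.0.113.0/24 as a stand-in for the site prefix that the article elides, and the packets it checks are constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Stand-in for the site's own address range (the article's sample address is elided;
# 203.0.113.0/24 is a documentation-only range used here as an assumption).
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges: these should never arrive from the Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "ingress" (arriving from the Internet) or "egress" (leaving our network)


def classify(pkt: Packet) -> Tuple[str, str]:
    """Apply the border sanity checks to one packet.

    Returns (action, reason) where action is "permit" or "deny".
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "ingress":
        # A packet from the Internet can never legitimately carry our own source address.
        if src in SITE_PREFIX:
            return "deny", "ingress packet claims our own prefix (forged source)"
        for net in RFC1918:
            if src in net:
                return "deny", f"ingress packet from RFC 1918 space {net}"
        return "permit", "ingress source is an external address"
    if pkt.direction == "egress":
        # This branch is the two-line egress ACL: permit our prefix, deny (and log) the rest.
        if src in SITE_PREFIX:
            return "permit", "egress source belongs to our network"
        return "deny", "egress source is not ours (spoofed); logged"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets: List[Packet]) -> Tuple[List[Tuple[Packet, str, str]], List[str]]:
    """Classify every packet; return (results, log). Only denied packets are logged,
    mirroring the 'deny ip any any log' line of the ACL."""
    results, log = [], []
    for pkt in packets:
        action, reason = classify(pkt)
        results.append((pkt, action, reason))
        if action == "deny":
            log.append(f"DENY {pkt.direction} src={pkt.src} dst={pkt.dst}: {reason}")
    return results, log


# Constructed sample traffic (not captured data) exercising each rule.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "203.0.113.1", "ingress"),    # forged: our own address from outside
    Packet("10.1.2.3", "203.0.113.1", "ingress"),       # RFC 1918 source from the Internet
    Packet("198.51.100.7", "203.0.113.1", "ingress"),   # ordinary external source
    Packet("203.0.113.10", "198.51.100.7", "egress"),   # legitimate outbound packet
    Packet("192.0.2.99", "198.51.100.7", "egress"),     # spoofed outbound source
]

if __name__ == "__main__":
    results, log = filter_packets(SAMPLE_PACKETS)
    for pkt, action, reason in results:
        print(f"{action:6} {pkt.direction:7} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
    print("\n".join(log))
```

Running the script prints one line per packet and then the deny log; three of the five constructed packets are dropped, and the log entries are exactly what you would expect to see from the `log` keyword on the router's deny line.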

About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

This was last published in April 2006
