
IP Address Spoofing Mitigation with Access Control Lists (ACL)

IP spoofing is the act of camouflaging your IP address to make it look like you are someone else. Although IP spoofing is not an attack by itself, it is the starting point of many of the most common attacks found on today’s networks.


Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network. Since all private networks worldwide follow the standards of RFC 1918, knowing what IP addresses a company is using inside their network is not complex.


RFC 1918 defines that the following IP addresses are usable inside private networks.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255


Based on the above, the most obvious first step is to deny traffic arriving on your outside interface whose source IP address falls inside the RFC 1918 blocks. Packets arriving on the outside interface should carry outside (public) source addresses; there is no valid reason for a packet coming from outside your network to have a source address in those ranges.


In addition to the RFC 1918 blocks, we also need to deny any packet arriving from outside with a source address in the following:

local loopback (127.0.0.1)

network address (0.0.0.0)

broadcast address (255.255.255.255)

Private multicast range (224.0.0.0 /4 )


Here is the configuration breakdown for the above scenario:


AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

The three entries above deny the RFC 1918 private unicast ranges as source addresses.


AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Local loopback restriction


AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

Network address restriction


AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log

Private multicast range restriction


AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log

Broadcast source address restriction


AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255

There is an implicit deny any at the bottom of every access list, so without a permit statement, NO traffic would be allowed. In the above entry I have allowed any traffic to go to the destination address 192.168.1.0 /24 (my internal network).


AOIP.ORG(config)# interface fa0/0

For example purposes, FastEthernet 0/0 is my outside interface.


AOIP.ORG(config-if)# ip access-group 100 in

I have applied this ACL inbound, which will also protect the router itself from being attacked.


AOIP.ORG(config-if)# exit

AOIP.ORG(config)#


Not only do we want to prevent people outside our network from ‘pretending’ they are inside it, we also want to prevent our inside users from spoofing a different IP address. The above configuration focused on traffic INBOUND to our network; the configuration below focuses on preventing OUTBOUND traffic from being spoofed.


AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

The only source range allowed to transmit is my internal network, in this case 192.168.1.0 /24.


AOIP.ORG(config)# access-list 105 deny ip any any log

Although there is an implicit ‘deny any’ at the end of all ACLs, I have included this explicitly with the log keyword so I can see how many attempts internal machines have made to spoof their source address before leaving the network.


AOIP.ORG(config)# interface fa0/1

For example purposes, interface FastEthernet 0/1 is my inside interface.


AOIP.ORG(config-if)# ip access-group 105 in

I have applied this ACL inbound on the inside interface, which will also protect the router itself from being attacked.


AOIP.ORG(config-if)# exit

AOIP.ORG(config)#
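To show how the two lists above actually evaluate a packet (first match wins, inverse wildcard masks, the implicit deny that does not log), here is a small model of Cisco numbered-ACL matching in Python. It is an added example, not IOS code and not from the original post: it parses the exact `access-list 100` and `access-list 105` entries shown above and runs constructed sample packets through them. The helper names (`parse_ace`, `evaluate`, `inbound`, `outbound`) and the 203.0.113.0/24 addresses used as "public" sources are my own choices for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a model of Cisco IOS numbered-ACL matching, written to
# illustrate the anti-spoofing lists in this post. Not IOS code and not the
# original author's. Cisco wildcard masks are the inverse of subnet masks:
# a 0 bit in the wildcard must match, a 1 bit is "don't care".

ANY = (0, 0xFFFFFFFF)          # "any": network 0 with an all-ones wildcard


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    log: bool


def _addr(tokens):
    """Consume one address spec from the token list: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST [log]', with or without the prompt."""
    tokens = line.split("# ", 1)[-1].split()   # drop an 'AOIP.ORG(config)# ' prompt if present
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    rest = tokens[4:]
    src_net, src_wild = _addr(rest)
    dst_net, dst_wild = _addr(rest)
    return number, Ace(action, src_net, src_wild, dst_net, dst_wild, "log" in rest)


def build_acls(lines):
    """Group parsed entries by ACL number, preserving order (first match wins)."""
    acls = {}
    for line in lines:
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def _matches(addr, net, wild):
    care = ~wild & 0xFFFFFFFF          # the bits that must match exactly
    return (addr & care) == (net & care)


def evaluate(aces, src, dst):
    """Return (action, logged) for a packet; unmatched packets hit the implicit deny (no log)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action, ace.log
    return "deny", False               # implicit deny any at the end of every ACL


# The entries from the post, exactly as typed at the config prompt.
CONFIG = """
AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log
AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255
AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
AOIP.ORG(config)# access-list 105 deny ip any any log
""".strip().splitlines()

ACLS = build_acls(CONFIG)


def inbound(src, dst):
    """ACL 100 as applied 'in' on the outside interface (fa0/0)."""
    return evaluate(ACLS[100], src, dst)


def outbound(src, dst):
    """ACL 105 as applied 'in' on the inside interface (fa0/1)."""
    return evaluate(ACLS[105], src, dst)


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is a documentation range standing in for the Internet.
    for src, dst in [("10.1.2.3", "192.168.1.10"), ("203.0.113.5", "192.168.1.10"),
                     ("203.0.113.5", "192.168.2.10"), ("239.1.1.1", "192.168.1.1")]:
        print("inbound ", src, "->", dst, inbound(src, dst))
    for src, dst in [("192.168.1.50", "203.0.113.5"), ("10.0.0.9", "203.0.113.5")]:
        print("outbound", src, "->", dst, outbound(src, dst))
```

Two things the model makes visible that the config alone does not: a public source aimed at a destination outside 192.168.1.0/24 is dropped by the implicit deny on ACL 100 without a log entry, which is why the post adds an explicit `deny ip any any log` to ACL 105 when counting spoof attempts matters; and the `host 255.255.255.255` entry relies on a wildcard of all zeros, so only an exact match on the broadcast address is denied there.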
