Home
Using ACL to Mitigate IP Address Spoofing

Using ACL to Mitigate IP Address Spoofing

Rashmi Bhardwaj | | Blog, Config & Troubleshoot, Security |
Advertisements

Spoofing is a practice used to gain unauthorised access to machines/server applications, whereby an attacker unlawfully imitates another machine by manipulating IP packets. Although IP spoofing is not an attack, it is the starting point of many attacks prevalent in today’s networks.

Spoofing attack initiates from outside unsecured Internet and someone on the outside of the LAN network spoofs the company inside IP address to make it look like they are part of the inside of your network.

The key here is to deny RFC 1918 IP block that is coming into your network from the outside interface. In addition to RFC 1918 block of addresses, we also need to block any source coming from local loopback, Network, Broadcast address and multicast range –

RFC 1918 private address block is –

cisco anti spoofing

Other sources to block include –

cisco anti spoofing

Step by step configuration to mitigate IP Spoofing attack is as below –

Step 1 –

Call RFC 1918 block in access list (here ACL is 101)

R1(config)# access-list 101 deny ip 10.0.0.0 0.255.255.255 any logR1(config)# access-list 101 deny ip 172.16.0.0 0.15.255.255 any log

R1(config)# access-list 101 deny ip 192.168.0.0 0.0.255.255 any log

Step 2 –

Call other sources in access list (here ACL is 101)

R1(config)# access-list 101 deny ip 127.0.0.0 0.255.255.255 any logR1(config)# access-list 101 deny ip 0.0.0.0 0.255.255.255 any log

R1(config)# access-list 101 deny ip 224.0.0.0 15.255.255.255 any log

R1(config)# access-list 101 deny ip host 255.255.255.255 any log

R1(config)# access-list 101 permit ip any 192.168.5.0 0.0.0.255

Traffic is permitted to the destination address 192.168.5.0 /24 which is LAN IP Address

Step 3 –

Apply ACL to outside Interface (Gi0/0 is outside/Internet Interface)

R1(config)# interface Gi0/0R1(config-if)# ip access-group 101 in

Not only do we want to prevent people from the outside of our network ‘pretending’ they are inside our network, we also want to prevent our inside people from spoofing to a different IP address as well. The above configuration had a focus on traffic INBOUND to our network,

Below configuration will prevent OUTBOUND traffic from spoofing.

Step 4 –

The only range that is allowed to transmit is my internal network, in this case 192.168.5.0 /24

R1(config)# access-list 110 permit ip 192.168.5.0 0.0.0.255 anyR1(config)# access-list 110 deny ip any any log

Step 5 –

Apply ACL to outside Interface (Gi0/0 is inside/secured Interface)

R1(config)# interface Gi0/1R1(config-if)# ip access-group 110 in

Related- Difference b/w ACL on Router and Firewall

Related- Time-based ACL

 

Tags: ,

Related Posts

About The Author

Rashmi Bhardwaj
More From This Author

I am here to share my knowledge and experience in the field of networking with the goal being - "The more you share, the more you learn." I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband. I am a strong believer of the fact that "learning is a constant process of discovering yourself." - Rashmi Bhardwaj (Author/Editor)

No Responses

Add Comment

Social Media Auto Publish Powered By : XYZScripts.com
Select your currency
USD United States (US) dollar
INR Indian rupee