IP Spoofing Question

Computadora

I was watching the CBT nuggets security+ videos where the presenter mentioned that a way to mitigate IP spoofing was to use private address space or RFC 1918 for your internal network. I do not understand though why can an attacker not spoof a private IP address?

sidsanders

the reason might be: the priv ip ranges theoretically should never arrive on your internet facing (external) interfaces.

one of the best ways to deal with it is to use firewalls and make sure they can do ip spoofing checks. set the external facing interface to never allow an ip from one of the priv ranges in, and not allow any other ip range that is behind (internal) in from the external side.

froufrou123

Routers drop packets with private IP as the source. In other words, private addresses aren't routable like global public addresses.

broc

froufrou123 wrote: »

Routers drop packets with private IP as the source. In other words, private addresses aren't routable like global public addresses.

Hmm, that's not quite true. Routers won't drop those packets out of the box. It is something you have to configure. Imagine if your internal router was dropping all packets with a private IP in the header, that might cause some problem

QHalo

This might help you understand it a bit better and also some mitigation techniques from a Cisco standpoint.

Prevent IP spoofing with the Cisco IOS

froufrou123

broc wrote: »

Hmm, that's not quite true. Routers won't drop those packets out of the box. It is something you have to configure. Imagine if your internal router was dropping all packets with a private IP in the header, that might cause some problem

I see, so routers must have ACLs rejecting any pckts with private IP addresses as source on downstream ports, also pckts sourced to be outside of internal subnets on upstream ports.

Aside from other helpful links, this link may also help understand the concept: IP Spoofing: An Introduction | Symantec Connect