Prevent IP spoofing

Zomboidicus Member Posts: 105
Hello. I have a question to help me understand this.

In the CCNA Security OFG written by Keith Barker, it is mentioned several times that you can prevent IP spoofing by either implementing an ACL on ingress traffic that denies IPs that have the address of:

10.0.0.0/8
172.16 ~ 31.0 /16
192.168.0.0/16
127.0.0.0/8
and so on

Or by implementing unicast reverse path forwarding on an interface.

My question is, how can the addresses that I described above be routed to your network when they are private addresses?
2016 Certification Goals: Who knows :D
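As an added illustration (not from the book or the thread), the following constructed Python model shows what the two mechanisms in the question actually decide: an ingress ACL that drops packets whose source falls in RFC 1918 or loopback space, and a strict unicast RPF check that drops a packet when the best route back to its source does not point out the interface it arrived on. The routing table, interface names and customer prefixes are made up for the example; the corresponding IOS commands are named in comments only for orientation.

```python
"""Constructed model of an edge router's anti-spoofing ingress checks.

This is example code written for this thread, not the book's material and
not real router software. Prefixes, interfaces and routes are invented.
"""
import ipaddress
from typing import Optional

# Source ranges that should never arrive from outside: RFC 1918 plus loopback.
# On IOS these would be "deny ip 10.0.0.0 0.255.255.255 any" and so on in an
# extended ACL applied with "ip access-group <name> in".
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",      # covers 172.16.0.0 through 172.31.255.255
    "192.168.0.0/16",
    "127.0.0.0/8",
)]

# Constructed routing table for an ISP edge router: prefix -> egress interface.
# Gi0/1 and Gi0/2 face two customers; Gi0/0 carries the default route upstream.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # customer A (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer B (TEST-NET-2)
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",        # default route
}


def acl_deny_spoofed_source(src: str) -> bool:
    """Ingress ACL check: True if the packet's source address must be dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def best_route_interface(src: str) -> Optional[str]:
    """Longest-prefix match against ROUTES, as a FIB lookup would do."""
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in ROUTES.items() if addr in net]
    if not matches:
        return None
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def urpf_strict_passes(src: str, ingress_iface: str, allow_default: bool = False) -> bool:
    """Strict uRPF (IOS: 'ip verify unicast source reachable-via rx').

    The packet passes only if the best route back to its source exits the
    interface it arrived on. Like IOS, a match on the default route does not
    count unless allow_default is set.
    """
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in ROUTES.items() if addr in net]
    if not matches:
        return False
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def ingress_decision(src: str, ingress_iface: str) -> str:
    """Apply both checks in the order a router evaluates them on ingress."""
    if acl_deny_spoofed_source(src):
        return "drop:acl"
    if not urpf_strict_passes(src, ingress_iface):
        return "drop:urpf"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets arriving on customer A's interface (Gi0/1).
    for src in ("203.0.113.10", "198.51.100.7", "10.1.1.1", "192.0.2.9"):
        print(f"{src:>14} via Gi0/1 -> {ingress_decision(src, 'Gi0/1')}")
```

Running the sample shows the division of labour: the ACL catches only the well-known private and loopback ranges, while uRPF also catches a customer sourcing packets from another customer's prefix or from any prefix the router has no specific route to. That is why the two are presented as complementary rather than as alternatives.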

Comments

  • SecurityThroughObscurity Member Posts: 212
    The answer is a UDP packet. You don't need to make a 3-way handshake, you can spoof a source address.
    Many ISPs don't use URPF, they don't check the source addresses of their clients, because of this we have seen the increased number of dns amplification attacks.
  • Zomboidicus Member Posts: 105
    Thank you for your reply. That gave me something to look further into this. Please let me know if I'm incorrect.

    I found out that when you use UDP packets to spoof RFC 1918 addresses, it will not be routed back to you. And if the organization's router or ISP's router does not have any implementation to deny it with, it will still forward the packet based on the destination address. For example, an attacker can form attacks using an SNMP shutdown command to routers using UDP packets, and it may succeed if the attacker has somehow obtained the SNMP password. However, the attacker will not receive any confirmation whether it succeeded or not.
    2016 Certification Goals: Who knows :D
  • SecurityThroughObscurity Member Posts: 212
    Yep.
    The question is why do you want to spoof with RFC 1918 addresses - no benefits for you.