IP spoofing is the act of forging the source IP address of a packet so that it appears to come from someone else. Although IP spoofing is not an attack by itself, it is the starting point of many of the most common attacks found on today's networks.
Most, but not all, spoofing attacks start with someone outside your network forging a source address that looks like it belongs inside your network. Since private networks worldwide follow RFC 1918, guessing which address ranges a company uses internally is not difficult.
RFC 1918 defines the following address blocks as usable inside private networks:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Based on the above, the most obvious first step is to deny any packet arriving on your outside interface whose source address falls inside an RFC 1918 block. Packets arriving on the outside interface should carry outside (public) source addresses; there is no valid reason for a packet from the outside of your network to have a source address in those ranges.
In addition to the RFC 1918 blocks, we also need to block any packet whose source address falls in the following:
local loopback (127.0.0.1)
network address (0.0.0.0)
broadcast address (255.255.255.255)
Private multicast range (224.0.0.0/4)
Here is the configuration breakdown for the above scenario:
AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
The three entries above cover the RFC 1918 unicast address blocks.
AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Local loopback restriction
AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
Network address restriction
AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
Private multicast range restriction
AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log
Broadcast source address restriction
AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255
There is an implicit deny any at the bottom of every access list, so without a permit statement NO traffic would be allowed. In the entry above I have allowed any traffic destined for 192.168.1.0/24 (my internal network).
AOIP.ORG(config)# interface fa0/0
For example purposes, FastEthernet 0/0 is my outside interface.
AOIP.ORG(config-if)# ip access-group 100 in
I have applied this ACL inbound, which also protects the router itself from being attacked.
AOIP.ORG(config-if)# exit
AOIP.ORG(config)#
Not only do we want to prevent people outside our network from 'pretending' they are inside it, we also want to prevent our own inside hosts from spoofing a different IP address. The configuration above focused on traffic INBOUND to our network; the configuration below focuses on preventing spoofed OUTBOUND traffic.
AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
The only range allowed to transmit is my internal network, in this case 192.168.1.0/24.
AOIP.ORG(config)# access-list 105 deny ip any any log
Although there is an implicit 'deny any' at the end of all ACLs, I have included this entry with the log keyword so I can see how many attempts internal machines have made to spoof their address before leaving the network.
AOIP.ORG(config)# interface fa0/1
For example purposes, FastEthernet 0/1 is my inside interface.
AOIP.ORG(config-if)# ip access-group 105 in
I have applied this ACL inbound, which also protects the router itself from being attacked.
AOIP.ORG(config-if)# exit
AOIP.ORG(config)#
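To check what the bogon filter described earlier and the two access lists above (ACL 100 inbound on the outside interface, ACL 105 inbound on the inside interface) actually do with a packet, here is an added example of my own; it is not code from this post or from Cisco. It implements the IOS wildcard-mask match (a 0 bit in the wildcard must match, a 1 bit is a don't-care), first-match evaluation and the implicit deny at the end of every list, then runs constructed sample packets through both lists. The sample addresses 203.0.113.5 and 198.51.100.1 are taken from the RFC 5737 documentation ranges and stand in for arbitrary public hosts.

```python
"""Added example: a small evaluator for Cisco-style extended IP ACLs, used to
trace the anti-spoofing lists from the post against sample packets.
Not part of the original post; the packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: str           # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str           # same syntax as src
    log: bool = False  # the IOS "log" keyword


def _match(spec: str, ip: str) -> bool:
    """IOS wildcard match: bits that are 0 in the wildcard must equal the base,
    bits that are 1 are ignored. Works for non-contiguous wildcards too."""
    if spec == "any":
        return True
    addr = int(ipaddress.ip_address(ip))
    if spec.startswith("host "):
        return addr == int(ipaddress.ip_address(spec.split()[1]))
    base, wildcard = spec.split()
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (addr & care) == (int(ipaddress.ip_address(base)) & care)


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, bool]:
    """First matching entry wins. A packet that matches nothing hits the
    implicit 'deny any', which is never logged."""
    for entry in acl:
        if _match(entry.src, src) and _match(entry.dst, dst):
            return entry.action, entry.log
    return "deny", False


def wildcard_to_cidr(base: str, wildcard: str) -> str:
    """Show the prefix a contiguous wildcard corresponds to (0.15.255.255 -> /12).
    ipaddress accepts a hostmask after the slash; non-contiguous masks raise."""
    return str(ipaddress.ip_network(f"{base}/{wildcard}", strict=False))


# ACL 100 from the post: inbound on the outside interface (fa0/0).
ACL_100 = [
    Entry("deny", "10.0.0.0 0.255.255.255", "any", log=True),
    Entry("deny", "172.16.0.0 0.15.255.255", "any", log=True),
    Entry("deny", "192.168.0.0 0.0.255.255", "any", log=True),
    Entry("deny", "127.0.0.0 0.255.255.255", "any", log=True),
    Entry("deny", "0.0.0.0 0.255.255.255", "any", log=True),
    Entry("deny", "224.0.0.0 15.255.255.255", "any", log=True),
    Entry("deny", "host 255.255.255.255", "any", log=True),
    Entry("permit", "any", "192.168.1.0 0.0.0.255"),
]

# ACL 105 from the post: inbound on the inside interface (fa0/1).
ACL_105 = [
    Entry("permit", "192.168.1.0 0.0.0.255", "any"),
    Entry("deny", "any", "any", log=True),
]

# Constructed sample packets: (list name, source, destination).
SAMPLES = [
    ("100", "10.1.2.3", "192.168.1.10"),         # RFC 1918 source from outside
    ("100", "239.1.1.1", "192.168.1.10"),        # multicast source, inside 224/4
    ("100", "255.255.255.255", "192.168.1.10"),  # broadcast source
    ("100", "203.0.113.5", "192.168.1.10"),      # ordinary public source, allowed
    ("100", "203.0.113.5", "192.168.2.10"),      # not our subnet: implicit deny
    ("105", "192.168.1.50", "198.51.100.1"),     # legitimate inside host
    ("105", "10.9.9.9", "198.51.100.1"),         # inside host spoofing a source
]


def trace_samples() -> List[Tuple[str, str, str, str, bool]]:
    """Run every sample through its list; returns (list, src, dst, action, logged)."""
    lists = {"100": ACL_100, "105": ACL_105}
    return [(name, s, d, *evaluate(lists[name], s, d)) for name, s, d in SAMPLES]


if __name__ == "__main__":
    print("wildcard 0.15.255.255 on 172.16.0.0 is", wildcard_to_cidr("172.16.0.0", "0.15.255.255"))
    for name, s, d, action, logged in trace_samples():
        print(f"ACL {name}: {s:>16} -> {d:<14} {action:6} {'(logged)' if logged else ''}")
```

Note that the deny entries are logged while the implicit deny is not, which is exactly why the post adds an explicit "deny ip any any log" at the end of ACL 105: the fifth sample (a public source aimed at a subnet the router does not serve) is dropped silently by ACL 100, whereas the spoofing attempt in the last sample shows up in the log.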
6 thoughts on “IP Address Spoofing Mitigation with Access Control Lists (ACL)”
Hello from Russia!
Can I quote a post in your blog with the link to you?
I bookmarked this link. Thank you for good job!
I understand the need to create IP Spoofing, I do have one issue come up.
I have a webserver on my local LAN.
Webserver is setup in public DNS realm.
I recently replaced the Linksys with a Cisco 1811 router.
I have added all needed ACL and NAT rules for website access and externally it works great.
Since I added the 1811 router my LAN users are unable to access the site by name.
So I assume Cisco sees the LAN source as 192.168.x.x and the Cisco thinks it's a spoofed address and drops the traffic.
What rules can I add to allow my LAN users access to the webserver with its DNS name?
Hi Rob,
If your users can still access the server by IP address then spoofing is not the problem but rather a DNS problem. Your router doesn't care if you access with DNS; it only knows about IP addresses and only cares about what source IP / destination IP / protocol and port are required for the connection. If your DNS is resolving to the wrong IP address, this could be the problem, but it all depends on whether you can still access it via its IP address directly.
Hope this helps,
Jay
P.S. Sorry for the delay, I fell off the planet for a while, but I'm back now 🙂
Thanks for the clarification, this is perfect