IP Address Spoofing Attack

Spoofing is a means of hiding one's true identity on the network. An attacker spoofs by sending packets whose source address is not the address they were actually sent from. Spoofing may be used to hide the original source of an attack or to work around network access control lists (ACLs) that limit host access based on source address rules.

Many attacks utilize source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback. Cisco IOS software provides Unicast RPF and IP Source Guard (IPSG) to deter attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means of spoofing prevention.

IP Source Guard is effective at minimizing spoofing for networks that are under direct administrative control by performing switch port, MAC address, and source address verification. Unicast RPF provides source network verification and can reduce spoofed attacks from networks that are not under direct administrative control. Port Security can be used in order to validate MAC addresses at the access layer. Dynamic Address Resolution Protocol (ARP) Inspection (DAI) mitigates attack vectors that utilize ARP poisoning on local segments.

IP spoofing is most frequently used in denial-of-service attacks. In such attacks the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets, so spoofed packets are well suited to the purpose. They have two further advantages: they are harder to filter, since each packet can appear to come from a different address, and they hide the true source of the attack. Denial-of-service attacks that use spoofing typically choose source addresses at random from the entire IP address space, though more sophisticated tools avoid unroutable addresses and unallocated portions of the address space, precisely because those are the ranges a static anti-spoofing filter catches.

Mitigation

Anti-Spoofing ACLs, uRPF, Firewall Rules, Disable IP Source Routing, IP Source Guard

Anti-Spoofing ACLs

Manually configured ACLs provide static anti-spoofing protection against attacks that use address space known to be unallocated or untrusted: private, loopback, link-local and multicast ranges, unallocated "bogon" space, and your own prefixes arriving from outside. Commonly, these anti-spoofing entries are applied to ingress traffic at network boundaries as a component of a larger ACL. Because the set of unallocated address space changes as new blocks are assigned, such ACLs require regular review, or legitimate traffic from newly allocated space will be dropped. Spoofing by hosts on the local network can be minimized by applying ACLs on the inside interfaces that permit only valid local source addresses to leave the network.
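The following is an added example, not configuration from the original page, of an ingress and egress anti-spoofing ACL pair on a Cisco IOS border router. The interface names and the organization's own prefix (203.0.113.0/24, an RFC 5737 documentation range) are assumptions; substitute your own.

```cisco
! Ingress filter on the Internet-facing interface: drop packets whose source
! address could never legitimately arrive from the outside.
ip access-list extended ACL-ANTISPOOF-IN
 remark -- our own address space must never arrive from the Internet (assumed prefix)
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- RFC 1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark -- "this" network, loopback, link-local, multicast and class E as source
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark -- everything else falls through to the rest of the policy
 permit ip any any
!
! Egress filter: only our own prefix may leave the network (BCP 38 style).
! Applied inbound on the inside interface so the check happens before forwarding.
ip access-list extended ACL-ANTISPOOF-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Upstream ISP (assumed)
 ip access-group ACL-ANTISPOOF-IN in
!
interface GigabitEthernet0/1
 description Inside LAN (assumed)
 ip access-group ACL-ANTISPOOF-OUT in
!
! Verification: per-entry hit counters show which denies are actually matching.
! show ip access-lists ACL-ANTISPOOF-IN
! show ip access-lists ACL-ANTISPOOF-OUT
```

The `log` keyword is placed only on the entries that indicate something is genuinely wrong (our own prefix arriving from outside, or a non-local source trying to leave). Logging is process-switched on most platforms, so do not add it to every deny, and rate-limit it if the interface is under attack. The unallocated ("bogon") ranges are not listed because they change over time; if you add them, review the list on a schedule.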

Unicast RPF

Unicast RPF enables a device to verify that the source address of a forwarded packet is reachable through the interface that received the packet (strict mode) or through any interface (loose mode), and to drop the packet otherwise. Do not rely on Unicast RPF as the only protection against spoofing: strict mode cannot be used where routing is asymmetric, loose mode only catches sources that are absent from the routing table altogether, and neither mode detects a spoofed address that falls within a prefix legitimately reachable through the receiving interface.
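As an added example (not from the original page), the configuration below applies strict-mode Unicast RPF where routing is symmetric and loose mode on a multihomed upstream link, which is the usual way to avoid the asymmetric-routing false positives. Interface roles are assumptions.

```cisco
! Unicast RPF is performed by CEF, so CEF must be enabled.
ip cef
!
! Strict mode behind a single-homed LAN: the packet is accepted only if the
! best return path to its source address is this same interface.
interface GigabitEthernet0/1
 description Inside LAN, single-homed (assumed)
 ip verify unicast source reachable-via rx
!
! Loose mode on a multihomed upstream link: the source only has to exist in
! the FIB on some interface. This still drops martian and unallocated sources
! but cannot catch a spoofed address that is routable; strict mode here would
! drop legitimate traffic whose return path uses the other upstream.
interface GigabitEthernet0/0
 description Upstream ISP A (assumed)
 ip verify unicast source reachable-via any
!
! If the device only has a default route toward an interface, strict mode
! would drop everything not covered by a specific route; allow-default lets
! the default route satisfy the check (weaker, but sometimes unavoidable).
! ip verify unicast source reachable-via rx allow-default
!
! Verification
! show cef interface GigabitEthernet0/1 | include RPF
! show ip interface GigabitEthernet0/1 | include verify
! show ip traffic | include RPF        <- cumulative uRPF drop counter
```

Before enabling strict mode on an interface, confirm with the routing table that traffic from every prefix behind it really does return through it; a single asymmetric prefix means legitimate packets are silently dropped. Watch the drop counter after enabling and investigate any steady increase that does not correspond to known attack traffic.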

Firewall Rules

Firewalls control access to your organization's network assets and are positioned at the entry points into the network. If the network has multiple entry points, a firewall must be placed at each one for network access control to be effective. Against spoofing, a stateful firewall helps because it admits inbound packets only when they belong to a connection it has already seen initiated from the inside; a spoofed packet that matches no tracked session is dropped regardless of how plausible its source address looks. Stateful Packet Inspection (SPI) is at the heart of Cisco IOS Firewall, providing per-application control across network perimeters and, through the Transparent Firewall capability, within networks. Stateful Packet Inspection was known as Context-Based Access Control (CBAC) in early versions of Cisco IOS Firewall; the name changed as the feature set grew well beyond the original CBAC capability. The inspection engine tracks the state and context of network connections to secure the traffic flow.

CBAC examines network-layer and transport-layer information and also application-layer protocol information (for example, FTP control-channel commands) to learn the state of TCP and UDP connections. It maintains state for each individual connection and uses that state to decide whether packets should be permitted or denied, dynamically creating and deleting temporary openings in the firewall ACL for the return traffic of sessions it has seen leave.
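The following is an added example, not from the original page, of a minimal CBAC configuration: a deny-everything ACL on the outside interface, with an inspection rule that opens temporary return-path holes for sessions initiated from inside. The interface name is an assumption.

```cisco
! Inbound ACL on the outside interface: nothing unsolicited gets in. CBAC
! inserts temporary permit entries ahead of this ACL for return traffic of
! sessions it has tracked leaving the network.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Inspection rule: generic TCP and UDP state tracking, plus FTP at the
! application layer so the dynamically negotiated data connection is opened.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT ftp
ip inspect tcp idle-time 1800
!
interface GigabitEthernet0/0
 description Upstream ISP (assumed)
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! Verification
! show ip inspect config
! show ip inspect sessions
```

Inspection is applied in the outbound direction on the outside interface, so only traffic that actually left through that interface creates state. This does not replace the static anti-spoofing denies described earlier: a stateful firewall still accepts an inbound packet whose spoofed source and ports happen to match an open session, so the anti-spoofing entries should sit at the top of the same inbound ACL.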

Disable IP Source Routing

IP source routing uses the Loose Source Route or Strict Source Route IP option, together with the Record Route option, to let the sender of a datagram dictate the network path the packet takes. An attacker can use this to route traffic around security controls in the network and, because replies to a source-routed packet follow the reverse of the recorded route, to receive the responses to packets sent with a spoofed source address.

Unless all IP options are already being dropped by the IP Options Selective Drop feature, IP source routing must be disabled explicitly; it is enabled by default in Cisco IOS.
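As an added example (not from the original page), the global commands below show the default, weak state beside the hardened one, and how to confirm the change from the running configuration.

```cisco
! Default (not displayed in running-config): source-routed datagrams are honored.
!   ip source-route
! Hardened: refuse to forward datagrams that carry a source-route option.
no ip source-route
!
! Stronger, and covers source routing as a side effect: drop every datagram
! that carries any IP option (IP Options Selective Drop). This also drops
! legitimate options such as Router Alert, so it can break RSVP and IGMP on
! the device; use "ip options ignore" to forward such packets without
! processing the options if those features are needed.
ip options drop
!
! Verification: an explicit "no ip source-route" line confirms the setting;
! an absent line means the default (enabled) is still in effect.
! show running-config | include source-route
! show running-config | include ip options
```

Apply `no ip source-route` on every router regardless of whether `ip options drop` is in place, since the former has no side effects on legitimate traffic and continues to protect the device if the options policy is later relaxed.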

IP Source Guard (IPSG)

IP Source Guard is an effective means of spoofing prevention when you control the Layer 2 interfaces that hosts connect to. It uses the bindings learned by DHCP snooping to dynamically install a port access control list (PACL) on the Layer 2 interface that denies traffic from any source IP address not present in the IP source binding table for that port. Hosts that do not obtain their address from DHCP need a static entry in the binding table, or IP Source Guard drops all of their traffic.
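The following is an added example, not from the original page, of an access-switch configuration that ties together DHCP snooping, IP Source Guard, Port Security and Dynamic ARP Inspection on one access VLAN, as described in the overview above. VLAN number, port roles, and the static-binding values are assumptions.

```cisco
! DHCP snooping builds the binding table (MAC, IP, VLAN, port) that IP Source
! Guard and DAI consult. Enable it globally and on each access VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the DHCP server is configured to accept it.
no ip dhcp snooping information option
!
! Uplink toward the DHCP server: trusted, so server replies and ARP from the
! rest of the network are not dropped.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted. IPSG installs a per-port ACL permitting only the
! source IP bound to this port. Port Security caps the MAC addresses per port;
! the keyword that makes IPSG also filter on MAC is platform dependent, so it
! is left out here.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
 ip verify source
!
! Dynamic ARP Inspection validates ARP on the VLAN against the same binding
! table, closing the ARP-poisoning vector on the local segment.
ip arp inspection vlan 10
!
! A host with a static address has no DHCP lease, so give it an explicit
! binding or IPSG will drop all of its traffic (values assumed).
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/5
!
! Verification
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection statistics vlan 10
```

Enable DHCP snooping and let the binding table populate before turning on `ip verify source`; hosts whose leases were granted before snooping was active have no binding and are cut off until they renew. The rate limit on access ports guards the snooping process itself against a flood of DHCP packets, which would otherwise be an easy way to disrupt the table that everything else depends on.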