Packet Spoofing

Packets sent using the IP protocol include the IP address of the sender, and the recipient directs replies to that source address. However, the protocol does not verify the correctness of this address: IP specifies no method for validating the authenticity of a packet's source. This means an attacker can forge the source address to be any address they desire. Sending IP packets with forged source addresses is known as packet spoofing, and attackers use it for several purposes, for example obscuring the true source of an attack, implicating another site as the attack origin, pretending to be a trusted host, hijacking or intercepting network traffic, or causing replies to target another system.

Attack Vectors

Spoofing of network traffic can occur at different layers:

  • At the data link layer (MAC spoofing)
  • At the network layer (IP spoofing)
  • At the application layer (DNS spoofing)

Related issues are attacks that cause packets to be routed to a different host than the sender intends; these are attacks on routing and on the DNS system. Packet spoofing is restricted to a false source address in the IP packet header. Because packet spoofing can be part of many different types of attack, it is important to understand how spoofed packets are used. A key factor in all packet-spoofing attacks is that it is not necessary for the attacker to directly receive replies from the target: the replies are either unimportant, their contents can be inferred, or the packets can be observed in transit. The figure below shows how this happens:

[Figure: attacks that use packet spoofing]

  • SYN flood
  • UDP flood
  • Smurf flood
  • TCP connection spoofing
  • Bounce scan
  • Zombie control


Because routers (or Layer 3 switches) know which IP addresses originate behind which network interface, they can identify packets that should not have been received on a particular interface. For example, a border router or gateway knows whether addresses are internal or external to the network, so packet filters can be used to allow only sources that belong to the internal address space to arrive on internal interfaces. Such filters are hard to administer and keep up to date, however. The better method is to enable Unicast Reverse Path Forwarding (uRPF) checks: the router looks up the packet's source IP address in its routing table and, if the route back to that prefix does not point out the interface the packet arrived on, drops the packet. This method should only be used on routers where asymmetric routing is not possible.

Mitigations

1. Anti-spoofing with Access Lists
As networks vary and configuration depends on the network boundaries and address space allocations, there is no template or straightforward sample configuration that can provide a list of commands to configure anti-spoofing access lists. However, the basic objective is to drop packets that arrive on interfaces that are not viable paths from the supposed source addresses of those packets. In summary, configure the ACL to:
• Deny incoming packets whose source address is allocated to your network
• Deny outbound packets whose source address is not allocated to your network
In general, anti-spoofing ACLs are best deployed as input access lists; that is, packets must be filtered at the ingress interfaces, not at the interfaces through which they exit the router. An input access list also protects the router itself from spoofing attacks, whereas an output list protects only devices behind the router.


2. Anti-spoofing with uRPF

The uRPF feature is a security tool that helps mitigate source IP address spoofing by discarding IP packets whose source address cannot be verified against the IP routing table.
Unicast Reverse Path Forwarding (uRPF) is a common technique for mitigating source address spoofing. When uRPF is used, the source address of each IP packet is checked to ensure that the route back to the source uses the same interface the packet arrived on. If the input interface is not a feasible path to the source network, the packet is dropped.
There are two types of uRPF implementation:
• Strict mode, for ingress filtering at the network edge as described in RFC 2827 / Best Current Practice 38 (BCP 38)
• Loose mode, for the ISP-to-ISP edge and for Remotely Triggered Black Hole (RTBH) filtering
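To make the strict/loose distinction concrete, here is an added Python model of the reverse-path check described in this section and in the router discussion above; it is not from the page, and the routing table, interface names and sample packets are constructed for illustration. Treating a default route as non-verifiable unless explicitly allowed is an assumption about typical router behaviour, not something the page states.

```python
import ipaddress

# Constructed routing table for a border router (assumption, not from the page).
# Each entry: (prefix, interface the router would use to reach that prefix).
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # default route, ISP uplink
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),     # internal LAN
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # internal DMZ
    (ipaddress.ip_network("203.0.113.0/24"), "Null0"),   # RTBH blackhole route
]


def lookup(src_ip):
    """Longest-prefix match for src_ip; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in ROUTING_TABLE:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src_ip, ingress_iface, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check, False if it is dropped.

    strict: the route back to the source must leave via the arrival interface.
    loose:  any route back to the source is enough (for asymmetric routing at
            ISP-to-ISP edges, and to honour RTBH blackhole routes).
    allow_default: whether a default route counts as a verifiable path
            (assumed platform behaviour: off unless explicitly enabled).
    """
    route = lookup(src_ip)
    if route is None or route[1] == "Null0":
        return False  # no return path, or blackholed source: drop in both modes
    if route[0].prefixlen == 0 and not allow_default:
        return False  # only the default route matches: source not verifiable
    if mode == "loose":
        return True
    return route[1] == ingress_iface


# Constructed sample packets: (source address, arrival interface, uRPF mode).
SAMPLES = [
    ("192.0.2.10", "Gi0/1", "strict"),  # internal host on the LAN port: pass
    ("192.0.2.10", "Gi0/0", "strict"),  # internal address from the uplink: drop
    ("192.0.2.10", "Gi0/0", "loose"),   # loose mode accepts it: some route exists
    ("203.0.113.5", "Gi0/0", "loose"),  # blackholed prefix: drop even in loose mode
]

if __name__ == "__main__":
    for src, iface, mode in SAMPLES:
        verdict = "pass" if urpf_check(src, iface, mode) else "drop"
        print(f"{src:>12} via {iface} [{mode}] -> {verdict}")
```

The second and third samples show why the page reserves loose mode for ISP edges: a spoofed internal address arriving on the uplink is caught only by strict mode.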


3. Anti-spoofing with IP Source Guard

IP Source Guard is a Layer 2 security feature that prevents IP spoofing attacks by restricting IP traffic on untrusted Layer 2 ports to clients with an assigned IP address.
The feature works by filtering, on those untrusted ports, any IP traffic whose source IP address differs from the address assigned via Dynamic Host Configuration Protocol (DHCP) or static configuration.
IP Source Guard works in combination with the DHCP snooping feature available on Catalyst switches and is enabled on untrusted Layer 2 ports.