Tuesday, October 25

Stopping IP Address Spoofing Attack

For an introduction to IP spoofing, visit here.
Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is to inspect packets as they leave and enter a network, looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.


Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary.
Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network. At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network.
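In Linux, reverse-path packet filtering (rp_filter) can be enabled on every interface using the following (the value 1 selects strict mode, 2 selects loose mode):
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done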


Limits of packet filtering

Packet filtering may not prevent a system from participating in an attack if the spoofed IP address falls within the valid internal address range. However, it simplifies the process of tracing the packets, since the systems have to use a source IP address within the valid IP range of the network.

Take a campus network as an example:

The network number is 132.230.0.0/16. Packet filtering is enabled on the router.
For IP packet 1, host 132.230.4.1 forges a packet from 132.230.4.4. The source IP address is in the valid IP range, so the router treats it as a valid packet and sends it out to the Internet.
For IP packet 2, host 132.230.4.4 forges a packet from 191.224.4.25. The source IP address is not in the valid IP range, so the router treats it as invalid and discards it.
Packet filtering can pose problems if you use split routing (packets from you to a host take a different path than packets from that host to you). If split routing is in use, a strict reverse-path check treats packets that arrive on an interface other than the one used to reach their source as spoofed, so enabling the packet filtering facility blocks them even when they are legitimate.
To turn rp_filter off, use:
echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
or
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Instances where you might need to disable packet filtering include:
• If you want to do asymmetric routing (accepting returning packets inbound on an interface other than the outbound interface).
• If the box has multiple interfaces up on the same network.
• If you are using special VPN interfaces to tunnel traffic (e.g. FreeS/WAN).
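
As an added example (not part of the original post), the shell functions below report the effective rp_filter mode for each interface. They rely on the documented kernel behaviour that the larger of conf/all and conf/<device> is the value applied, so writing 0 to conf/all alone leaves filtering on for any interface whose own value is non-zero. CONF_DIR and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter mode per interface.
# CONF_DIR is a name chosen for this example; override it to point at a
# constructed directory tree when testing away from a live system.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Map the numeric sysctl value to its meaning.
mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter IFACE
# Prints the value the kernel applies: max(conf/all, conf/IFACE).
# Returns 1 if either file cannot be read.
effective_rp_filter() {
    all=$(cat "$CONF_DIR/all/rp_filter" 2>/dev/null) || return 1
    dev=$(cat "$CONF_DIR/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Print "<interface> <effective value> <mode>" for every real interface.
audit_rp_filter() {
    for path in "$CONF_DIR"/*/rp_filter; do
        [ -r "$path" ] || continue
        iface=${path%/rp_filter}
        iface=${iface##*/}
        # "all" and "default" are templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface") || continue
        echo "$iface $eff $(mode_name "$eff")"
    done
}

audit_rp_filter
```

An interface reported as "off" here accepts packets without any source validation, which is the state to look for after one of the exceptions above has been applied.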

Another problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, packet filtering reduces equipment performance.

So, the thread on stopping IP spoofing attacks ends here. I guess you all understand the threads I post on this site; if you have any suggestion or any problem related to any thread, please share it with me in the comments.

Thanks
