Vulnerability Development mailing list archives

Re: Automatic antispoofing rules on access servers.


From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Tue, 19 Sep 2000 20:46:41 -0700

LOS Ralph wrote:

> We are using a SonicWall for security on some branch offices.  I've
> had very good success with this product in blocking spoofed IP
> traffic.  All the firewall will do is log the traffic, yell at the
> admin receiving alerts, and drop the spoofed traffic before it passes
> the firewall - or so I'm told.  I've not had time to research this
> more thoroughly as I'm not well-versed in spoofing IPs (yet).
>
> ....and that's my $0.02

The typical prepackaged firewall configuration will only block things so
badly spoofed that there is no way that the return address could be
real.  E.g. a packet with an address from the 10.0.0.0/8 subnet should
never be seen outside of a private network.  So if such comes in from
your DSL provider, it is a no-brainer to drop it on the floor. I think
that most consumer grade firewalls mean this when they advertise
spoofing protection.

If you are only managing a single subnet, this is about as much
protection as you would get from the Cisco RPF stuff.  There is only one
route, and if something comes in from the outside with a real IP that
you don't own, you can't tell if it was spoofed.

Once you have multiple subnets with static routes between them, you can
hand write packet filter rules to protect you from internal spoofing.
Packets from this subnet should not be heading out of that subnet, etc.
Once you have dynamic routes, the Cisco RPF stuff starts to look real
exciting.  External spoofing protection is still little better than the
above-mentioned 'drop those from private nets' because there isn't
much better.

When your topology is simple in the sense that you have all untrusted
clients within subnets, each subnet having one router connecting to a
backbone, then there is a simpler (and cheaper) approach which
accomplishes the same thing.  Add a rule to each router which only lets
out packets whose return address is in the subnet.  While you'll never
know for certain which machine a packet came from, you'll at least know
that your resident script kiddies are more limited in who they can
pretend to be.
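The three filters discussed in this message (drop private-space sources arriving from the upstream link, strict reverse-path checking against the routing table, and the per-subnet "only let out your own addresses" rule that strict RPF reduces to on a stub router), as an added simulation that is not part of the original thread. The routing table, interface names and packets are constructed for illustration; real uRPF is a router feature, not this script.

```python
"""Simulate strict unicast RPF and a 'drop private sources' rule on one router."""
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> outgoing interface (hypothetical names).
# Addresses come from the RFC 5737 documentation ranges.
ROUTES = {
    "0.0.0.0/0":       "dsl0",   # default route to the upstream provider
    "192.0.2.0/24":    "eth1",   # branch subnet A
    "198.51.100.0/24": "eth2",   # branch subnet B
    "198.51.100.0/25": "eth3",   # more-specific route out a different interface
}

# RFC 1918 space should never arrive from the upstream interface.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def best_route(table, src):
    """Longest-prefix match: which interface the router would use to reach src."""
    addr = ip_address(src)
    best = None
    for prefix, iface in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_accepts(table, src, in_iface):
    """Strict uRPF: accept only if the return path to src leaves via the arrival interface.
    On a stub router with one subnet per interface this is exactly the
    'only let out packets whose source is in the subnet' rule."""
    return best_route(table, src) == in_iface


def upstream_accepts(src):
    """The 'no-brainer' rule: private-space sources cannot be real on the external link."""
    return not any(ip_address(src) in net for net in PRIVATE_NETS)


def filter_packet(table, src, in_iface, upstream_iface="dsl0"):
    """Return 'accept' or a drop reason for one packet arriving on in_iface."""
    if in_iface == upstream_iface and not upstream_accepts(src):
        return "drop: private source from upstream"
    if not strict_urpf_accepts(table, src, in_iface):
        return "drop: rpf failure"
    return "accept"
```

Note that a packet from the upstream link with any routable, non-internal source is accepted, which is the "you can't tell if it was spoofed" case from the message; the check only catches sources the router knows live elsewhere.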
