This seems a common auditor question?

Unanswered Question
May 25th, 2007

Are Egress and Ingress Filters installed on all border routers to prevent impersonation with spoofed IP addresses?

I can't seem to get my head around the logic unless I start to specify criteria such as it must be that the spoofed addresses are RFC1918 compliant. My current view on this is it's a half question that can't be fully answered.

Any views on this?

Richard Burts Fri, 05/25/2007 - 13:01

Julian,

Determining with certainty whether an address is spoofed or not is very difficult. But some spoofing is very easy to detect (and you should be looking for these at your border routers):

- on incoming traffic, is the source address an address from your internal network? If so, it must be spoofed.

- on outgoing traffic, is the source address an address that is not in your internal network? If so, it must be spoofed.

These spoofing checks are easy and should be done.

HTH

Rick

ju_mobile Fri, 06/01/2007 - 00:45

Hi Rick,

Thanks for your comments. However, if you read my question:

"unless I start to specify criteria such as it must be that the spoofed addresses are RFC1918 compliant"

Which is the private address space. But the common question does not detail specific criteria, and this is what I was trying to identify. Without specifying criteria of RFC1918 address spaces or the address as being equal to that of your internal network, how can you then monitor for spoofed addresses... perhaps a question that all of those non-technical auditors out there need to rewrite.

mhellman Fri, 06/01/2007 - 05:46

http://www.faqs.org/rfcs/rfc2827.html

Try a Google search on "detecting spoofed TCP packets". There are some more "general" approaches to detecting spoofed packets.

This doc explains a few: http://seclab.cs.ucdavis.edu/papers/DetectingSpoofed-DISCEX.pdf

FWIW, packets sourced with RFC1918 addresses at your gateway aren't necessarily spoofed. It could just be a case where someone's NAT is all horked up. You should still filter them of course.
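The two border checks Rick describes (RFC 2827 style ingress/egress filtering), together with mhellman's point that RFC1918 sources are dropped but not proven spoofed, as an added worked example that is not part of this thread. It assumes a constructed internal public prefix of 203.0.113.0/24 and constructed sample traffic; on a real router the same policy would be an inbound and an outbound ACL on the border interface.

```python
from ipaddress import ip_address, ip_network

# Assumed for this example: the organisation's own public prefix (not from the thread)
INTERNAL = [ip_network("203.0.113.0/24")]
# RFC 1918 private space, which has no business as a source on the Internet side
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def check_packet(direction, src):
    """Return (action, reason) for a packet seen at the border.

    direction: "in" for Internet -> us, "out" for us -> Internet.
    Inbound packets must not claim an internal source; outbound packets
    must carry an internal source. RFC 1918 sources arriving from outside
    are dropped too, but labelled 'bogon' rather than 'spoofed', since a
    misconfigured NAT upstream can leak them without any impersonation.
    """
    a = ip_address(src)
    if direction == "in":
        if _in(a, INTERNAL):
            return ("drop", "spoofed: internal source arriving from outside")
        if _in(a, RFC1918):
            return ("drop", "bogon: RFC1918 source (broken NAT or spoof)")
        return ("permit", "ok")
    if direction == "out":
        if not _in(a, INTERNAL):
            return ("drop", "spoofed: non-internal source leaving the network")
        return ("permit", "ok")
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """Apply check_packet to (direction, src) pairs; return one result row each."""
    return [(d, s) + check_packet(d, s) for d, s in packets]


SAMPLE = [  # constructed sample traffic, not captured data
    ("in", "198.51.100.7"),    # ordinary Internet source: permit
    ("in", "203.0.113.9"),     # our own prefix coming in: spoofed
    ("in", "192.168.1.5"),     # private source from outside: bogon
    ("out", "203.0.113.20"),   # our prefix going out: permit
    ("out", "10.1.2.3"),       # private source leaving: spoofed/leaked
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```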
