06-24-2002 07:08 PM - edited 02-20-2020 09:17 PM
Internet routers access list
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log
access-list 100 deny ip any any log
With the above access list, which is built to allow HTTP services into the web server and has a last statement that denies any other traffic coming into my web server, do I still need to build the access list that denies the following IP address ranges for anti-spoofing?
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
224.0.0.0/4
240.0.0.0/5
0.0.0.0
255.255.255.255
All Internal network addresses.
If the answer is yes, then why is it so?
Your advice, please.
06-24-2002 10:36 PM
The line you have in your ACL will still allow traffic with any source address through, even invalid ones or ones that are actually on your internal network (spoofed packets). For example, I could create an HTTP packet sourced from one of your internal servers and destined to your internal WWW server, and it will get through your access list. To be honest, though, it doesn't really matter, since the internal server that I spoof will simply drop the response packet from your HTTP server because it didn't send out the original.
I guess it depends on how secure you want to be. It certainly wouldn't hurt to add stuff like:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
.......
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www
access-list 100 deny ip any any log
so that the spoofed packets are dropped straight away.
Also, I would be very careful with adding the "log" keyword to your ACL lines; if you get a lot of traffic, you can put a lot of load on the router.
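To make the point in the reply above concrete, here is an added example (not from the original thread or from Cisco) that parses the thread's ACL lines with a small evaluator implementing Cisco wildcard masks and first-match semantics, then runs a spoofed and a legitimate packet through both lists. The elided "......." in the reply is expanded with the remaining ranges listed in the question, and the packet addresses are constructed for illustration.

```python
"""Toy Cisco-style extended ACL evaluator (first match wins, implicit deny at
the end).  Added example, not part of the original thread.  Supports only the
syntax the thread uses: protocol ip/tcp, 'any' / 'host A.B.C.D' /
'A.B.C.D WILDCARD' addresses, optional 'eq|gt|lt PORT', trailing 'log'."""
import ipaddress

# ACL exactly as posted in the question.
ORIGINAL_ACL = """
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log
access-list 100 deny ip any any log
"""

# Reply's ACL with the "......." filled in from the ranges the question lists
# (constructed here; wildcard = inverse of the netmask, e.g. /12 -> 0.15.255.255).
ANTI_SPOOF_ACL = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 7.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www
access-list 100 deny ip any any log
"""

NAMED_PORTS = {"www": 80}


def _parse_addr(tok, i):
    """Consume a source/destination spec at tok[i]; return (IPv4Network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)   # invert the wildcard
    return ipaddress.IPv4Network((tok[i], str(netmask)), strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq|gt|lt PORT' operator; return (predicate, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, val = tok[i], tok[i + 1]
        n = NAMED_PORTS.get(val) or int(val)
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return pred, i + 2
    return (lambda p: True), i


def parse_acl(text):
    """Turn 'access-list N action proto src [op port] dst [op port] [log]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
                      "dst": dst, "dport": dport,
                      "log": i < len(tok) and tok[i] == "log", "text": line})
    return rules


def evaluate(rules, pkt):
    """Return (action, matching rule index); (deny, None) means the implicit deny hit."""
    for idx, r in enumerate(rules):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if ipaddress.IPv4Address(pkt["src"]) not in r["src"]:
            continue
        if ipaddress.IPv4Address(pkt["dst"]) not in r["dst"]:
            continue
        if pkt["proto"] in ("tcp", "udp") and not (r["sport"](pkt["sport"])
                                                   and r["dport"](pkt["dport"])):
            continue
        return r["action"], idx
    return "deny", None


def misordered(acl_text):
    """Same entries, but the permit moved to the top: shows that order matters."""
    lines = acl_text.strip().splitlines()
    return "\n".join([l for l in lines if " permit " in l] + [l for l in lines if " permit " not in l])


# Constructed packets: one claiming an RFC 1918 source, one from a routable address.
SPOOFED = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "123.123.123.1", "dport": 80}
LEGIT = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "123.123.123.1", "dport": 80}


def report():
    """Evaluate both packets against the original, anti-spoof and misordered lists."""
    acls = {"original": ORIGINAL_ACL, "anti-spoof": ANTI_SPOOF_ACL,
            "misordered": misordered(ANTI_SPOOF_ACL)}
    return {name: {"spoofed": evaluate(parse_acl(t), SPOOFED)[0],
                   "legit": evaluate(parse_acl(t), LEGIT)[0]} for name, t in acls.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:>11}: spoofed={result['spoofed']:<6} legit={result['legit']}")
```

Running it shows the original list permitting the 10.1.1.5 packet, the anti-spoof list denying it on its first entry while still permitting the legitimate request, and the misordered list (permit first) letting the spoofed packet through again, which is why the deny entries must sit above the permit.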
06-24-2002 10:59 PM
That is great info. Could you let me know a URL that I can visit to find out more detail about using ACLs to block spoofing attacks? I need to know in more detail exactly how to build an ACL to block them.
06-24-2002 11:14 PM
You could try:
06-25-2002 06:03 PM
I think it can also be concluded that the ACL "deny ip any any" does not automatically secure your network by default. It very much depends on how your network is being attacked. Network spoofing is one typical example.
Is there anywhere I can refer to regarding what "deny any any" cannot help to secure in the network? I mean a more detailed understanding.