Cisco Support Community
New Member

Anti-spoofing for the router with ACL

Internet router’s access list

access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log

access-list 100 deny ip any any log

With the above access list, built to allow HTTP into the web server and ending with a statement that denies any other traffic coming into my web server, do I still need to build an access list that denies the following IP address ranges for anti-spoofing?

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

127.0.0.0/8

224.0.0.0/4

240.0.0.0/5

0.0.0.0

255.255.255.255

All Internal network addresses.

If the answer is yes, then why is it so?

Your advice please.

4 REPLIES
Cisco Employee

Re: Anti-spoofing for the router with ACL

The line you have in your ACL will still allow traffic with any source address through, even invalid ones or ones that are actually on your internal network (spoofed packets). For example, I could create an HTTP packet sourced from one of your internal servers and destined to your internal WWW server, and it will get through your access list. To be honest though, it doesn't really matter, since the internal server that I spoof will simply drop the response packet from your HTTP server because it didn't send out the original.

I guess it depends on how secure you want to be. It certainly wouldn't hurt to add stuff like:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 172.16.0.0 0.15.255.255 any

.......

access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www

access-list 100 deny ip any any log

so that the spoofed packets are dropped straight away.

Also, I would be very careful with adding the "log" keyword to your ACL lines; if you get a lot of traffic you can put a lot of load on the router.
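A small ACL evaluator, added here as an illustration (it is not Cisco code and was not posted in this thread): it parses the extended-ACL syntax used above and runs a few constructed packets through the original two-line ACL and an anti-spoofing version in which the private and bogon ranges listed in the question are denied in front of the permit. The 123.123.123.0/24 prefix standing in for "all internal network addresses" is an assumption, as are the sample packets; the point it makes visible is that the original ACL permits a packet whose source is 10.1.1.1, while the anti-spoofing ACL drops it on the first line.

```python
"""Tiny evaluator for the Cisco extended-ACL syntax used in this thread.

Added illustration, not IOS code. It understands
  access-list <n> permit|deny <ip|tcp|udp> SRC [eq|gt|lt PORT] DST [eq|gt|lt PORT] [log]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

NAMED_PORTS = {"www": 80}           # the only port name the thread uses
ANY = (0, 0xFFFFFFFF)               # address 0 with an all-ones wildcard
PortOp = Optional[Tuple[str, int]]  # e.g. ("gt", 1023)


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: Tuple[int, int]      # (address, wildcard) as integers
    src_port: PortOp
    dst: Tuple[int, int]
    dst_port: PortOp
    log: bool
    text: str                 # original line, kept for reporting


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _parse_addr(tok, i):
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        value = tok[i + 1]
        return (tok[i], NAMED_PORTS.get(value) or int(value)), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src, i = _parse_addr(tok, 4)          # tok[3] is the protocol
    src_port, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)
    log = i < len(tok) and tok[i] == "log"
    return Rule(tok[2], tok[3], src, src_port, dst, dst_port, log, line)


def _addr_match(spec, ip):
    addr, wild = spec
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits
    return (ip & ~wild) == (addr & ~wild)


def _port_match(op: PortOp, port):
    if op is None:
        return True
    kind, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[kind]


def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins; an extended ACL ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if (_addr_match(rule.src, s) and _port_match(rule.src_port, sport)
                and _addr_match(rule.dst, d) and _port_match(rule.dst_port, dport)):
            return rule.action, rule.text
    return "deny", "(implicit deny ip any any)"


ORIGINAL_ACL = [parse_rule(l) for l in [
    "access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log",
    "access-list 100 deny ip any any log",
]]

# Anti-spoofing version: the denies go in front of the permit. 123.123.123.0/24 is an
# assumed stand-in for "all internal network addresses"; the thread never gives the prefix.
ANTISPOOF_ACL = [parse_rule(l) for l in [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 100 deny ip 240.0.0.0 7.255.255.255 any",
    "access-list 100 deny ip host 0.0.0.0 any",
    "access-list 100 deny ip host 255.255.255.255 any",
    "access-list 100 deny ip 123.123.123.0 0.0.0.255 any",
    "access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www",
    "access-list 100 deny ip any any log",
]]

# Constructed sample packets: (protocol, src, sport, dst, dport)
PACKETS = {
    "legit client": ("tcp", "203.0.113.5", 40000, "123.123.123.1", 80),
    "spoofed rfc1918 source": ("tcp", "10.1.1.1", 40000, "123.123.123.1", 80),
    "spoofed own prefix": ("tcp", "123.123.123.50", 40000, "123.123.123.1", 80),
    "ssh attempt": ("tcp", "203.0.113.5", 40000, "123.123.123.1", 22),
}


def verdicts(acl):
    return {name: evaluate(acl, *pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("anti-spoof", ANTISPOOF_ACL)):
        print(label)
        for name, pkt in PACKETS.items():
            action, line = evaluate(acl, *pkt)
            print(f"  {name:24s} -> {action:6s} by {line}")
```

Running it shows the two ACLs agree on the legitimate client and the SSH attempt but differ on both spoofed packets, and the returned rule text tells you which line would have produced the log entry, which is useful when deciding where the "log" keyword is worth its cost.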

New Member

Re: Anti-spoofing for the router with ACL

That is great info. Could you let me know a URL I can visit to find out more detail about using an ACL to block spoofing attacks? I need to know more about exactly how to build an ACL to block them.

Cisco Employee

Re: Anti-spoofing for the router with ACL

New Member

Re: Anti-spoofing for the router with ACL

I think it can also be concluded that an ACL "deny ip any any" does not automatically secure your network by default. It very much depends on how your network is being attacked. Network spoofing is one typical example.

Is there anywhere I can refer to regarding what the "deny any any" cannot help to secure in the network? I mean a more detailed understanding.

612 Views, 0 Helpful, 4 Replies