Anti-spoofing for the router with ACL

wanab (Level 1)

Internet router’s access list

access-list 100 remark Allow HTTP from any source (ephemeral ports) to the web server
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log
access-list 100 remark Drop and log everything else
access-list 100 deny ip any any log

With the above access list, built to allow HTTP into the web server and with a last statement that denies any other traffic coming into my web server, do I still need to build the access list that denies the following IP address ranges for anti-spoofing?

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

127.0.0.0/8

224.0.0.0/4

240.0.0.0/5

0.0.0.0

255.255.255.255

All Internal network addresses.

If the answer is yes, then why is that so?

Your advice, please.

4 Replies

gfullage (Cisco Employee)

The line you have in your ACL will still allow traffic with any source address through, even invalid ones or ones that are actually on your internal network (spoofed packets). For example, I could create an HTTP packet sourced from one of your internal servers and destined to your internal WWW server, and it would get through your access list. To be honest, though, it doesn't really matter, since the internal server that I spoof will simply drop the response packet from your HTTP server because it didn't send out the original.

I guess it depends on how secure you want to be. It certainly wouldn't hurt to add stuff like:

access-list 100 remark Drop packets claiming a private or internal source address first
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
.......
access-list 100 remark Then allow HTTP to the web server and drop the rest
access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www
access-list 100 deny ip any any log

so that the spoofed packets are dropped straight away.

Also, I would be very careful with adding the "log" keyword to your ACL lines; if you get a lot of traffic, you can put a lot of load on the router.
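Worked example, added here and not part of the original thread or of any Cisco software: a small Python evaluator for the IOS-style ACL lines quoted in the question and in the reply above. It applies IOS first-match semantics (the first matching entry wins, and an unmatched packet hits the implicit deny) to show three things: the original two-line ACL permits an HTTP packet whose source claims to be 10.1.2.3 because nothing checks the source; the same packet is dropped once the anti-spoofing denies are placed in front of the permit; and the same denies placed after the permit never match. The client address 198.51.100.7, the spoofed addresses, and the assumption that 123.123.123.0/24 is the site's own public block are all constructed for the example.

```python
import ipaddress

# Added example (not from the thread or from Cisco): a first-match evaluator for
# the extended-ACL syntax used in the posts ("any", "host A.B.C.D",
# "A.B.C.D WILDCARD", optional eq/gt/lt port qualifiers, optional "log").

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80}


def _parse_addr(tokens, i):
    """Parse one address term and return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard: 0 bits must match, 1 bits are ignored, so inverting it
    # yields the subnet mask (this toy supports contiguous wildcards only).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional eq/gt/lt qualifier into a predicate on the port."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        n = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[tokens[i]], i + 2
    return None, i


def parse_acl(lines):
    """Turn 'access-list N action proto src [port] dst [port] [log]' into rules."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action = t[2]
        if t[3] in PROTOCOLS:
            proto, i = t[3], 4
        else:  # tolerate the reply's shorthand that omits the protocol keyword
            proto, i = "ip", 3
        src, i = _parse_addr(t, i)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append((action, proto, src, sport, dst, dport, "log" in t[i:], line))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """IOS semantics: first matching entry wins; returns (action, entry, logged)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport, log, text in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and not rsport(sport):
            continue
        if rdport is not None and not rdport(dport):
            continue
        return action, text, log
    return "deny", "<implicit deny ip any any>", False


def check(acl_lines, proto, src, sport, dst, dport):
    """Return just 'permit' or 'deny' for one packet against one ACL."""
    return evaluate(parse_acl(acl_lines), proto, src, sport, dst, dport)[0]


# The ACL exactly as posted in the question.
ORIGINAL_ACL = [
    "access-list 100 permit tcp any gt 1023 host 123.123.123.1 eq www log",
    "access-list 100 deny ip any any log",
]

# The reply's suggestion, filled out with the ranges listed in the question.
# 123.123.123.0/24 is assumed to be the site's own block: a packet claiming
# that source but arriving from the Internet side is spoofed as well.
BOGON_DENIES = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 100 deny ip 240.0.0.0 7.255.255.255 any",
    "access-list 100 deny ip host 0.0.0.0 any",
    "access-list 100 deny ip host 255.255.255.255 any",
    "access-list 100 deny ip 123.123.123.0 0.0.0.255 any",
]
ANTISPOOF_ACL = BOGON_DENIES + ORIGINAL_ACL
# Same entries with the denies after the permit: the permit always wins first.
MISORDERED_ACL = ORIGINAL_ACL[:1] + BOGON_DENIES + ORIGINAL_ACL[1:]


def demo():
    """Print which entry each constructed packet hits under each ACL."""
    packets = {
        "outside client -> www": ("tcp", "198.51.100.7", 40000, "123.123.123.1", 80),
        "spoofed 10/8 -> www": ("tcp", "10.1.2.3", 40000, "123.123.123.1", 80),
        "spoofed own block": ("tcp", "123.123.123.5", 40000, "123.123.123.1", 80),
    }
    for name, acl in (("original", ORIGINAL_ACL), ("anti-spoof", ANTISPOOF_ACL),
                      ("misordered", MISORDERED_ACL)):
        rules = parse_acl(acl)
        for label, pkt in packets.items():
            action, text, _ = evaluate(rules, *pkt)
            print(f"{name:10s} {label:22s} {action:6s} via: {text}")


if __name__ == "__main__":
    demo()
```

Running it shows the spoofed packets permitted by the original and misordered ACLs and dropped by the anti-spoofing one, while a legitimate client is still permitted in every case. The third value returned by evaluate is the entry's "log" flag; in the anti-spoofing ACL the bogon denies carry no "log", so spoofed floods are dropped without the logging load the reply warns about. The toy accepts only contiguous wildcard masks, which is all the posted entries use. Current IOS also offers unicast reverse-path forwarding ("ip verify unicast source reachable-via rx" on the interface) as a complement to a static bogon list, but the ACL ordering point above applies regardless.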

That is great info. Could you let me know a URL that I can visit to find out more detail about using ACLs to block spoofing attacks? I need to know in more detail exactly how to build an ACL to block them.

I think it can also be concluded that an ACL "deny ip any any" does not automatically secure your network by default. It very much depends on how your network is being attacked. Network spoofing is one typical example.

Is there anywhere I can refer to regarding what "deny any any" cannot help to secure in the network? I mean a more detailed understanding.
