Cisco Support Community
New Member

This seems a common auditor question?

Are Egress and Ingress Filters installed on all border routers to prevent impersonation with spoofed IP addresses?

I can't seem to get my head around the logic unless I start to specify criteria such as it must be the spoofed addresses are RFC1918 compliant. My current view on this is it's a half question that can't be fully answered.

Any views on this?

3 REPLIES
Hall of Fame Super Gold

Re: This seems a common auditor question ?

Julian,

Determining with certainty whether an address is spoofed or not is very difficult. But some spoofing is very easy to detect (and you should be looking for these at your border routers):

- On incoming traffic, is the source address an address from your internal network? If so, it must be spoofed.

- On outgoing traffic, is the source address an address that is not in your internal network? If so, it must be spoofed.

These spoofing checks are easy and should be done.

HTH

Rick

New Member

Re: This seems a common auditor question ?

Hi Rick,

Thanks for your comments. However, if you read my question:

"unless I start to specify criteria such as it must be the spoofed addresses are RFC1918 compliant"

Which is the private address space. But the common question does not detail specific criteria, and this is what I was trying to identify. Without specifying criteria of RFC1918 address spaces or the address as being equal to that of your internal network, how can you then monitor for spoofed addresses? Perhaps a question that all of those non-technical auditors out there need to rewrite.

Gold

Re: This seems a common auditor question ?

http://www.faqs.org/rfcs/rfc2827.html

Try a Google search on "detecting spoofed TCP packets". There are some more "general" approaches to detecting spoofed packets.

This doc explains a few: http://seclab.cs.ucdavis.edu/papers/DetectingSpoofed-DISCEX.pdf

FWIW, packets sourced with RFC1918 addresses at your gateway aren't necessarily spoofed. It could just be a case where someone's NAT is all horked up. You should still filter them of course.
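
The two border checks from Rick's reply and the RFC1918 case from the last reply, written out as logic over constructed packet records. This is an added example, not part of the original thread; the internal prefix 198.51.100.0/24, the sample records and the function names are assumptions.

```python
import ipaddress

# Assumed internal (public) prefix; a documentation range, constructed for this example.
INTERNAL = [ipaddress.ip_network("198.51.100.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in(addr, nets):
    return any(addr in net for net in nets)


def classify(direction, src):
    """Return (action, reason) for a packet crossing the border router."""
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if _in(addr, INTERNAL):
            return ("drop", "ingress: source claims an internal address, must be spoofed")
        if _in(addr, RFC1918):
            return ("drop", "ingress: RFC1918 source, spoofed or leaked by broken NAT")
    elif direction == "out":
        if _in(addr, RFC1918):
            return ("drop", "egress: RFC1918 source, spoofed or not translated by NAT")
        if not _in(addr, INTERNAL):
            return ("drop", "egress: source outside internal prefixes, must be spoofed")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    # An inbound packet with a forged *external* source lands here: these
    # checks cannot judge it, which is why the auditor's question needs criteria.
    return ("permit", "no anti-spoofing rule matched")


def audit(records):
    """Return the records the filters would drop, each with its reason."""
    findings = []
    for direction, src in records:
        action, reason = classify(direction, src)
        if action == "drop":
            findings.append((direction, src, reason))
    return findings


# Constructed sample records: (direction at the border, source address).
SAMPLE = [("in", "198.51.100.25"), ("in", "10.1.2.3"), ("in", "203.0.113.7"),
          ("out", "198.51.100.25"), ("out", "192.168.1.10"), ("out", "203.0.113.7")]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```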
