AntiSpoofing access-list for Router

logan-7
Level 1

I need to put an anti-spoofing access-list on my border router.

Can someone give me some examples?

Thanks

6 Replies

steve.barlow
Level 7

RFC 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" (January 1998, http://www.landfield.com/ftp/rfc/rfc2267.txt), provides general guidelines on ingress and egress filtering.

No one from the general Internet should be sending you packets with a source address from your own network. By filtering packets on the routers that connect your network to the Internet, you can permit only packets with valid source IP addresses to leave your network and get into the Internet. For example, if your internal network is 200.200.200.0/24, put an ACL on that only allows outbound packets with a source of 200.200.200.0/24 (or, if you're using NAT, only those IPs). And your inbound ACL shouldn't allow packets with a source IP of your internal network.

A simple outbound example (not including filtering by port):

! only our own prefix may leave; everything else is dropped and logged
access-list 110 permit ip 200.200.200.0 0.0.0.255 any
access-list 110 deny ip any any log
!
interface serial 0/1
 description connection to internet
 ip access-group 110 out

A sample inbound example can be seen at: http://www.rpatrick.com/tech/acl/ .

The key is to deny packets sourced from an IP in your own network and also to open only the ports that are required.

eg.

! sources that can never legitimately arrive from the Internet
access-list 180 deny ip host 0.0.0.0 any log
! 0.0.0.0/7 (note: 1.0.0.0/8 has since been allocated; check a current bogon list before using this entry)
access-list 180 deny ip 0.0.0.0 1.255.255.255 any log
! RFC 1918 private space
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
! multicast and reserved (224.0.0.0/3)
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
! your network
access-list 180 deny ip 200.200.200.0 0.0.0.255 any log
access-list 180 permit tcp .....

Hope it helps.

Steve

A Reflexive ACL can help you; it depends on your application.

I hope that helps.

mc

Hi there. I'm quite a noob at networking... should I create those rules on every router or just on the edge one? Thanks in advance.

Those suggested access lists are checking the source address of traffic and make sense when applied on public facing interfaces of your edge routers. They could be quite harmful if applied on inward facing interfaces of edge routers or on routers inside your network. It is likely that your network will be using some subnets from 10, or from 172.16, or from 192.168 and you would not want to deny their traffic. So apply the anti spoofing access lists only on the edge routers.

HTH

Rick

shannong
Level 4

I also recommend adding 127.0.0.0/0.255.255.255 to the excellent example provided by Mr. Barlow.

The point of the ACL is to deny all traffic which can never be valid to enter the Internet facing interface. This includes all traffic sourced from Private IPs, your own IPs, loopbacks, etc.

What about

ip route 10.0.0.0 255.0.0.0 Null0

ip route 127.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

I agree that "access-list" gives you the option of logging, but what do you think will be the pros and cons here?

Kind regards
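An added example, not from the thread or from Cisco documentation, that models both Steve's inbound access-list 180 and the Null0 routes proposed above so the two mechanisms can be compared on constructed packets. Assumptions: the ACL's final permit line (the thread elides it), the interface names in the routing table, the sample addresses, and that port qualifiers are not modeled.

```python
"""Simulate the two filtering mechanisms discussed in the thread.

An IOS access-list applied inbound on the Internet-facing interface is
evaluated top-down, first match wins, on the packet's SOURCE address (with
an implicit deny at the end). A static route to Null0 is consulted by the
forwarding lookup on the packet's DESTINATION address. The constructed
packets below show that null routes alone let a spoofed-source packet
through when it is addressed to a valid destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL in the style of the thread's access-list 180; 127/8 is the
# entry shannong suggested, and the final permit line is an assumption for
# this example (the thread elides it).
ACL_180 = """
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
access-list 180 deny ip 200.200.200.0 0.0.0.255 any log
access-list 180 permit ip any 200.200.200.0 0.0.0.255
"""

# Constructed routing table: the thread's Null0 routes plus an assumed
# connected LAN and default route (interface names are assumptions).
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "Null0"),
    (ipaddress.ip_network("127.0.0.0/8"), "Null0"),
    (ipaddress.ip_network("172.16.0.0/12"), "Null0"),
    (ipaddress.ip_network("192.168.0.0/16"), "Null0"),
    (ipaddress.ip_network("200.200.200.0/24"), "FastEthernet0/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/1"),
]


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' to a network; set wildcard bits mean don't care."""
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    try:
        return ipaddress.IPv4Network((addr, str(netmask)), strict=False)
    except ValueError as exc:  # IOS allows discontiguous wildcards; ipaddress cannot express them
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask") from exc


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A W' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N action proto src dst [log]' lines (port qualifiers not modeled)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        rules.append(Rule(action, proto, src, dst, "log" in tokens[i:]))
    return rules


def evaluate_acl(rules, src, dst, proto="ip") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; no match means the implicit deny (rule None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if s in rule.src and d in rule.dst:
            return rule.action, rule
    return "deny", None


def route_lookup(routes, dst) -> str:
    """Longest-prefix match on the destination only, as the forwarding lookup does."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def compare(rules, routes, packets):
    """Return (src, dst, acl_action, next_hop) for each constructed packet."""
    return [(src, dst, evaluate_acl(rules, src, dst, proto)[0], route_lookup(routes, dst))
            for src, dst, proto in packets]


# Constructed packets arriving on the Internet-facing interface.
PACKETS = [
    ("10.1.2.3", "200.200.200.10", "tcp"),       # private source spoofed from outside
    ("200.200.200.5", "200.200.200.10", "tcp"),  # own address spoofed from outside
    ("203.0.113.7", "200.200.200.10", "tcp"),    # legitimate Internet client
    ("203.0.113.7", "10.5.5.5", "udp"),          # addressed to a private destination
]

if __name__ == "__main__":
    rules = parse_acl(ACL_180)
    for src, dst, acl, hop in compare(rules, ROUTES, PACKETS):
        print(f"{src:>16} -> {dst:<16} ACL: {acl:<6} route: {hop}")
```

The first two packets are the spoofing case the thread is about: the ACL denies them (and would log them) because it inspects the source, while the routing lookup happily forwards them to the LAN because their destination is valid. The Null0 routes only catch the fourth packet, which is addressed into private space. Null routes therefore complement, but do not replace, the source-address ACL; on IOS they only filter spoofed sources when paired with a reverse-path check (`ip verify unicast source reachable-via rx`), and they give no per-entry logging.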
