05-25-2007 08:52 AM - edited 03-09-2019 06:03 PM
Are Egress and Ingress Filters installed on all border routers to prevent impersonation with spoofed IP addresses?
I cant seem to get my head around the logic unless I start to specify criteria such as it must be the spoofed addresses are RFC1918 compliant. My current view on this is its a half question that cant be fully answered.
Any views on this ?
05-25-2007 01:01 PM
julian
determining with certainty whether an address is spoofed or not is very difficult. But some spoofing is very easy to detect (and you should be looking for these at your border routers):
- on incoming traffic, is the source address an address from your internal network? if so it must be spoofed.
- on outgoing traffic, is the source address an address that is not in your internal network? if so it must be spoofed.
These spoofing checks are easy and should be done.
HTH
Rick
06-01-2007 12:45 AM
Hi Rick,
Thanks for your comments.. However, if you read my question.
"unless I start to specify criteria such as it must be the spoofed addresses are RFC1918 compliant"
Which is the Private address space. But, the common question does not detail specific criteria and this is what I was trying to identify. Without specifying criteria of RFC1918 address spaces or the address as being equal to that of yor internal network. How can you then monitor for spoofed addresses... perhaps a question that all of those non technical auditors out there need to rewrite.
06-01-2007 05:46 AM
http://www.faqs.org/rfcs/rfc2827.html
Try a google search on "detecting spoofed TCP packets". There are some more "general" approaches to detecting spoofed packets.
This doc explains a few: http://seclab.cs.ucdavis.edu/papers/DetectingSpoofed-DISCEX.pdf
FWIW, packets sourced with RFC1918 addresses at your gateway aren't necessarily spoofed. It could just be a case where someone's NAT is all horked up. You should still filter them of course.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide