Re: Preventing Spoof Attacks

From: Tarun Pahuja (pahujat@gmail.com)
Date: Wed May 23 2007 - 16:14:48 ART

• Next message: backbone systems: "RE: Storage CCIE"
• Previous message: DWINKWORTH@wi.rr.com: "Re: FRTS and Be - first interval?"
• Maybe in reply to: graham@cisco-engineer.com: "Preventing Spoof Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Graham,
                uRPF Checks to See if the Source Address's Reverse Path
Matches the Input Port. Source Address Must Match the FIB and Adjacency
Information in the CEF Table.

Source IP packets are checked to ensure that the route back to the source
uses the same interface
Requires CEF
Not always appropriate where asymmetric paths exist

Hope this helps.
Tarun Pahuja
CCIE#7707(R&S,Security,SP,Voice,Storage)

On 5/23/07, ffhanif <ffhaniff@gmail.com> wrote:
>
> I thought this might be useful:
>
>
>
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapt
er09186a00804fdef9.html
>
> Unicast RPF with Inbound and Outbound Filters Example
>
> The following example uses a very simple single-homed ISP to demonstrate
> the
> concepts of ingress and egress filters used in conjunction with Unicast
> RPF.
> The example illustrates an ISP-allocated classless interdomain routing
> (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters
> on the upstream interface. Be aware that ISPs are usually not
> single-homed.
> Hence, provisions for asymmetrical flows (when outbound traffic goes out
> one
> link and returns via a different link) need to be designed into the
> filters
> on the border routers of the ISP.
>
> ip cef distributed
>
> !
>
> interface Serial 5/0/0
>
> description Connection to Upstream ISP
>
> ip address 209.165.200.225 255.255.255.252
>
> no ip redirects
>
> no ip directed-broadcast
>
> no ip proxy-arp
>
> ip verify unicast reverse-path
>
> ip access-group 111 in
>
> ip access-group 110 out
>
> !
>
> access-list 110 permit ip 209.165.202.128 0.0.0.31 any
>
> access-list 110 deny ip any any log
>
> access-list 111 deny ip host 0.0.0.0 any log
>
> access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
>
> access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
>
> access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
>
> access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
>
> access-list 111 deny ip 209.165.202.128 0.0.0.31 any log
>
> access-list 111 permit ip any any
>
> Unicast RPF with ACLs and Logging Example
>
> The following example demonstrates the use of ACLs and logging with
> Unicast
> RPF. In this example, extended ACL 197 provides entries that deny or
> permit
> network traffic for specific address ranges. Unicast RPF is configured on
> interface Ethernet0 to check packets arriving at that interface.
>
> For example, packets with a source address of 192.168.201.10 arriving at
> interface Ethernet0 are dropped because of the deny statement in ACL 197.
> In
> this case, the ACL information is logged (the logging option is turned on
> for the ACL entry) and dropped packets are counted per interface and
> globally. Packets with a source address of 192.168.201.100 arriving at
> interface Ethernet0 are forwarded because of the permit statement in ACL
> 197. ACL information about dropped or suppressed packets is logged
> (logging
> option turned on for the ACL entry) to the log server.
>
> ip cef distributed
>
> !
>
> int eth0/1/1
>
> ip address 192.168.200.1 255.255.255.0
>
> ip verify unicast reverse-path 197
>
> !
>
> int eth0/1/2
>
> ip address 192.168.201.1 255.255.255.0
>
> !
>
> access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
>
> access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
>
> access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
>
> access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
>
> access-list 197 deny ip host 0.0.0.0 any log
>
>
>
>
> On 5/17/07, graham@cisco-engineer.com <graham@cisco-engineer.com> wrote:
> >
> > With regards to preventing ip spoofing;
> >
> >
> >
> > Does the:
> >
> > ip verify unicast reverse-path
> >
> > serve the same function as a :
> >
> > Deny ip <inside ip's> <inside mask> any
> >
> >
> >
> > If asked in the lab to prevent spoof attacks on an a subnet from the
> > outside, which is the "most correct" method to use or are both perfectly
> > valid methods
> >
> >
> > _____
> >
> > I am using the free version of SPAMfighter for private users.
> > It has removed 742 spam emails to date.
> > Paying users do not have this message in their emails.
> > Try SPAMfighter <http://www.spamfighter.com/len> for free now!
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: backbone systems: "RE: Storage CCIE"
• Previous message: DWINKWORTH@wi.rr.com: "Re: FRTS and Be - first interval?"
• Maybe in reply to: graham@cisco-engineer.com: "Preventing Spoof Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART