Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Preventing Traffic with Spoofed Source IP address

69 views

Published on

Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net

Published in: Internet
  • Be the first to comment

Preventing Traffic with Spoofed Source IP address

  1. 1. Preventing Traffic with Spoofed Source IP Addresses Presented by Md. Abdullah Al Naser Sr. Systems Specialist MetroNet Bangladesh Ltd Founder, mn-LAB info@mn-lab.net Network Operational Tutorial
  2. 2. Internet Routing Security The routing system of the Internet is vulnerable to many security threats such as: Presented by – Md. Abdullah Al Naser Page # 2
  3. 3. Internet Routing Security The routing system of the Internet is vulnerable to many security threats such as: Presented by – Md. Abdullah Al Naser Page # 3
  4. 4. Internet Routing Security Prefix Hijacks Presented by – Md. Abdullah Al Naser Page # 4
  5. 5. Internet Routing Security Prefix Hijacks Presented by – Md. Abdullah Al Naser Page # 5 Solution: Inbound Prefix Filtering
  6. 6. Internet Routing Security Route Leaks Presented by – Md. Abdullah Al Naser Page # 6
  7. 7. Internet Routing Security Route Leaks Presented by – Md. Abdullah Al Naser Page # 7
  8. 8. Internet Routing Security Route Leaks Presented by – Md. Abdullah Al Naser Page # 8 Solution: Outbound Prefix Filtering
  9. 9. Internet Routing Security Control Plane vs Data Plane Security Control Plane ● Prefix filtering can protect your BGP Table/control plane ● ROA/RPKI can also be used to protect control plane Data Plane ● But what about if anyone sends packets with spoofed source IP address? ● Source address validation should be there to deal with that!! Presented by – Md. Abdullah Al Naser Page # 9
  10. 10. Internet Routing Security IP Address Spoofing ● IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin ● Put simply, the host pretends to be some other host ● Normally when your router receives unicast IP packets it only cares about one thing: What is the destination IP address of this IP packet so I can forward it? Presented by – Md. Abdullah Al Naser Page # 10
  11. 11. Internet Routing Security IP Address Spoofing Presented by – Md. Abdullah Al Naser Page # 11
  12. 12. Internet Routing Security IP Address Spoofing (Sample Attack) Presented by – Md. Abdullah Al Naser Page # 12
  13. 13. Internet Routing Security IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by – Md. Abdullah Al Naser Page # 13
  14. 14. Internet Routing Security IP Address Spoofing Implications ● DDoS Amplification is achieved by small queries resulting in much larger responses ● Open DNS resolvers and NTP servers are commonly used as reflectors/amplifiers ● IP Spoofing can be more destructive if a valid TCP session is hijacked Presented by – Md. Abdullah Al Naser Page # 14
  15. 15. Internet Routing Security IP Address Spoofing Implications ● Significant DoS attacks are costing Service Providers ● These costs hurt the brand, damage customer operations, and have collateral operational/cost impact on other customers Presented by – Md. Abdullah Al Naser Page # 15
  16. 16. Spoofing Tools Spoofing Tools ● nping (available in Zenmap and other tools) ● synner ● kali linux (popular to pen testers) ● even IP Spoofing can be done from Windows CMD Presented by – Md. Abdullah Al Naser Page # 16
  17. 17. Anti-Spoofing Anti-Spoofing ● Implementing anti-spoofing filtering to prevent packets with incorrect source IP address from entering the network ● DDoS Reflection-Amplification attacks would be impossible without spoofing – however, they are preventable Presented by – Md. Abdullah Al Naser Page # 17
  18. 18. Anti-Spoofing Anti-Spoofing Techniques ● Access Control Lists ● Dynamic Access Lists ● unicast Reverse Path Forwarding Presented by – Md. Abdullah Al Naser Page # 18
  19. 19. Anti-Spoofing Anti-Spoofing Considerations ● Identify points/devices in the network topology where anti-spoofing measures should be applied ● Identify adequate techniques to be used (for example, uRPF, or ACL filtering) ● Apply configuration commands ● Verify that the protection works, is permanent and is kept up-to-date Presented by – Md. Abdullah Al Naser Page # 19
  20. 20. Anti-Spoofing Anti-Spoofing Techniques To prevent source IP address spoofing, it's recommended to implement Ingress Filtering methods which include: ACL, uRPF etc Presented by – Md. Abdullah Al Naser Page # 20
  21. 21. Anti-Spoofing Anti-Spoofing Techniques - ACL ● ACLs are used to filter traffic at the router's interfaces ● ACLs are configured to allow specific address ranges and deny all others ● ACLs are commonly deployed on the Provider Edge / Customer Edge (PE / CE) boundary ● ACLs should be deployed on the downstream interfaces of the ISP in order to verify the source addresses used by its customers Presented by – Md. Abdullah Al Naser Page # 21
  22. 22. Anti-Spoofing Anti-Spoofing Techniques - ACL Presented by – Md. Abdullah Al Naser Page # 22
  23. 23. Anti-Spoofing Anti-Spoofing Techniques - ACL ip access-list extended customer1-in-ipv4 permit ip 192.0.2.0 0.0.0.255 any ! ipv6 access-list customer1-in-ipv6 permit ipv6 2001:db8:1001::/48 any ! interface gi0/0 ip access-group customer1-in-ipv4 in ipv6 traffic-filter customer1-in-ipv6 in Presented by – Md. Abdullah Al Naser Page # 23
  24. 24. Anti-Spoofing Anti-Spoofing Techniques - ACL firewall { family inet { filter customer1-in-ipv4 { term allowed-sources { from { source-address { 192.0.2.0/24; } } then accept; } } } Presented by – Md. Abdullah Al Naser Page # 24
  25. 25. Anti-Spoofing Anti-Spoofing Techniques - ACL /ip firewall filter add action=drop chain=forward comment="spoofed from AS64501“ in-interface=$interface log-prefix="“ src-address=!192.0.2.0/24 /ipv6 firewall filter add action=drop chain=forward comment="spoofed from AS64501“ in-interface=$interface log-prefix="“ src-address=!2001:db8:1001::/48 Presented by – Md. Abdullah Al Naser Page # 25
  26. 26. uRPF Anti-Spoofing Techniques - uRPF ● uRPF is a security feature that prevents these spoofing attacks. Whenever your router receives an IP packet it will check if it has a matching entry in the routing table for the source IP address. If it doesn’t match, the packet will be discarded ● uRPF as defined in RFC 3704 ● uRPF is often implemented on the edges of the networks where customers, servers, and/or clients are connected Presented by – Md. Abdullah Al Naser Page # 26
  27. 27. uRPF Anti-Spoofing Techniques - uRPF Presented by – Md. Abdullah Al Naser Page # 27
  28. 28. uRPF Anti-Spoofing Techniques - uRPF Presented by – Md. Abdullah Al Naser Page # 28
  29. 29. uRPF Anti-Spoofing Techniques - uRPF Presented by – Md. Abdullah Al Naser Page # 29
  30. 30. uRPF There are four modes for uRPF: ● Loose Mode ● Strict Mode ● Feasible Mode ● VRF Mode ● For single-homed stub customers, it's recommended that uRPF strict mode is implemented ● For dual-homed stub customers, it is best to use uRPF feasible mode instead Presented by – Md. Abdullah Al Naser Page # 30
  31. 31. uRPF uRPF Strict Mode In Strict mode router will perform two checks: 1. Do I have a matching entry for the source in the routing table? 2. Do I use the same interface to reach this source as where I received this packet on? Presented by – Md. Abdullah Al Naser Page # 31
  32. 32. uRPF uRPF Strict Mode When the incoming IP packets passes both checks, it will be permitted. Otherwise it will be dropped. This is perfectly fine for IGP routing protocols since they use the shortest path to the source of IP packets. Presented by – Md. Abdullah Al Naser Page # 32
  33. 33. uRPF uRPF Strict Mode Presented by – Md. Abdullah Al Naser Page # 33
  34. 34. uRPF uRPF Loose Mode In Loose mode router will perform only single check: 1. Do I have a matching entry for the source in the routing table? Presented by – Md. Abdullah Al Naser Page # 34
  35. 35. uRPF uRPF Loose Mode When it passed this check, the packet is permitted. It doesn’t matter if we use this interface to reach the source or not. Loose mode is useful when you are connected to more than one ISP and you use asymmetric routing. Presented by – Md. Abdullah Al Naser Page # 35
  36. 36. uRPF Additional Features ● Logging and Exemptions: uRPF allows the usage of an access-list so you can decide what sources it should check and if required, log the packets that are dropped using access-list logging ● Self-pinging: Allow the router to ping itself using uRPF strict mode on the interface Presented by – Md. Abdullah Al Naser Page # 36
  37. 37. uRPF Additional Features ● Default route: You can configure uRPF to check source IP addresses against a default route. You can use this when you want to accept all packets from your internet connection while protecting yourself against spoofed packets with source IP address from your internal network Presented by – Md. Abdullah Al Naser Page # 37
  38. 38. uRPF Anti-Spoofing Techniques – uRPF interface gi0/0 ip verify unicast reachable-via rx ipv6 verify unicast reachable-via rx Presented by – Md. Abdullah Al Naser Page # 38
  39. 39. uRPF Anti-Spoofing Techniques – uRPF family inet { rpf-check; } family inet6 { rpf-check; } Presented by – Md. Abdullah Al Naser Page # 39
  40. 40. uRPF Anti-Spoofing Techniques – uRPF /ip settings set rp-filter=strict Presented by – Md. Abdullah Al Naser Page # 40
  41. 41. MANRS Mutually Agreed Norms for Routing Security ● MANRS community is made up of security-minded network operators ● MANRS care about routing security ● MANRS is prepared to spend resources on routing security ● MANRS is prepared to be held accountable by the community Presented by – Md. Abdullah Al Naser Page # 41 www.manrs.org
  42. 42. MANRS MANRS defines four concrete actions Presented by – Md. Abdullah Al Naser Page # 42
  43. 43. MANRS Global Validation In order to facilitate validation of routing information on a global scale, network operators must publish their routing information so that other parties can validate it. Presented by – Md. Abdullah Al Naser Page # 43
  44. 44. MANRS Filtering In order to prevent propagation of incorrect routing information, network operators must ensure the correctness of their own announcements, and announcements from their customers to adjacent networks with prefix and AS-path granularity. Presented by – Md. Abdullah Al Naser Page # 44
  45. 45. MANRS Anti-Spoofing In order to prevent traffic with spoofed source IP addresses, network operators must enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure. Presented by – Md. Abdullah Al Naser Page # 45
  46. 46. MANRS Coordination In order to facilitate global operational communication and coordination between network operators, they must maintain globally accessible, and up-to-date contact information. Presented by – Md. Abdullah Al Naser Page # 46
  47. 47. Acknowledgement ● Rene Molenaar ● MANRS ● Cisco Networking Academy ● MikroTik Wiki Presented by – Md. Abdullah Al Naser Page # 47
  48. 48. Keep Internet Secure  Thank You

×