Preventing Traffic with Spoofed Source IP address Presented by Md. Abdullah Al Naser Sr. Systems Specialist MetroNet Bangladesh Ltd Founder, Founder, mn -LAB info@mn-lab.net

1. Preventing Traffic with
Spoofed Source IP Addresses
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, mn-LAB
info@mn-lab.net
Network Operational Tutorial

2. Internet Routing Security
The routing system of the Internet is vulnerable to many
security threats such as:
Presented by – Md. Abdullah Al Naser Page # 2

3. Internet Routing Security
The routing system of the Internet is vulnerable to many
security threats such as:
Presented by – Md. Abdullah Al Naser Page # 3

4. Internet Routing Security
Prefix Hijacks
Presented by – Md. Abdullah Al Naser Page # 4

5. Internet Routing Security
Prefix Hijacks
Presented by – Md. Abdullah Al Naser Page # 5
Solution:
Inbound Prefix
Filtering

6. Internet Routing Security
Route Leaks
Presented by – Md. Abdullah Al Naser Page # 6

7. Internet Routing Security
Route Leaks
Presented by – Md. Abdullah Al Naser Page # 7

8. Internet Routing Security
Route Leaks
Presented by – Md. Abdullah Al Naser Page # 8
Solution:
Outbound Prefix
Filtering

9. Internet Routing Security
Control Plane vs Data Plane Security
Control Plane
● Prefix filtering can protect your BGP Table/control plane
● ROA/RPKI can also be used to protect control plane
Data Plane
● But what about if anyone sends packets with spoofed
source IP address?
● Source address validation should be there to deal with
that!!
Presented by – Md. Abdullah Al Naser Page # 9

10. Internet Routing Security
IP Address Spoofing
● IP source address spoofing is the practice of originating
IP datagrams with source addresses other than those
assigned to the host of origin
● Put simply, the host pretends to be some other host
● Normally when your router receives unicast IP packets
it only cares about one thing:
What is the destination IP address of this IP packet so
I can forward it?
Presented by – Md. Abdullah Al Naser Page # 10

11. Internet Routing Security
IP Address Spoofing
Presented by – Md. Abdullah Al Naser Page # 11

12. Internet Routing Security
IP Address Spoofing (Sample Attack)
Presented by – Md. Abdullah Al Naser Page # 12

13. Internet Routing Security
IP Address Spoofing Implications
Spoofing can be exploited in various ways, most notably
to execute a DDoS Reflection-Amplification attack
Presented by – Md. Abdullah Al Naser Page # 13

14. Internet Routing Security
IP Address Spoofing Implications
● DDoS Amplification is achieved by small queries
resulting in much larger responses
● Open DNS resolvers and NTP servers are commonly
used as reflectors/amplifiers
● IP Spoofing can be more destructive if a valid TCP
session is hijacked
Presented by – Md. Abdullah Al Naser Page # 14

15. Internet Routing Security
IP Address Spoofing Implications
● Significant DoS attacks are
costing Service Providers
● These costs hurt the brand,
damage customer operations,
and have collateral
operational/cost impact
on other customers
Presented by – Md. Abdullah Al Naser Page # 15

16. Spoofing Tools
Spoofing Tools
● nping (available in Zenmap and other tools)
● synner
● kali linux (popular to pen testers)
● even IP Spoofing can be done from Windows CMD
Presented by – Md. Abdullah Al Naser Page # 16

17. Anti-Spoofing
Anti-Spoofing
● Implementing anti-spoofing filtering to prevent packets
with incorrect source IP address from entering the
network
● DDoS Reflection-Amplification attacks would be
impossible without spoofing – however, they are
preventable
Presented by – Md. Abdullah Al Naser Page # 17

18. Anti-Spoofing
Anti-Spoofing Techniques
● Access Control Lists
● Dynamic Access Lists
● unicast Reverse Path Forwarding
Presented by – Md. Abdullah Al Naser Page # 18

19. Anti-Spoofing
Anti-Spoofing Considerations
● Identify points/devices in the network topology where
anti-spoofing measures should be applied
● Identify adequate techniques to be used (for example,
uRPF, or ACL filtering)
● Apply configuration commands
● Verify that the protection works, is permanent and is
kept up-to-date
Presented by – Md. Abdullah Al Naser Page # 19

20. Anti-Spoofing
Anti-Spoofing Techniques
To prevent source IP address spoofing, it's recommended
to implement Ingress Filtering methods which include:
ACL, uRPF etc
Presented by – Md. Abdullah Al Naser Page # 20

21. Anti-Spoofing
Anti-Spoofing Techniques - ACL
● ACLs are used to filter traffic at the router's interfaces
● ACLs are configured to allow specific address ranges
and deny all others
● ACLs are commonly deployed on the Provider Edge /
Customer Edge (PE / CE) boundary
● ACLs should be deployed on the downstream interfaces
of the ISP in order to verify the source addresses used
by its customers
Presented by – Md. Abdullah Al Naser Page # 21

22. Anti-Spoofing
Anti-Spoofing Techniques - ACL
Presented by – Md. Abdullah Al Naser Page # 22

23. Anti-Spoofing
Anti-Spoofing Techniques - ACL
ip access-list extended customer1-in-ipv4
permit ip 192.0.2.0 0.0.0.255 any
!
ipv6 access-list customer1-in-ipv6
permit ipv6 2001:db8:1001::/48 any
!
interface gi0/0
ip access-group customer1-in-ipv4 in
ipv6 traffic-filter customer1-in-ipv6 in
Presented by – Md. Abdullah Al Naser Page # 23

24. Anti-Spoofing
Anti-Spoofing Techniques - ACL
firewall {
family inet {
filter customer1-in-ipv4 {
term allowed-sources {
from {
source-address {
192.0.2.0/24;
}
}
then accept;
}
}
}
Presented by – Md. Abdullah Al Naser Page # 24

25. Anti-Spoofing
Anti-Spoofing Techniques - ACL
/ip firewall filter add action=drop chain=forward
comment="spoofed from AS64501“
in-interface=$interface log-prefix="“
src-address=!192.0.2.0/24
/ipv6 firewall filter add action=drop chain=forward
comment="spoofed from AS64501“
in-interface=$interface log-prefix="“
src-address=!2001:db8:1001::/48
Presented by – Md. Abdullah Al Naser Page # 25

26. uRPF
Anti-Spoofing Techniques - uRPF
● uRPF is a security feature that prevents these spoofing
attacks. Whenever your router receives an IP packet it
will check if it has a matching entry in the routing table
for the source IP address. If it doesn’t match, the
packet will be discarded
● uRPF as defined in RFC 3704
● uRPF is often implemented on the edges of the networks
where customers, servers, and/or clients are connected
Presented by – Md. Abdullah Al Naser Page # 26

27. uRPF
Anti-Spoofing Techniques - uRPF
Presented by – Md. Abdullah Al Naser Page # 27

28. uRPF
Anti-Spoofing Techniques - uRPF
Presented by – Md. Abdullah Al Naser Page # 28

29. uRPF
Anti-Spoofing Techniques - uRPF
Presented by – Md. Abdullah Al Naser Page # 29

30. uRPF
There are four modes for uRPF:
● Loose Mode ● Strict Mode
● Feasible Mode ● VRF Mode
● For single-homed stub customers, it's recommended
that uRPF strict mode is implemented
● For dual-homed stub customers, it is best to use uRPF
feasible mode instead
Presented by – Md. Abdullah Al Naser Page # 30

31. uRPF
uRPF Strict Mode
In Strict mode router will perform two checks:
1. Do I have a matching entry for the source in
the routing table?
2. Do I use the same interface to reach this source as
where I received this packet on?
Presented by – Md. Abdullah Al Naser Page # 31

32. uRPF
uRPF Strict Mode
When the incoming IP packets passes both checks, it will be
permitted. Otherwise it will be dropped. This is perfectly fine
for IGP routing protocols since they use the shortest path to the
source of IP packets.
Presented by – Md. Abdullah Al Naser Page # 32

33. uRPF
uRPF Strict Mode
Presented by – Md. Abdullah Al Naser Page # 33

34. uRPF
uRPF Loose Mode
In Loose mode router will perform only single check:
1. Do I have a matching entry for the source in
the routing table?
Presented by – Md. Abdullah Al Naser Page # 34

35. uRPF
uRPF Loose Mode
When it passed this check, the packet is permitted. It doesn’t
matter if we use this interface to reach the source or not.
Loose mode is useful when you are connected to more than
one ISP and you use asymmetric routing.
Presented by – Md. Abdullah Al Naser Page # 35

36. uRPF
Additional Features
● Logging and Exemptions: uRPF allows the usage of an
access-list so you can decide what sources it should check
and if required, log the packets that are dropped using
access-list logging
● Self-pinging: Allow the router to ping itself using uRPF
strict mode on the interface
Presented by – Md. Abdullah Al Naser Page # 36

37. uRPF
Additional Features
● Default route: You can configure uRPF to check source
IP addresses against a default route. You can use this
when you want to accept all packets from your internet
connection while protecting yourself against spoofed
packets with source IP address from your internal
network
Presented by – Md. Abdullah Al Naser Page # 37

38. uRPF
Anti-Spoofing Techniques – uRPF
interface gi0/0
ip verify unicast reachable-via rx
ipv6 verify unicast reachable-via rx
Presented by – Md. Abdullah Al Naser Page # 38

39. uRPF
Anti-Spoofing Techniques – uRPF
family inet {
rpf-check;
}
family inet6 {
rpf-check;
}
Presented by – Md. Abdullah Al Naser Page # 39

40. uRPF
Anti-Spoofing Techniques – uRPF
/ip settings set rp-filter=strict
Presented by – Md. Abdullah Al Naser Page # 40

41. MANRS
Mutually Agreed Norms for Routing Security
● MANRS community is made up of
security-minded network operators
● MANRS care about routing security
● MANRS is prepared to spend resources
on routing security
● MANRS is prepared to be held
accountable by the community
Presented by – Md. Abdullah Al Naser Page # 41
www.manrs.org

42. MANRS
MANRS defines four concrete actions
Presented by – Md. Abdullah Al Naser Page # 42

43. MANRS
Global Validation
In order to facilitate validation of routing information on
a global scale, network operators must publish their
routing information so that other parties can validate it.
Presented by – Md. Abdullah Al Naser Page # 43

44. MANRS
Filtering
In order to prevent propagation of incorrect routing
information, network operators must ensure the
correctness of their own announcements, and
announcements from their customers to adjacent
networks with prefix and AS-path granularity.
Presented by – Md. Abdullah Al Naser Page # 44

45. MANRS
Anti-Spoofing
In order to prevent traffic with spoofed source IP
addresses, network operators must enable source address
validation for at least single-homed stub customer
networks, their own end-users, and infrastructure.
Presented by – Md. Abdullah Al Naser Page # 45

46. MANRS
Coordination
In order to facilitate global operational communication
and coordination between network operators, they must
maintain globally accessible, and up-to-date contact
information.
Presented by – Md. Abdullah Al Naser Page # 46

47. Acknowledgement
● Rene Molenaar
● MANRS
● Cisco Networking Academy
● MikroTik Wiki
Presented by – Md. Abdullah Al Naser Page # 47

48. Keep Internet Secure 
Thank You