RE: [nsp] ip spoofing prevention

From: K.Nathan Casassa (nathan@arteck.com)
Date: Fri Feb 09 2001 - 08:13:38 EST


Eric - There are several different things you can do to reduce the
vulnerability of your network.

Some basic things you want to do are to use access-lists to prevent packets
with source addresses other than the network allocated to your customer, and
vice versa by preventing outside packets entering your network with source
addresses of anything inside your network.

Configure "no ip directed-broadcast" and "no ip source-route" unless you are
required to use these under certain special circumstances.

Use RPF (Reverse Path Forwarding), but be careful because this can cause
problems if you are doing any type of asymmetrical routing.

CAR (Committed Access Rate) might be useful to restrict the amount of
specific types of traffic such as ICMP...how much ICMP traffic would you
choose to allow on a DS3? Surely not too much I would think, so limiting the
amount of ICMP traffic could reduce the impact.

Try playing with TCP Intercept - pretty cool thing if you ask me. It works
in between the client and server at your router. It connects the two
together if it is a valid TCP connection after "watching it for a moment"
and verifying the source is reachable, but discards bad packets using a
strict method. Be cautious in how you use this, so read up on how you want to
enable it, and the mode to use.

There are a bunch of things you can do; these are just what I can think of at
3:00AM!!!

Nathan

  -----Original Message-----
  From: Eric Chan [mailto:bigeric@hknet.com]
  Sent: Friday, February 09, 2001 12:01 AM
  To: cisco-nsp@puck.nether.net
  Subject: [nsp] ip spoofing prevention

  I know we can use TCP Intercept to prevent SYN floods.
  Does anyone know any method to prevent IP spoofing in Cisco IOS?

  thanks

  eric
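
Added example, not part of the original thread: a small Python model of the source-address access-list checks and the reverse-path check described in the reply above, including the asymmetric-routing case it warns about. The prefixes, interface names and forwarding table are constructed for illustration, and the RPF rule is modelled as "accept only if the route back to the source uses the arriving interface".

```python
import ipaddress

# Constructed sample data (documentation prefixes, hypothetical interface names).
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")   # allocated to the customer
OUR_NETS = [CUSTOMER_NET, ipaddress.ip_network("198.51.100.0/24")]  # inside our network

# Constructed forwarding table: prefix -> interface used to reach it.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Serial0",      # customer link
    ipaddress.ip_network("198.51.100.0/24"): "Ethernet0", # our own LAN
    ipaddress.ip_network("203.0.113.0/24"): "Serial1",    # remote net, best path
    ipaddress.ip_network("0.0.0.0/0"): "Serial2",         # default, second upstream
}

def fib_lookup(addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in FIB if ip in n), key=lambda n: n.prefixlen)
    return FIB[best]

def customer_acl_permits(src):
    """Customer-facing ACL: permit only sources inside the customer's allocation."""
    return ipaddress.ip_address(src) in CUSTOMER_NET

def outside_acl_permits(src):
    """Outside-facing ACL: deny packets claiming a source inside our network."""
    ip = ipaddress.ip_address(src)
    return not any(ip in n for n in OUR_NETS)

def rpf_permits(src, in_if):
    """Reverse-path check: the route back to src must use the arriving interface."""
    return fib_lookup(src) == in_if

def evaluate(packets):
    """Return (acl_ok, rpf_ok) for each (source, arriving interface) pair."""
    results = []
    for src, in_if in packets:
        acl = customer_acl_permits(src) if in_if == "Serial0" else outside_acl_permits(src)
        results.append((acl, rpf_permits(src, in_if)))
    return results

PACKETS = [
    ("192.0.2.10", "Serial0"),    # legitimate customer source
    ("203.0.113.9", "Serial0"),   # customer link, source outside the allocation
    ("198.51.100.7", "Serial2"),  # outside packet claiming an inside source
    ("203.0.113.5", "Serial2"),   # legitimate, but arrives on the non-best path
]

if __name__ == "__main__":
    for (src, in_if), (acl, rpf) in zip(PACKETS, evaluate(PACKETS)):
        print(f"{src:15} in {in_if}: ACL {'permit' if acl else 'deny'}, "
              f"RPF {'permit' if rpf else 'drop'}")
```

The last packet passes the access-list but fails the reverse-path check only because its return route points out a different interface, which is the asymmetric-routing problem mentioned for RPF.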


