Restrict source-spoofed packets with Cisco filters

David Simmons
October 5, 1997

THE MASK OF THE ATTACKER

The latest malicious fad in the Internet underworld is the launching of "denial-of-service" attacks against Internet hosts. Many times, these attacks take the form of a high-bandwidth bombardment of meaningless data that consumes the victim's CPU and Internet link. Because such a bombardment usually hurts the source as much as the victim, an attacker will usually launch the attack from a random network that he has gained unauthorized access to.

To make matters worse, attackers are now using programs which manipulate raw sockets on the source host to transmit IP packets with the source address "spoofed" to an inappropriate address. When the offensive packets arrive at the victim host, it is difficult to tell where on the Internet the attack originates from, because the source address is inaccurate.

If the packet bombardment takes the form of "pings" (ICMP echo requests), and the source addresses are spoofed to be the address of a third host, then the third host suffers from an indirect attack from the ICMP echo replies generated by the primary victim.

Source address spoofing can also be used in an attempt to gain unauthorized access to a host; some old authentication mechanisms can be fooled into thinking that the attacker is originating from a trusted host.

FILTERING BY SOURCE ADDRESS

The most effective solution to this problem is for Internet providers to take precautions against their own network, or any of their client networks, being used to launch such attacks. A Cisco router can be programmed to filter packets marked with invalid source addresses.

For example, if you wish to filter source-spoofed packets from an Ethernet interface which contains a Class C network of 192.168.42.0, you would enter the following access-list definition into the Cisco's configuration, assuming you don't already have access-list 100 defined:

access-list 100 permit ip 192.168.42.0 0.0.0.255 any
access-list 100 deny   ip any any

In the configuration for the Ethernet interface, you would enter the following to invoke that access-list for incoming packets:

ip access-group 100 in
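The following Python script is an added example, not part of the original article or of Cisco IOS: it generates the ingress access-list for a given network (using Cisco's inverted "wildcard" mask notation) and then simulates the router's first-match evaluation over a constructed batch of source addresses, so the filter can be reasoned about before it is deployed. The 192.168.42.0/24 network is the one from the article; the sample source addresses are constructed.

```python
import ipaddress

def cidr_to_wildcard(network):
    """Convert a CIDR network into Cisco's (address, wildcard-mask) pair.
    A wildcard mask is the bitwise inverse of a netmask: set bits are 'don't care'."""
    net = ipaddress.ip_network(network, strict=True)
    return str(net.network_address), str(net.hostmask)

def ingress_acl(acl_number, networks):
    """Build the access-list lines: permit each legitimate source network,
    then deny everything else (spoofed sources) explicitly."""
    lines = []
    for n in networks:
        addr, wc = cidr_to_wildcard(n)
        lines.append(f"access-list {acl_number} permit ip {addr} {wc} any")
    lines.append(f"access-list {acl_number} deny   ip any any")
    return lines

def _wildcard_match(address, base, wildcard):
    """True if 'address' matches 'base' on every bit that is 0 in the wildcard."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl_lines, src):
    """Simulate IOS first-match semantics for the source field of an 'ip' ACL.
    Returns 'permit' or 'deny'."""
    for line in acl_lines:
        parts = line.split()           # access-list N action ip source [wildcard] dest
        action, source = parts[2], parts[4]
        if source == "any":
            return action
        base, wildcard = source, parts[5]
        if _wildcard_match(src, base, wildcard):
            return action
    return "deny"                      # implicit deny at the end of every IOS ACL

def audit(acl_lines, sources):
    """Apply the ACL to a batch of source addresses; returns [(src, verdict), ...]."""
    return [(s, evaluate(acl_lines, s)) for s in sources]

if __name__ == "__main__":
    acl = ingress_acl(100, ["192.168.42.0/24"])
    print("\n".join(acl))
    # Constructed sample: two legitimate sources and two spoofed ones.
    for src, verdict in audit(acl, ["192.168.42.7", "192.168.42.250", "10.1.2.3", "172.16.0.9"]):
        print(f"{src:>15}  {verdict}")
```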

It is also possible to filter other forms of traffic that could represent denial-of-service attacks, such as UDP "echo" packets.

