Foundation Topics
Mitigating IP Spoofing Attacks
Measures for mitigating IP spoofing attacks should be built into the defenses of both the enterprise network and the service provider. Although IP spoofing attacks cannot be completely eliminated, the threat they present can be reduced through access control and RFC 2827 filtering.
IP spoofing can function correctly only when devices use an IP address-based trust model for authentication, which permits or denies access to a host based on the IP address of the client. Additional authentication methods, such as cryptographic authentication or a strong two-factor authentication method using one-time passwords (OTPs), handily defeat IP spoofing attacks.
Access Control
The most effective means of mitigating IP spoofing is to properly configure access control. Denying access to any traffic that originates from an external network that claims to have a source address from the internal network reduces the effectiveness of IP spoofing. However, this method is truly effective only if the internal addresses are the only trusted addresses. This method is ineffective if external addresses, even a small set of them, are considered trusted.
RFC 2827 Filtering
As discussed in Chapter 8, RFC 2827 calls for filtering at the edge of the ISP network where customer networks connect. Traffic should be filtered at the edge by restricting traffic to only those prefixes that are assigned to the customer. Service provider customers can implement egress filters according to the RFC 2827 guidelines as an additional filter to prevent their networks from becoming a source of DoS attacks. For example, in Figure 9-1, the ISP has assigned customer A the range 192.168.100.0/24 and customer B the range 192.168.101.0/24.
Figure 9-1. RFC 2827 Filtering
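The filtering decisions described in the two sections above can be modeled in a few lines. This is an added example, not taken from the original text: the prefixes are the ones assigned to customers A and B above, while the interface names, function names, and sample packets are constructed for illustration.

```python
import ipaddress

# Prefixes are the ones the text assigns in Figure 9-1; interface names are hypothetical.
CUSTOMER_PREFIXES = {
    "to-customer-a": ipaddress.ip_network("192.168.100.0/24"),
    "to-customer-b": ipaddress.ip_network("192.168.101.0/24"),
}

def isp_ingress(interface, src):
    """RFC 2827 filter at the ISP edge: permit a packet only if its source
    lies inside the prefix assigned to the customer on that interface."""
    prefix = CUSTOMER_PREFIXES.get(interface)
    if prefix is None:
        return "deny"                      # unknown interface: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny"                      # malformed source address
    return "permit" if addr in prefix else "deny"

def customer_perimeter(direction, src, internal):
    """Customer-side filters from the text. Inbound: drop outside traffic that
    claims an internal source. Outbound: let only internal sources leave."""
    claims_internal = ipaddress.ip_address(src) in internal
    if direction == "inbound":
        return "deny" if claims_internal else "permit"
    if direction == "outbound":
        return "permit" if claims_internal else "deny"
    raise ValueError(f"unknown direction: {direction}")

def run_samples():
    """Evaluate constructed sample packets; returns a list of decisions."""
    a_net = CUSTOMER_PREFIXES["to-customer-a"]
    return [
        isp_ingress("to-customer-a", "192.168.100.25"),         # legitimate customer A host
        isp_ingress("to-customer-a", "192.168.101.7"),          # A sending with B's range
        isp_ingress("to-customer-b", "10.1.1.1"),               # source not assigned to B
        customer_perimeter("inbound", "192.168.100.9", a_net),  # outside claims to be inside
        customer_perimeter("outbound", "203.0.113.5", a_net),   # foreign source leaving A
    ]

if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

Only the first sample is permitted; every packet whose source address falls outside the prefix expected at that point is dropped.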
