mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

IP Spoofing !!

Tue Apr 16, 2013 7:47 am

Hello friends,

I have a question about IP spoofing. How can we disable it?

I know that this can be done by applying reverse path forwarding (RPF) on the external interface.
But this will only prevent the attacker from spoofing my internal IP addresses; he can still spoof other addresses.

You may suggest using certificates, digital signatures or usernames/passwords to assure my clients' identity, but my problem is not that. To explain it better, I am giving this example scenario:

I have an IPS which can detect the SYN flood attack signature and then block the attacker's IP to prevent him from continuously sending SYN requests to my web server, which is going to cause a DoS on it. If the attacker uses a fixed source IP while sending the SYN flood, then the IPS will be able to prevent this attack. But if the attacker is sending SYN requests from randomly generated source IPs (one per SYN request), then the IPS will detect the attack and keep blocking all the randomly generated source IPs, and this will also cause a DoS.

But if I succeed in applying an anti-IP-spoofing mechanism on my Internet interface, then the attacker cannot spoof those random addresses and the DoS will fail.

RPF helps me prevent the external attacker from spoofing my internal IP addresses BUT not from spoofing other external IP addresses. Any suggestion for that?

Thanks in advance
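
A small model of the uRPF decision, as an added example that is not part of the original post, to make concrete why RPF on the outside interface stops spoofed internal sources and nothing else: the FIB, the interface names and the addresses are assumed. One caveat a practitioner hits immediately: on IOS the default route is ignored for the check unless `allow-default` is configured, so strict uRPF on an edge whose only route outward is the default route would drop every external source; the `allow_default` flag below models that switch (the ASA, as I understand it, does consult the default route). With the default route allowed, any external source passes, which is exactly the limitation the question describes.

```python
import ipaddress

# Constructed FIB for an edge device like the one in the question. Assumed
# addressing: the LAN 10.0.0.0/8 sits behind "inside", a server block on
# "dmz", and everything else is reachable only via the default route on "outside".
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("192.0.2.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def route_lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(fib, ingress, src, mode="strict", allow_default=True):
    """Unicast RPF decision for a packet with source `src` arriving on `ingress`.

    strict: the best route back to src must point out the ingress interface.
    loose:  any route back to src is enough (catches unroutable sources only).
    allow_default: whether the default route counts as a route back to src.
    """
    hit = route_lookup(fib, src)
    if hit is None:
        return False                      # no route back at all: drop
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches: drop
    if mode == "strict":
        return iface == ingress
    return True


def filter_packets(fib, packets, **kw):
    """Apply the check to (ingress, src) pairs; returns the list of verdicts."""
    return [("forward" if urpf_accept(fib, ingress, src, **kw) else "drop")
            for ingress, src in packets]


if __name__ == "__main__":
    # Constructed sample: a spoofed internal source from outside, a spoofed
    # DMZ source from outside, an arbitrary external source from outside, and
    # an inside host spoofing an external source (the BCP38 egress case).
    sample = [("outside", "10.0.0.5"), ("outside", "192.0.2.5"),
              ("outside", "203.0.113.7"), ("inside", "203.0.113.7")]
    for pkt, verdict in zip(sample, filter_packets(FIB, sample)):
        print(pkt, "->", verdict)
```

The third packet is the attacker's randomly generated source: it is forwarded under every setting except `allow_default=False`, and that setting also drops all legitimate Internet clients, so it is no answer for the outside interface.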

mellowd
CCIE #38070
Posts: 13814
Joined: Wed Jun 18, 2008 7:49 am
Certs: CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: IP Spoofing !!

Tue Apr 16, 2013 7:53 am

There is no way for a router to know what a spoofed address is or not. It's just a source address.

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Tue Apr 16, 2013 7:56 am

mellowd wrote: There is no way for a router to know what a spoofed address is or not. It's just a source address.

Thanks for the reply. I know that the router can only detect spoofing if it is happening with its internal IP addresses. Then what is the solution if it is happening with external IP addresses? How do I prevent a SYN flood in this case?

mellowd
CCIE #38070
Posts: 13814
Joined: Wed Jun 18, 2008 7:49 am
Certs: CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: IP Spoofing !!

Tue Apr 16, 2013 8:05 am

If you find a way, you'll make a lot of money, as currently if a resource is being DDoSed from multiple spoofed addresses, the only way to stop that is to remove the resource.

burnyd
Post Whore
Posts: 3159
Joined: Fri Nov 13, 2009 5:15 pm
Certs: CCIE R&S/SP,CCNP-SP,JNCIA,VCP510,VCA-DCV

Re: IP Spoofing !!

Tue Apr 16, 2013 8:08 am

Have an IPS between you and your ISP. Have your ISP use some sort of DDoS mitigation between you and them.
http://danielhertzberg.wordpress.com - I blog about networks!

ristau5741
Post Whore
Posts: 10504
Joined: Tue Aug 21, 2007 2:15 pm
Certs: Instanity

Re: IP Spoofing !!

Tue Apr 16, 2013 8:09 am

Implement IP source address verification.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Tue Apr 16, 2013 8:16 am

Thanks all for the replies.
As mellowd said, I cannot implement IP source address verification. The IPS is detecting the attack as I said and it is blocking it, BUT how can it block it if every time it is coming from a different IP address?

I guess there is no way to counter that at the IP level only. We need to do it at the TCP level by implementing TCP Intercept:
http://www.sans.org/security-resources/ ... _flood.php

Otanx
Post Whore
Posts: 1208
Joined: Wed Sep 01, 2010 3:37 pm
Certs: CCNP, CEH

Re: IP Spoofing !!

Tue Apr 16, 2013 9:35 am

TCP Intercept does not stop a DDoS. All it does is move the device attacked to your router instead of the server. If you have TCP Intercept set up with a threshold of, say, 100, and I then send a DDoS attack at a rate of 10,000 per second, you will be timing out handshakes before a legitimate host could respond with an ACK.

As mellowd said, there is no easy way to prevent this attack except unplugging until it is over, or throwing enough resources at the problem that you can handle the attack and real traffic at the same time.

-Otanx
Stay networked, my friends.
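
Otanx's threshold arithmetic, worked through as an added example (not code from the post or from any Cisco implementation): a model of the embryonic-connection table that TCP Intercept keeps while it proxies the handshake. The eviction policy, in which each new SYN above the threshold drops the oldest half-open entry, is a simplification of the behaviour described in the thread; the threshold, flood rate and RTT values are assumed. What the numbers show is that under a flood the lifetime of any entry is threshold divided by SYN rate, so a legitimate client whose ACK arrives later than that never finds its entry.

```python
from collections import OrderedDict


class InterceptTable:
    """Half-open (embryonic) connection table of a device doing TCP Intercept.

    Assumed behaviour, simplified from the thread's description: the device
    answers every SYN itself and keeps one entry per half-open connection.
    At `threshold` entries it is in aggressive mode and every further SYN
    evicts the oldest entry.
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self.half_open = OrderedDict()      # insertion order == age order
        self.evicted = 0

    def syn(self, key):
        if key in self.half_open:
            return
        if len(self.half_open) >= self.threshold:
            self.half_open.popitem(last=False)   # drop the oldest embryonic entry
            self.evicted += 1
        self.half_open[key] = True

    def ack(self, key):
        """True if the final ACK still matches an entry in the table."""
        return self.half_open.pop(key, None) is not None


def legit_handshake_survives(threshold, flood_rate, rtt_ms):
    """One legitimate SYN arrives while `flood_rate` spoofed SYN/s are hitting the
    interceptor; its ACK arrives rtt_ms later. Returns
    (handshake_completed, spoofed_syns_that_arrived_in_between)."""
    table = InterceptTable(threshold)
    for i in range(threshold):              # the attack is already under way
        table.syn(("warm", i))
    table.syn("legit")
    spoofed = flood_rate * rtt_ms // 1000   # integer arithmetic keeps the count exact
    for i in range(spoofed):
        table.syn(("spoof", i))
    return table.ack("legit"), spoofed


def entry_lifetime_ms(threshold, flood_rate):
    """How long any half-open entry survives once aggressive mode is reached: the
    table holds `threshold` entries and the flood turns over `flood_rate` per second."""
    return threshold * 1000 / flood_rate


if __name__ == "__main__":
    # Constructed values from the post: threshold 100, 10,000 spoofed SYN/s,
    # and a client 50 ms away.
    print("entry lifetime under attack:", entry_lifetime_ms(100, 10000), "ms")
    for rate in (1000, 2000, 10000):
        done, n = legit_handshake_survives(100, rate, 50)
        print(f"{rate} SYN/s: {n} spoofed SYNs before the ACK, completed={done}")
```

At 10,000 SYN/s the table turns over every 10 ms, so anything slower than that on the path (any real Internet client) is timed out, which is the outage Otanx describes, just relocated to the interceptor.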

ristau5741
Post Whore
Posts: 10504
Joined: Tue Aug 21, 2007 2:15 pm
Certs: Instanity

Re: IP Spoofing !!

Tue Apr 16, 2013 11:00 am

Otanx wrote: no easy way to prevent this attack except unplugging until it is over, or throwing enough resources at the problem that you can handle the attack, and real traffic at the same time.

-Otanx

......or signing up for your ISP's DDoS Mitigation Services (which we do here)

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Tue Apr 16, 2013 11:23 am

Otanx .. I've just read about TCP Intercept, so I did not know about it. Thanks for your clarification.
ristau .. do you have any idea how exactly the DDoS mitigation service works? I mean, if your server is getting so many SYN requests from different IP addresses, then how is it going to observe the attack and handle it?

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Tue Apr 16, 2013 11:29 am

Theoretically, I guess the appropriate solution is using SYN cookies:
http://en.wikipedia.org/wiki/SYN_cookies

But how can I apply it practically?

wiz
New Member
Posts: 7
Joined: Tue Apr 16, 2013 12:54 pm
Certs: CCNA, CCNA Security

Re: IP Spoofing !!

Tue Apr 16, 2013 3:16 pm

I think a reputation based IPS would be your best way of preventing this.

Otanx
Post Whore
Posts: 1208
Joined: Wed Sep 01, 2010 3:37 pm
Certs: CCNP, CEH

Re: IP Spoofing !!

Tue Apr 16, 2013 4:42 pm

ristau5741 wrote:
Otanx wrote: no easy way to prevent this attack except unplugging until it is over, or throwing enough resources at the problem that you can handle the attack, and real traffic at the same time.

-Otanx

......or signing up for your ISP's DDoS Mitigation Services (which we do here)

I had to look these up. Not a lot of information on how they mitigate the attack. From what I can tell they throw bandwidth and processing power at it on your behalf. Some say they have bad-guy lists of IPs, but with spoofing that will not work. I am sure some are doing some kind of packet inspection, so if for example all the spoofed packets have the same src-port you can drop those. However, I would consider that a mistake on the attacker's part if their packets could be identified as a group. These services probably also run TCP Intercept on a big box that can handle more traffic than your systems. This would probably be the easiest and most successful way of preventing, or limiting, an outage from an attack.

SYN cookies look interesting and could help, but I would have to dig deeper to see if it is useful. The first thing is that while it frees resources up after the SYN, it requires more resources to respond. So while you made it harder to cause half-open connections to bring down the box, you made it easier for a spike in connections per second to take it down.

If you are really paranoid about attacks you could link all these together, RPF, DDoS mitigation service, SYN cookies, etc.

-Otanx

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Wed Apr 17, 2013 12:41 am

Otanx wrote:
ristau5741 wrote:
Otanx wrote: no easy way to prevent this attack except unplugging until it is over, or throwing enough resources at the problem that you can handle the attack, and real traffic at the same time.

-Otanx

......or signing up for your ISP's DDoS Mitigation Services (which we do here)

I had to look these up. Not a lot of information on how they mitigate the attack. From what I can tell they throw bandwidth and processing power at it on your behalf. Some say they have bad-guy lists of IPs, but with spoofing that will not work. I am sure some are doing some kind of packet inspection, so if for example all the spoofed packets have the same src-port you can drop those. However, I would consider that a mistake on the attacker's part if their packets could be identified as a group. These services probably also run TCP Intercept on a big box that can handle more traffic than your systems. This would probably be the easiest and most successful way of preventing, or limiting, an outage from an attack.

SYN cookies look interesting and could help, but I would have to dig deeper to see if it is useful. The first thing is that while it frees resources up after the SYN, it requires more resources to respond. So while you made it harder to cause half-open connections to bring down the box, you made it easier for a spike in connections per second to take it down.

If you are really paranoid about attacks you could link all these together, RPF, DDoS mitigation service, SYN cookies, etc.

-Otanx


Yes, I do agree with you.
We need now to find out how to implement SYN cookies.
Thanks

ristau5741
Post Whore
Posts: 10504
Joined: Tue Aug 21, 2007 2:15 pm
Certs: Instanity

Re: IP Spoofing !!

Wed Apr 17, 2013 7:50 am

from the Wikipedia page:

    TCPCT support was partly merged into the Linux kernel in December 2009, and is included in the 2.6.33 release

so I would think trying to find some Linux-based appliance that runs that kernel version or higher would be the only way to implement SYN cookies. If you can't find one, it'd be time to build one.

TCPCT was designed for DNSSEC, so if an appliance supports DNSSEC, it should support TCPCT.

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Sat Apr 20, 2013 9:33 am

ristau5741 wrote: from the Wikipedia page:

    TCPCT support was partly merged into the Linux kernel in December 2009, and is included in the 2.6.33 release

so I would think trying to find some Linux-based appliance that runs that kernel version or higher would be the only way to implement SYN cookies. If you can't find one, it'd be time to build one.

TCPCT was designed for DNSSEC, so if an appliance supports DNSSEC, it should support TCPCT.

I am going to try, thanks.
Actually I found a lot of material on the web regarding that; it is all for Linux and it needs time to investigate.

Regards

wintermute000
Ultimate Member
Posts: 970
Joined: Mon Jan 14, 2013 10:40 pm
Certs: CCNP R&S, CCNP Sec, CCNP Voice, CCDP, SATP

Re: IP Spoofing !!

Sun Apr 21, 2013 4:10 am

To stop a DDoS from unknown Internet addresses the best way is to move your web-facing hosting behind something like Cloudflare, who basically put a bunch of IPS and secret sauce logically in front of your resources.

Or dive in deep with firewalls and IPSes and do it yourself. Inspection, reputation-based blacklisting, threshold-based inline denies at a minimum. You won't do as good a job as someone like Cloudflare, but you maintain complete control and keep all your traffic local, at the price of what is going to be some pretty mean hardware, vendor subscriptions and the complexity/time. I'd also put all your web servers behind load balancers/proxies with some serious grunt that can proxy the worst of the load away from your actual servers. You're going to need some serious firepower to overwhelm, say, an F5 behind a proper IPS and firewall.

Heck, as you're a CCNP Sec you should probably be pretty aware of all this anyway.

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Sun Apr 21, 2013 5:47 am

wintermute000 wrote: To stop a DDoS from unknown Internet addresses the best way is to move your web-facing hosting behind something like Cloudflare, who basically put a bunch of IPS and secret sauce logically in front of your resources.

Or dive in deep with firewalls and IPSes and do it yourself. Inspection, reputation-based blacklisting, threshold-based inline denies at a minimum. You won't do as good a job as someone like Cloudflare, but you maintain complete control and keep all your traffic local, at the price of what is going to be some pretty mean hardware, vendor subscriptions and the complexity/time. I'd also put all your web servers behind load balancers/proxies with some serious grunt that can proxy the worst of the load away from your actual servers. You're going to need some serious firepower to overwhelm, say, an F5 behind a proper IPS and firewall.

Heck, as you're a CCNP Sec you should probably be pretty aware of all this anyway.


Thanks for your comment, I am gona check Cloudflare.

mustafa_kaiiali
New Member
Posts: 29
Joined: Tue Apr 16, 2013 7:28 am
Certs: CCNP Security

Re: IP Spoofing !!

Sun Apr 21, 2013 5:56 am

Regarding SYN cookies, I have tested it on CentOS 6.3.

It was very easy to implement. We can activate it by just executing the following command:

    # sysctl -w net.ipv4.tcp_syncookies=1

To check its current status:

    # sysctl net.ipv4.tcp_syncookies

I launched a SYN flood attack from BT5 with random source IP addresses. If I set net.ipv4.tcp_syncookies=0, the server goes down. If I set net.ipv4.tcp_syncookies=1, the server remains up and healthy even though the attack is running :)

ristau5741
Post Whore
Posts: 10504
Joined: Tue Aug 21, 2007 2:15 pm
Certs: Instanity

Re: IP Spoofing !!

Tue Apr 30, 2013 4:28 pm

just as a last note

TCP Intercept - the ASA intercepts the TCP SYN and responds with a SYN-ACK whose sequence number is set to a cookie.
The cookie is an authenticated hash of parts of the TCP header; therefore the appliance
does not need to keep state information. The legitimate client completes the handshake
by sending an ACK with the acknowledgement number set to cookie+1. If the cookie is authentic,
the security appliance proxies the TCP session to the server.

so by this it appears that the state table never fills up.
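
The summary above and the earlier SYN cookie suggestion describe the same stateless handshake; here it is worked through as an added example, not code from the thread or from any Cisco or Linux implementation. The cookie layout (5 bits of a coarse time counter, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple, the client's ISN and the counter) follows the general scheme on the Wikipedia page linked in the thread, with a constructed secret and an explicit `tick` argument so runs are deterministic; the addresses and ports are constructed. The point to watch is that `on_syn` stores nothing, so a flood of spoofed SYNs creates no state, while a forged or replayed ACK fails the keyed-hash check or the age check.

```python
import hashlib
import hmac
import ipaddress
import random
import struct

# Assumption: a real stack uses a per-boot random secret; this one is constructed.
SECRET = b"constructed-example-secret-not-for-production"

# Cookie layout inside the 32-bit server ISN:
#   bits 31..27  tick (coarse time counter) mod 32
#   bits 26..24  index into MSS_TABLE
#   bits 23..0   keyed hash over (src, dst, sport, dport, client ISN, tick)
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(src, dst, sport, dport, client_isn, tick, secret=SECRET):
    """24-bit truncation of HMAC-SHA256 over the 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed,
                      sport, dport, client_isn & 0xFFFFFFFF, tick & 0xFFFFFFFF)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, client_isn, mss, tick):
    """Server ISN to send in the SYN-ACK. Nothing is stored."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table MSS the client allows
        if m <= mss:
            idx = i
    mac = int.from_bytes(_mac24(src, dst, sport, dport, client_isn, tick), "big")
    return ((tick & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(src, dst, sport, dport, client_isn, ack, tick, max_age=1):
    """Validate the ACK of a handshake we kept no state for.
    Returns the MSS encoded in the cookie, or None if the cookie is bad or
    older than `max_age` ticks (which also bounds replay of a captured ACK)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick_in, idx = cookie >> 27, (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        t = tick - age
        if (t & 0x1F) == tick_in and hmac.compare_digest(
                mac, _mac24(src, dst, sport, dport, client_isn, t)):
            return MSS_TABLE[idx]
    return None


class SynCookieListener:
    """Server side with SYN cookies always on: no half-open table exists."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}             # only completed handshakes use memory

    def on_syn(self, src, sport, client_isn, mss, tick):
        return make_cookie(src, self.addr, sport, self.port, client_isn, mss, tick)

    def on_ack(self, src, sport, seq, ack, tick):
        # The ACK carries seq = client ISN + 1, so the ISN is recoverable.
        mss = check_cookie(src, self.addr, sport, self.port,
                           (seq - 1) & 0xFFFFFFFF, ack, tick)
        if mss is not None:
            self.established[(src, sport)] = mss
        return mss


def spoofed_syn_flood(listener, count, tick, seed=1):
    """SYNs from random (constructed) sources that never ACK; returns the number
    of connection entries they managed to create."""
    rng = random.Random(seed)
    for _ in range(count):
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        listener.on_syn(src, rng.randrange(1024, 65536), rng.getrandbits(32), 1460, tick)
    return len(listener.established)


if __name__ == "__main__":
    srv = SynCookieListener("192.0.2.10", 80)
    print("entries after 100000 spoofed SYNs:", spoofed_syn_flood(srv, 100000, tick=100))
    isn = srv.on_syn("203.0.113.7", 40000, client_isn=1000, mss=1460, tick=100)
    print("legit ACK:", srv.on_ack("203.0.113.7", 40000, 1001, (isn + 1) & 0xFFFFFFFF, 100))
    print("forged ACK:", srv.on_ack("203.0.113.7", 40000, 1001, (isn + 2) & 0xFFFFFFFF, 100))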
