Prevention Techniques
How to prevent your network from being the source of the attack:
- Apply filters to each customer network
  - Allow only those packets with source addresses within the customer’s assigned netblocks to enter your network
- Apply filters to your upstreams
  - Allow only those packets with source addresses within your netblocks to exit your network, to protect others
  - Deny those packets with source addresses within your netblocks from coming into your network, to protect your network
This removes the possibility of your network being used as a source for the many attacks which rely on anonymity (spoofed source addresses).
Notes:
- Filter customers’ networks so that they can only send you traffic whose source addresses fit within their assigned network blocks. For example, if you have assigned a customer the network block 172.16.15.0 with netmask 255.255.255.0, the following Cisco ACL, applied inbound on the customer’s interface, keeps them from sending source-spoofed packets through your network and logs any attempts:
    access-list 101 permit ip 172.16.15.0 0.0.0.255 any
    access-list 101 deny ip any any log
    !
    ! Or the customer's incoming interface
    interface Serial1
     ip access-group 101 in
(Adjust ‘101’ to your access-list numbering scheme)
- Protect your own network from receiving packets on external connections whose source addresses could only legitimately belong to your internal machines. For instance, if your upstream has assigned you the network block 192.168.1.0 with netmask 255.255.255.0, use the following Cisco ACL:
    access-list 199 deny ip 192.168.1.0 0.0.0.255 any
    access-list 199 permit ip any any
    !
    ! Our internet gateway's interface to the Internet
    interface Serial0
     ip access-group 199 in
- Protect others by ensuring that the packets you send out to external networks carry only your own source addresses. For instance, continuing the second example above, we would ensure that only packets with source addresses in 192.168.1.x can exit our network:
    access-list 198 permit ip 192.168.1.0 0.0.0.255 any
    access-list 198 deny ip any any
    !
    ! Our internet gateway's interface to the Internet
    interface Serial0
     ip access-group 198 out
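The three filters above follow one pattern: a customer-facing ingress filter that permits only the customer's blocks, an Internet-facing ingress filter that denies your own blocks, and an Internet-facing egress filter that permits only your own blocks. The following Python script is an added example, not part of the original page or of any vendor's software. It models those three filters, generates the equivalent Cisco-style ACL text (including the wildcard mask, which is the bitwise inverse of the netmask), and evaluates constructed packet sources against each filter so the effect of every rule can be checked before it is pushed to a router. The netblocks and addresses are constructed for illustration; 172.16.15.0/24 and 192.168.1.0/24 mirror the page's examples and the 10.20.0.0/22 block is added only to show a wildcard mask other than 0.0.0.255.

```python
# Added example (not from the original page): model the three anti-spoofing
# filters, generate the matching Cisco-style ACL text, and check constructed
# packet sources against each filter.
import ipaddress
from typing import Callable, Iterable, List

Net = ipaddress.IPv4Network

# Constructed sample netblocks (hypothetical assignments, not a real network).
CUSTOMER_BLOCKS = [Net("172.16.15.0/24"), Net("10.20.0.0/22")]
OUR_BLOCKS = [Net("192.168.1.0/24")]


def wildcard(net: Net) -> str:
    """Cisco ACLs take a wildcard mask, the bitwise inverse of the subnet
    mask; ipaddress exposes exactly that value as the hostmask."""
    return str(net.hostmask)


def customer_ingress_acl(number: int, blocks: Iterable[Net]) -> List[str]:
    """Inbound on the customer's interface: permit only sources inside the
    assigned blocks, deny and log everything else."""
    lines = [f"access-list {number} permit ip {b.network_address} {wildcard(b)} any"
             for b in blocks]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


def upstream_ingress_acl(number: int, blocks: Iterable[Net]) -> List[str]:
    """Inbound on the Internet-facing interface: drop packets that claim one
    of our own source addresses, allow the rest."""
    lines = [f"access-list {number} deny ip {b.network_address} {wildcard(b)} any"
             for b in blocks]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def egress_acl(number: int, blocks: Iterable[Net]) -> List[str]:
    """Outbound on the Internet-facing interface: let only our own source
    addresses leave."""
    lines = [f"access-list {number} permit ip {b.network_address} {wildcard(b)} any"
             for b in blocks]
    lines.append(f"access-list {number} deny ip any any")
    return lines


def source_inside(src: str, blocks: Iterable[Net]) -> bool:
    """True when the packet's source address falls inside one of the blocks."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in b for b in blocks)


# Decision functions with the same semantics as the three ACLs above.
def customer_ingress_permits(src: str, blocks: Iterable[Net]) -> bool:
    return source_inside(src, blocks)


def upstream_ingress_permits(src: str, blocks: Iterable[Net]) -> bool:
    return not source_inside(src, blocks)


def egress_permits(src: str, blocks: Iterable[Net]) -> bool:
    return source_inside(src, blocks)


def dropped(sources: Iterable[str], blocks: Iterable[Net],
            permits: Callable[[str, Iterable[Net]], bool]) -> List[str]:
    """Return the source addresses that a given filter would discard."""
    return [s for s in sources if not permits(s, blocks)]


if __name__ == "__main__":
    for line in customer_ingress_acl(101, CUSTOMER_BLOCKS):
        print(line)
    # Constructed packet sources: two legitimate customer hosts and one
    # spoofed address outside the customer's assignment.
    print(dropped(["172.16.15.7", "10.20.1.9", "198.51.100.4"],
                  CUSTOMER_BLOCKS, customer_ingress_permits))
```

The decision functions are deliberately written as the positive condition (is the source inside the block list?) with the sense flipped only for the upstream ingress filter, which is exactly the asymmetry between the page's ACL 199 and ACLs 101 and 198: the same netblock list drives all three, so a change to an assignment only has to be made in one place.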