Subject: 16. How can I protect against IP spoofing attacks?

Answer from Andrew W. Donoho:
> Here is an augmented version of my "IP Spoofing" filter for an
> Ascend Pipeline 50 ISDN <-> Ethernet router. Since I am a novice at this
> game, I decided to see what other vendors' filters look like. So far, I
> have only examined Livingston's filters. In their filters, I discovered
> that they use a different output filter than I originally published. I
> believe that their filter tries to defeat a "bounceback" packet. I am
> defining a bounceback packet as one that, because of its destination
> address, will be immediately routed back to your network. I have added
> it to my filter scheme.
>
> My filter scheme tries to implement the following policy (this is
> for my 16 IP address subnet):
>
> On input:
> deny packets from the outside that claim to be from the inside.
> (deny from xxx.xxx.xxx.xxx/28)
> Allow everything that isn't spoofing us.
> Implicit deny all other packets.
>
> On output:
> deny "bounceback" packets
> (deny to xxx.xxx.xxx.xxx/28)
> allow packets that come from us. <- Truth in Packet Addressing!
> (allow from xxx.xxx.xxx.xxx/28)
> Implicit deny all other packets.
>
> The truth in packet addressing filter is not strictly needed (the
> CERT approved Livingston filters don't do it) but I think that it is
> useful in limiting the degrees of freedom that a hacker might have if
> he set up shop on my subnet. I don't want my subnet to be a source of
> spoofing attacks.
>
> I would appreciate any feedback on this spoofing policy and code.
> And since I am a novice, a "this looks OK to me" comment is especially
> desired. Of course, a go back to the drawing board comment is also
> appreciated.
>
> After loading into your PL50 please edit the addresses and masks to meet
> your needs. The mask is currently: 255.255.255.240 and the address is my
> subnet: 199.183.109.224. These addresses occur in In Filter 01 and in Out
> Filters 01 & 02.
>
> ---- Begin Included Ascend PL50 Filter Profile ----
[further quote marks removed to make copying/pasting easier -ddl]
START=FILT=200=3
Name=IP_Spoofing
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Generic...Length=65535
In filter 01...Generic...Mask=c7b76de000000000
In filter 01...Generic...More=
In filter 01...Ip...Src Mask=255.255.255.240
In filter 01...Ip...Src Adrs=199.183.109.224
In filter 02...Valid=Yes
In filter 02...Generic...Forward=Yes
In filter 02...Ip...Forward=Yes
Out filter 01...Valid=Yes
Out filter 01...Type=IP
Out filter 01...Generic...Mask=00000000fffffff0
Out filter 01...Generic...Value=c7b76de000000000
Out filter 01...Ip...Dst Mask=255.255.255.240
Out filter 01...Ip...Dst Adrs=199.183.109.224
Out filter 02...Valid=Yes
Out filter 02...Type=IP
Out filter 02...Generic...Forward=Yes
Out filter 02...Generic...Length=65535
Out filter 02...Generic...Mask=c7b76de000000000
Out filter 02...Generic...More=
Out filter 02...Ip...Forward=Yes
Out filter 02...Ip...Src Mask=255.255.255.240
Out filter 02...Ip...Src Adrs=199.183.109.224
END=FILT=200=3
END DOWNLOAD
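An added example, not part of the FAQ or of Andrew Donoho's post, that models the input/output policy above in Python so the verdicts can be checked against sample traffic: the subnet 199.183.109.224/28 and mask 255.255.255.240 are the ones quoted in the post; the packet samples are constructed.

```python
"""Added example (not from the FAQ or the quoted post): a software model of the
anti-spoofing policy, applied to constructed packets. Subnet values are the
ones quoted in the post; the sample traffic below is constructed."""
import ipaddress

# The inside subnet from the post: 199.183.109.224, mask 255.255.255.240 (/28)
INSIDE = ipaddress.ip_network("199.183.109.224/28")


def is_inside(addr: str) -> bool:
    """True if addr falls within the protected /28."""
    return ipaddress.ip_address(addr) in INSIDE


def filter_inbound(src: str, dst: str) -> str:
    """Input filter: a packet arriving from the outside that claims an inside
    source address is spoofed and dropped; anything else is forwarded."""
    if is_inside(src):
        return "deny"          # In filter 01: deny from <inside>/28
    return "allow"             # In filter 02: forward everything else


def filter_outbound(src: str, dst: str) -> str:
    """Output filter: drop 'bounceback' packets addressed back to our own
    subnet, then pass only packets that truthfully carry an inside source
    ('truth in packet addressing'); everything else is implicitly denied."""
    if is_inside(dst):
        return "deny"          # Out filter 01: deny to <inside>/28 (bounceback)
    if is_inside(src):
        return "allow"         # Out filter 02: allow from <inside>/28
    return "deny"              # implicit deny: a spoofed source leaving our net


def evaluate(packets):
    """Run each (direction, src, dst) triple through the matching filter and
    return (direction, src, dst, verdict) tuples for the whole sample set."""
    verdicts = []
    for direction, src, dst in packets:
        check = filter_inbound if direction == "in" else filter_outbound
        verdicts.append((direction, src, dst, check(src, dst)))
    return verdicts


# Constructed sample traffic (not real captures).
SAMPLE = [
    ("in",  "199.183.109.230", "199.183.109.226"),  # outside claims inside src
    ("in",  "192.0.2.10",      "199.183.109.226"),  # legitimate inbound
    ("out", "199.183.109.226", "199.183.109.230"),  # bounceback to our subnet
    ("out", "199.183.109.226", "192.0.2.10"),       # legitimate outbound
    ("out", "10.0.0.5",        "192.0.2.10"),       # foreign source leaving us
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(*row)
```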
