Prevent Spoofing Attacks on Cisco ASA using RPF
A common attack found on TCP/IP networks is IP spoofing. This is usually used for Denial-of-Service, Identity hiding, or even to bypass firewalls or Access-Lists security rules. The spoofing attack works like that:
Lets see the diagram below to clarify the concept of Reverse Path Forwarding:
From the diagram above, an attacker tries to spoof the inside network 192.168.1.0 by using a fake source IP in the packet (fake source IP 192.168.1.1). It sends the packet towards its target host which is 192.168.1.10 (destination address in packet).
On the ASA we have configured RPF on the outside interface as following:
Ciscoasa(config)# ip verify reverse-path interface outside
The ASA will examine the source address of the spoofed inbound packet and will see that source IP 192.168.1.1 belongs to its internal network. A packet with such a source IP should never arrive from the outside interface. Therefore the packet will be dropped. The ASA performs the RPF check by using its routing table. The routing table shows that network 192.168.1.0/24 is towards the inside interface of ASA (assume that we have already configured a static route for this internal network).
- A malicious attacker sends packets towards a target host.
- The attacker disguises itself by inserting a fake source IP into the packet. This fake source IP address in the packet either does not exist at all or it might be a legitimate IP address of some other host located on some other network.
- The reply traffic from the target will never reach the attacker because the attacker’s source address is bogus. Therefore the identity of the attacker remains unknown.
- This can cause resource-exhaustion on the target host because it will create several “incomplete” TCP connections in its memory.
Lets see the diagram below to clarify the concept of Reverse Path Forwarding:
From the diagram above, an attacker tries to spoof the inside network 192.168.1.0 by using a fake source IP in the packet (fake source IP 192.168.1.1). It sends the packet towards its target host which is 192.168.1.10 (destination address in packet).
On the ASA we have configured RPF on the outside interface as following:
Ciscoasa(config)# ip verify reverse-path interface outside
The ASA will examine the source address of the spoofed inbound packet and will see that source IP 192.168.1.1 belongs to its internal network. A packet with such a source IP should never arrive from the outside interface. Therefore the packet will be dropped. The ASA performs the RPF check by using its routing table. The routing table shows that network 192.168.1.0/24 is towards the inside interface of ASA (assume that we have already configured a static route for this internal network).
0 comments:
Post a Comment