TL;DR
IP spoofing is a real threat, but packet filtering (using firewalls and routers) significantly reduces its success rate. While exact statistics are hard to come by due to the nature of attacks being hidden, studies show that well-configured ingress/egress filtering can block up to 90% of spoofed packets. This guide explains how it works and what you need to do.
Understanding IP Spoofing
IP spoofing happens when someone fakes the ‘return address’ (source IP) on internet packets. They pretend to be someone else to hide their identity, launch attacks like DDoS, or gain unauthorised access. It’s a bit like sending a letter with a false return address.
How Packet Filtering Helps
Packet filtering examines the headers of incoming and outgoing network packets. It checks if the source IP address is valid and allowed based on pre-defined rules. This is done by firewalls, routers, and sometimes even your operating system.
Steps to Prevent IP Spoofing with Packet Filtering
1. Ingress Filtering: Block incoming packets whose source addresses could not legitimately have come from the network they arrived on. This is the most important step.
  - Most ISPs (Internet Service Providers) now perform ingress filtering as a standard practice, preventing packets with source IP addresses outside their allocated address ranges from entering the internet.
  - You can verify this by checking if your ISP supports BCP38 (see Step 4).
2. Egress Filtering: Block outgoing packets whose source addresses do not belong to your network.
  - Configure your firewall to only allow outbound traffic with source IP addresses belonging to your legitimate address range.
  - This prevents internal systems compromised by malware from sending spoofed packets.
3. Firewall Configuration (example using iptables on Linux):

  sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT   # Allow traffic from your internal network
  sudo iptables -A INPUT ! -s 192.168.1.0/24 -j DROP   # Drop everything else (adjust IP range)

  Important: Replace ‘192.168.1.0/24’ with your actual internal network address range. Current iptables versions require the negation before the option (`! -s`); the older `-s !` form is rejected.
4. Check for BCP38 Support from Your ISP:
  - BCP38 is a best practice that ISPs should implement to filter spoofed packets.
  - You can use online tools or contact your ISP directly to ask if they support it. A simple traceroute can sometimes indicate BCP38 filtering.

  traceroute 8.8.8.8

  If the first hop is *not* within your ISP’s network, it suggests they are not performing proper ingress filtering.
5. Router Access Control Lists (ACLs):
  - Configure ACLs on your router to explicitly allow or deny traffic based on source IP addresses. This is similar to firewall rules but done at the network level.
  - Consult your router’s documentation for specific instructions, as the configuration varies greatly between manufacturers (Cisco, Netgear, etc.).
6. Monitor Network Traffic:
  - Use tools like Wireshark or tcpdump to analyse network traffic and identify suspicious packets with invalid source IP addresses.
  - Regularly review firewall logs for blocked spoofed attempts.
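The ingress and egress rules described in Steps 1 to 3, and the log review in Step 6, come down to one decision per packet: given the interface it arrived on and the source address it claims, is that combination possible? The following added example (not code from the original guide) implements that decision in Python over constructed packet records and constructed log lines. The interface names lan0 and wan0, the prefix 192.168.1.0/24, the short bogon list and the sample traffic are all assumptions made for the demonstration. Note what distinguishes it from the iptables lines above: the rule is keyed on the arrival interface, so a packet from the Internet claiming an internal source is dropped while ordinary Internet traffic is still accepted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology for this example: lan0 faces the internal network,
# wan0 faces the ISP. Replace the prefix with your own address range.
LAN_IFACE = "lan0"
WAN_IFACE = "wan0"
INTERNAL_PREFIXES = [ip_network("192.168.1.0/24")]

# Source ranges that can never legitimately arrive from the Internet
# (RFC 1918 private space, loopback, link-local, "this" network).
# Constructed and not exhaustive; a production bogon list is longer.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet was received on
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(pkt):
    """Return (verdict, reason) for one packet.

    Ingress (arrived on wan0): drop anything claiming an internal or bogon
    source, because no such packet can legitimately come from the ISP side.
    Egress (arrived on lan0, heading out): drop anything whose source is not
    one of our own prefixes, which is what a compromised internal host
    would emit. Unknown interfaces and unparseable addresses fail closed.
    """
    try:
        src = ip_address(pkt.src)
    except ValueError:
        return "DROP", "unparseable source address"

    if pkt.iface == WAN_IFACE:
        if _in_any(src, INTERNAL_PREFIXES):
            return "DROP", "ingress: external packet claims internal source"
        if _in_any(src, BOGON_PREFIXES):
            return "DROP", "ingress: bogon source from Internet side"
        return "ACCEPT", "ingress: plausible external source"

    if pkt.iface == LAN_IFACE:
        if not _in_any(src, INTERNAL_PREFIXES):
            return "DROP", "egress: internal host using foreign source"
        return "ACCEPT", "egress: source belongs to our range"

    return "DROP", "unknown interface"


def triage_log(lines):
    """Apply the filter to constructed log lines of the form
    'iface=<if> src=<ip> dst=<ip>' and return the DROP decisions as
    (line_number, source, reason) tuples for review."""
    drops = []
    for n, line in enumerate(lines, start=1):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        pkt = Packet(fields.get("iface", ""), fields.get("src", ""), fields.get("dst", ""))
        verdict, reason = filter_packet(pkt)
        if verdict == "DROP":
            drops.append((n, pkt.src, reason))
    return drops


# Constructed sample traffic: two legitimate flows and three spoof attempts.
SAMPLE_LOG = [
    "iface=wan0 src=203.0.113.7 dst=192.168.1.10",    # real Internet client
    "iface=wan0 src=192.168.1.5 dst=192.168.1.10",    # outsider faking an inside address
    "iface=wan0 src=10.9.9.9 dst=192.168.1.10",       # bogon source
    "iface=lan0 src=192.168.1.20 dst=198.51.100.1",   # normal outbound
    "iface=lan0 src=198.51.100.200 dst=203.0.113.9",  # compromised host spoofing outbound
]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print("line %d: DROP src=%s (%s)" % entry)
```

Run as a script it lists lines 2, 3 and 5 of the sample log as drops with their reasons. The same structure maps directly onto firewall rules: one rule set per interface, with the interface match (`-i wan0` in iptables terms) doing the work that the `iface` check does here.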
Statistics & Research
While precise numbers are difficult to obtain, here’s what research suggests:
- 90% Reduction: Studies have shown that widespread deployment of ingress filtering (BCP38) can block up to 90% of spoofed packets.
- DDoS Mitigation: Packet filtering is a crucial component in mitigating Distributed Denial-of-Service (DDoS) attacks, many of which rely on IP spoofing.
- Ongoing Threat: Despite improvements, IP spoofing remains a significant cyber security threat, particularly for older protocols like IPv4 where address allocation isn’t as tightly controlled.
Important Considerations
- Packet filtering is not a silver bullet. It’s one layer of defence in a comprehensive cyber security strategy.
- Regularly update your firewall rules and router configurations to address new threats.
- Consider using IPv6, which has built-in mechanisms to prevent IP spoofing more effectively than IPv4.

