[unisog] IPS

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 9 21:17:47 GMT 2005


On Wed, 2005-02-09 at 14:55 -0500, marchany at vt.edu wrote:
> >Umm... you can deal with spoofed packets from your own network but how
> >can any router under your control know that the source address is
> >spoofed?  It can't and nor can your IPS.
> 
> One would hope your netadmins have properly set up the ACL on ALL routers to 
> trash spoofed IPs from outside your (sub)net. That restricts the spoofer and 
> spoofee to the same subnet. It doesn't prevent spoofing within the subnet but 
> at least you've narrowed the suspects down a little.

I am confused.

My understanding (I make no claims to being a network wizard) is that
for any perimeter in the network you can block two types of spoofing.
You can block incoming packets that have source addresses in the inside
of your network and you can block outbound packets that don't have
addresses that are legitimate for your network.  And yes, this should be
done anywhere where you have defined perimeters (i.e. just about every
router in any untrusted network).

I don't see how you can filter packets with spoofed *source* addresses
that are generated outside your network unless the addresses are your
own.

The point I was trying to make is that if you have an IPS between you and
the rest of the world (i.e. your outer border) then you have no way of
knowing if any particular packet is from a spoofed source address or not
unless it is part of an established TCP stream.  And then there is the
issue of packet insertion which should not be a big risk so long as the
TCP stacks generate reasonable ISNs.  I am assuming here that your
border router is filtering incoming packets with source addresses in the
internal network.

Russell
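
The perimeter filtering discussed in the message above, as an added example that is not part of the original post: a small model of the two checks a border can make and of the case it cannot decide. The prefixes, sample packets and function names are constructed for illustration (documentation address ranges stand in for the inside network).

```python
import ipaddress

# Constructed inside prefixes (documentation ranges) standing in for "your network".
INSIDE = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]

def is_inside(addr):
    """True if addr falls in any inside prefix of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INSIDE)

def border_verdict(direction, src):
    """Return (action, reason) for a packet crossing the perimeter.

    direction is "in" (arriving from outside) or "out" (leaving the inside).
    Only the claimed source address is available to the filter.
    """
    inside = is_inside(src)
    if direction == "in":
        if inside:
            return ("drop", "inbound packet claims an inside source: spoofed")
        return ("pass", "outside source: cannot be verified at this perimeter")
    if direction == "out":
        if not inside:
            return ("drop", "outbound source is not legitimate for this network")
        return ("pass", "source is legitimate for this network")
    raise ValueError("direction must be 'in' or 'out'")

# Constructed sample packets: (direction, claimed source, what really happened).
SAMPLES = [
    ("in", "192.0.2.77", "outside host forging one of our addresses"),
    ("out", "198.51.100.9", "inside host forging an outside address"),
    ("out", "192.0.2.14", "ordinary inside host"),
    ("in", "203.0.113.5", "genuine outside host"),
    ("in", "203.0.113.5", "outside host forging another outside address"),
]

def run(samples=SAMPLES):
    """Attach the filter's verdict to each sample."""
    return [(d, s, truth) + border_verdict(d, s) for d, s, truth in samples]

if __name__ == "__main__":
    for d, s, truth, action, reason in run():
        print(f"{d:3} {s:15} {action:4} {reason}  [{truth}]")
```

The last two samples receive the same verdict because the filter sees only the claimed source address, which is identical in both.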