
We have the following iptables rules on our web front-end boxes to prevent IP spoofing:

-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 0.0.0.0/8 -j DROP

We now want to add the rules below to further harden IP spoofing prevention:

-A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 240.0.0.0/5 -j DROP

Do you suggest adding the above rules on a production box running Apache httpd as a reverse proxy? This production box is behind an F5 load balancer.

Also, do we need to enable the below kernel parameters for the above rules to work effectively?

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
Zama Ques
  • Did you get hit by such an attack? I ask because many ISPs enforce anti-spoofing rules now (preventing forged IPs from coming out of their network). Thus for me the risk now is more a botnet attack, which could be stopped more easily with an add-on like fail2ban – yagmoth555 Dec 26 '16 at 13:09
  • We are adding these rules as a preventive measure. Will check on fail2ban – Zama Ques Dec 26 '16 at 13:40
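Before reading the answers, here is a quick sanity check of the rule list exactly as posted above. This is an added example, not part of the question or of either answer; it is stdlib Python (`ipaddress`, `re`) and the rule strings are copied from the question. It checks two things a reviewer would want to see before such rules reach a production box: that every LOG rule is immediately followed by a DROP for the same prefix (and every DROP preceded by its LOG), and whether any prefix is contained in another, since 224.0.0.0/3 spans 224.0.0.0 through 255.255.255.255 and therefore already covers both 240.0.0.0/5 and 255.0.0.0/8.

```python
"""Lint the anti-spoofing iptables rules quoted in the question (added example)."""
import ipaddress
import re

# Only the plain "-A <chain> -s <prefix> -j <LOG|DROP> ..." shape used in the
# question is accepted; anything else raises, so a typo cannot slip through.
RULE_RE = re.compile(r"^-A\s+(\S+)\s+-s\s+(\S+)\s+-j\s+(LOG|DROP)\b")

# Copied from the question: the existing set, then the proposed additions.
# The second proposed line is reproduced as posted: a DROP for 255.0.0.0/8
# directly after the LOG for 224.0.0.0/3.
EXISTING_RULES = [
    '-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"',
    '-A INPUT -s 255.0.0.0/8 -j DROP',
    '-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"',
    '-A INPUT -s 0.0.0.0/8 -j DROP',
]
PROPOSED_RULES = [
    '-A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"',
    '-A INPUT -s 255.0.0.0/8 -j DROP',
    '-A INPUT -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"',
    '-A INPUT -s 169.254.0.0/16 -j DROP',
    '-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"',
    '-A INPUT -s 240.0.0.0/5 -j DROP',
]


def parse_rules(lines):
    """Turn rule strings into (chain, network, target) tuples."""
    parsed = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        chain, prefix, target = m.groups()
        parsed.append((chain, ipaddress.ip_network(prefix), target))
    return parsed


def mispaired_rules(lines):
    """Return (index, prefix, problem) for LOG rules not followed by a DROP of
    the same prefix and for DROP rules not preceded by a LOG of the same prefix."""
    rules = parse_rules(lines)
    problems = []
    for i, (_chain, net, target) in enumerate(rules):
        if target == "LOG":
            nxt = rules[i + 1] if i + 1 < len(rules) else None
            if nxt is None or nxt[2] != "DROP" or nxt[1] != net:
                problems.append((i, str(net), "LOG not followed by DROP of same prefix"))
        else:
            prev = rules[i - 1] if i > 0 else None
            if prev is None or prev[2] != "LOG" or prev[1] != net:
                problems.append((i, str(net), "DROP not preceded by LOG of same prefix"))
    return problems


def overlapping_prefixes(lines):
    """Return (narrower, wider) pairs of distinct prefixes where one contains the other."""
    seen = []
    for _chain, net, _target in parse_rules(lines):
        if net not in seen:
            seen.append(net)
    pairs = []
    for i, a in enumerate(seen):
        for b in seen[i + 1:]:
            if a.subnet_of(b):
                pairs.append((str(a), str(b)))
            elif b.subnet_of(a):
                pairs.append((str(b), str(a)))
    return pairs


def lint(lines):
    """Human-readable findings for a rule list."""
    findings = [f"rule {i}: {prefix}: {why}" for i, prefix, why in mispaired_rules(lines)]
    findings += [f"{narrow} is already inside {wide}" for narrow, wide in overlapping_prefixes(lines)]
    return findings


if __name__ == "__main__":
    for finding in lint(EXISTING_RULES + PROPOSED_RULES):
        print(finding)
```

Run against the existing rules plus the proposed ones, the linter reports that the 224.0.0.0/3 LOG rule has no matching DROP (and the 255.0.0.0/8 DROP that follows it has no matching LOG), and that 255.0.0.0/8 and 240.0.0.0/5 are both inside 224.0.0.0/3, so keeping the /3 makes those two rules redundant. Note also that 240.0.0.0/5 only covers 240.0.0.0 through 247.255.255.255, half of the 240.0.0.0/4 block that Ron Maupin's comment below cites as Reserved.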

2 Answers


The rules you've added are a good example of "cargo cult".

Anti-spoofing measures are to be taken at gateways (routers); gateways are the proper devices because they actually have routing information. Servers typically don't have this info. Often servers have just a single channel and a default route towards it. If they happen to get a request they should serve it unless they have some ACLs ("those URLs are to be accessed from that IP range only" and so on). OTOH when servers have public and private networks and there's a policy to keep those networks separated, rp_filter can be used to achieve it automatically. Note that nowadays netfilter has such an extension as well; sysctl isn't the only way to implement it.

IP spoofing is often used for DoS attacks. Attackers "inject" initiating packets into the network using the victim's IP address as their source. Their purpose is to make your server respond, sending answers to the victim. Your server won't be able to find out if the requests it's getting carry a spoofed IP; it won't be any strange IP like 0.2.3.4 that your firewall rules are filtering out. If your server is getting spoofed requests from the Internet, it's generally not something you can solve at the "last mile" unless you know exactly that it's spoofed, and typically you can only know that if your own public IPs are being used as the source.

Spoofing itself isn't a matter of "hey, look, they've used 0.2.3.4 source IP in requests, now we're all doomed unless we drop such packets".

poige
  • **Detecting** is something you're getting **alerts** about consequentially or do at least keep records in regards. What I'm saying is on most of the systems with one network card anti-spoofing measures are pure non-sense. On gateways though with multiple NICs you can do that if needed, but there's also a case of asymmetrical routing — sometimes that won't allow it except for "loose mode" which isn't tight enough often anyways. – poige Jul 28 '19 at 05:01
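To make the point of this answer concrete, here is a small Python model of what `net.ipv4.conf.*.rp_filter` actually decides: whether the route back to a packet's source leaves via the interface the packet arrived on (strict, value 1) or merely exists (loose, value 2). This is an added example, not the answer's own code; the routing tables, interface names (`eth0`, `eth1`) and addresses are constructed for illustration, and the model ignores the kernel's special cases for local, broadcast and multicast sources.

```python
"""Model of Linux reverse-path filtering (net.ipv4.conf.*.rp_filter), added example."""
import ipaddress

# Constructed routing tables for three hypothetical hosts: (prefix, outgoing interface).
SINGLE_NIC = [("0.0.0.0/0", "eth0")]                 # a typical web front-end
DUAL_HOMED = [
    ("203.0.113.0/24", "eth0"),   # public side (documentation range)
    ("10.20.0.0/16", "eth1"),     # private backend network
    ("0.0.0.0/0", "eth0"),
]
ASYMMETRIC = [
    ("198.51.100.0/24", "eth0"),  # replies to this peer go out eth0 ...
    ("0.0.0.0/0", "eth1"),        # ... but the peer's packets may arrive on eth1
]

STRICT, LOOSE = 1, 2   # rp_filter sysctl values; 0 disables the check


def route_lookup(table, addr):
    """Longest-prefix match; returns the outgoing interface, or None if unroutable."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def rp_filter(table, src, in_iface, mode):
    """Return 'accept' or 'drop' for a packet with source `src` arriving on `in_iface`.

    Strict (1): the route back to `src` must leave via `in_iface`.
    Loose  (2): any route back to `src` is enough.
    Simplified: the kernel's real check also special-cases local, broadcast
    and multicast sources, which are not modelled here.
    """
    if mode == 0:
        return "accept"
    out_iface = route_lookup(table, src)
    if out_iface is None:
        return "drop"          # no route back at all fails both strict and loose
    if mode == LOOSE:
        return "accept"
    return "accept" if out_iface == in_iface else "drop"


def demo():
    """Cases that map onto the points made in the answer."""
    return {
        # One NIC and a default route: even an obviously bogus source passes,
        # because the reverse route always points back out eth0.
        "single_nic_bogus_src": rp_filter(SINGLE_NIC, "0.2.3.4", "eth0", STRICT),
        # Dual-homed host: a private source showing up on the public side is
        # dropped in strict mode, but loose mode lets it through.
        "dual_homed_private_on_public_strict": rp_filter(DUAL_HOMED, "10.20.5.6", "eth0", STRICT),
        "dual_homed_private_on_public_loose": rp_filter(DUAL_HOMED, "10.20.5.6", "eth0", LOOSE),
        "dual_homed_private_on_private_strict": rp_filter(DUAL_HOMED, "10.20.5.6", "eth1", STRICT),
        # Asymmetric routing: strict mode drops a legitimate peer, loose does not.
        "asymmetric_strict": rp_filter(ASYMMETRIC, "198.51.100.7", "eth1", STRICT),
        "asymmetric_loose": rp_filter(ASYMMETRIC, "198.51.100.7", "eth1", LOOSE),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:40s} {verdict}")
```

The single-NIC case is the one that matters for the question: with one interface and a default route, rp_filter never drops anything, so turning it on does not make the iptables rules "work" any better; those rules match on their own in the INPUT chain, while rp_filter (and `log_martians`) acts in the routing input path before INPUT is reached. The netfilter equivalent the answer mentions is the `rpfilter` match, e.g. `iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP` (add `--loose` for loose mode), which allows the same decision per rule instead of per interface.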

The only issue that I see in this would be that if a request from 240.0.0.0 WAS legit, it would then be blocked, not allowing it to reach the server.

With IP spoofing, it's really difficult to know if it is a spoof or not, since one can generate a legit address (speaking as a programmer).

The only option that would be more "safe" would be to only block the specific addresses that are flooding your servers.

xR34P3Rx
  • 244.0.0.0 is reserved for future use. As per many docs I read, it was suggested that an IP packet within this range is most likely to be a spoofed IP – Zama Ques Dec 26 '16 at 12:13
  • hmm. ok yea, now thinking about it, because IP addresses are divided into classes, it actually should be OK after all. – xR34P3Rx Dec 26 '16 at 12:22
  • https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=ipv4%20classes anything past class D should be ok to block – xR34P3Rx Dec 26 '16 at 12:23
  • 1
    @xR34P3Rx, "_IP addresses are divided into classes_," classful networking is dead, killed in 1993 by RFCs 1518 and 1519. Please let it rest in peace. Modern networking doesn't use IP classes, only CIDR (_Classless_ Inter-Domain Routing) ranges. See [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml). The `240.0.0.0/4` range is **Reserved**. – Ron Maupin Dec 26 '16 at 14:51
  • well this is new. I don't remember learning this in school. – xR34P3Rx Dec 26 '16 at 17:08