by Edgar C Francis
In this blog you will see how an attacker spoofs a source IP address and how to prevent spoofed IP packets from entering the network.

What is unicast reverse path forwarding?

The router uses Unicast Reverse Path Forwarding, also called the uRPF check. uRPF is a security feature that helps prevent spoofing attacks. As we all know, routers normally look up the destination IP address in the routing table when forwarding unicast IP packets and forward the packet out the matching interface. Attackers know how routers work too, so an attacker can spoof the source IP address and send packets. The uRPF feature checks the source IP address of incoming packets and looks for a matching entry in the routing table. If an entry is found, the router forwards the packet; if no entry is found in the routing table, the router drops the packet.
Unicast reverse path forwarding has two modes:

Strict mode – in this mode the router performs two checks: first, it checks that the source IP address has a matching entry in the routing table; second, it checks that the packet arrived on the interface the router would itself use to reach that source IP address.

Loose mode – in this mode the router only checks that the source IP address has a matching entry in the routing table.
Let's take the example of our topology.

In this topology we have an attacker machine with IP 192.168.1.10 in one network and the victim PC1 with IP 10.1.1.10 in a different network. The attacker machine is going to send ICMP packets with the spoofed source IP address 100.100.100.100 to PC1. Router 1 will forward this packet because the router only looks up the destination, and remember that we have not configured unicast RPF yet. Router 2 will do the same. PC1 will receive the ICMP requests and reply continuously to the spoofed address. To prevent this attack we are going to configure uRPF on the router 2 serial 4/0 interface, after which the spoofed IP packets will no longer be forwarded.

(Before starting this lab: this blog is only for study purposes, please do not try this on a real device.)
R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 10.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
PC1> show ip
NAME : PC1[1]
IP/MASK : 10.1.1.10/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:00
LPORT : 10019
RHOST:PORT : 127.0.0.1:10020
MTU: : 1500
PC2> ip 10.1.1.20 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.20 255.0.0.0 gateway 10.1.1.1
PC2> show ip
NAME : PC2[1]
IP/MASK : 10.1.1.20/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:01
LPORT : 10021
RHOST:PORT : 127.0.0.1:10022
MTU: : 1500
(Configure IP 192.168.1.10/24 default-gateway 192.168.1.1 on Kali Linux)
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
Serial4/0 1.1.1.1 YES manual up up
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
Serial4/0 1.1.1.2 YES manual up up
(Configure EIGRP on both the routers)
R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 1.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit
*Feb 22 13:45:39.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency
R2(config)#router eigrp 100
R2(config-router)#network 10.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R1#show ip route eigrp
D 10.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:52, Serial4/0
R2#show ip route eigrp
D 192.168.1.0/24 [90/2172416] via 1.1.1.1, 00:03:28, Serial4/0
(Make sure the attacking machine can ping the 10.0.0.0/8 network)
(On PC1, configure Wireshark to capture packets)
(Capture packets)
Configure the spoofing attack: change the source IP 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8.
(In the screenshot of the captured traffic you see that the source IP has been changed from 192.168.1.10 to the spoofed 100.100.100.100, and that PC1 is continuously replying to the spoofed IP.)
Configure strict mode and make sure the spoofed packets are discarded.
R2(config)#interface serial 4/0
R2(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit
R2(config)#ip cef
R2(config)#exit
(Now we try the attack again)
(You notice router 2 discarding the spoofed IP packets)
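As an added illustration (example code written for this page, not part of the original blog and not Cisco's implementation), the Python below models the decision R2 makes on Serial4/0. The routing table is constructed from the lab's show ip route and show ip interface brief output; the function names lookup, urpf_check and lab_results are this example's own. Besides the blog's spoofed 100.100.100.100 packet, it also shows the case the lab does not exercise: an inside 10.0.0.0/8 address arriving from the serial link, where loose mode forwards and strict mode drops.

```python
"""uRPF decision logic, modelled in Python (added example, not the blog's code)."""
from ipaddress import ip_address, ip_network

# R2's forwarding table as the lab shows it: (prefix, egress interface).
# Constructed from the page's 'show ip route eigrp' and 'show ip interface brief'.
R2_ROUTES = [
    (ip_network("10.0.0.0/8"), "FastEthernet0/0"),    # connected LAN (PC1, PC2)
    (ip_network("1.0.0.0/8"), "Serial4/0"),           # link to R1
    (ip_network("192.168.1.0/24"), "Serial4/0"),      # learned via EIGRP from R1
]


def lookup(routes, addr):
    """Longest-prefix match on the source address; returns the egress interface or None."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_check(routes, src, in_iface, mode="rx"):
    """Return True if the packet passes uRPF, False if the router would drop it.

    mode="rx"  -> strict: a route to the source must exist AND point back out in_iface
    mode="any" -> loose : a route to the source must exist, on any interface
    Mirrors 'ip verify unicast source reachable-via {rx|any}'.
    """
    egress = lookup(routes, src)
    if egress is None:
        return False              # no route to the source at all: dropped in both modes
    if mode == "any":
        return True
    if mode == "rx":
        return egress == in_iface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def lab_results():
    """Constructed packets arriving on R2 Serial4/0, checked in both modes."""
    cases = {
        # legitimate: the Kali host's real address, route points back to Serial4/0
        "legit 192.168.1.10": ("192.168.1.10", "Serial4/0"),
        # the blog's spoofed packet: R2 has no route for 100.100.100.100
        "spoofed 100.100.100.100": ("100.100.100.100", "Serial4/0"),
        # an inside address arriving from outside: loose and strict disagree
        "inside-addr-from-outside 10.1.1.20": ("10.1.1.20", "Serial4/0"),
    }
    return {
        name: {
            "strict": urpf_check(R2_ROUTES, src, iface, "rx"),
            "loose": urpf_check(R2_ROUTES, src, iface, "any"),
        }
        for name, (src, iface) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        strict = "forward" if verdict["strict"] else "drop"
        loose = "forward" if verdict["loose"] else "drop"
        print(f"{name:38} strict={strict:8} loose={loose}")
```

Two caveats the model makes visible. The check is only as good as the routing table it consults (on IOS this is the CEF FIB, which is why the lab enables ip cef): a default route would give every source a match in loose mode, and strict mode will drop legitimate traffic wherever routing is asymmetric, so strict mode belongs on interfaces with a single path back to the sources behind them, as on R2's serial link here.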
RBAC (Role Based Access Control) is also known as role-based security. RBAC assigns access permissions to users based on their role in IT. Only the admin has complete access to the network, while the other network engineers do not need full access; some of them just need to monitor and cross-check the configuration with show commands. The admin defines what each user can access according to the user's role.
Why do we need RBAC?

RBAC reduces cybersecurity risk and protects against human error: it ensures that the users the admin defines can only access the information and perform the actions their role requires. RBAC is especially useful for large organizations.
What is the concept behind Role Based Access Control?

The admin creates a set of permissions and assigns those permissions to a user. For example, user-1 is a junior engineer at level L-1 whose role is only to monitor interface state. The admin allows user-1 only the show ip interface brief command, so user-1 can run show ip interface brief but cannot run show ip route, cannot configure anything and cannot delete anything on the device. The security level is increased because only the admin can configure and delete the configuration.
What are RBAC views?

The admin creates views, and a view defines the commands that a user can access. Mainly we have two types of view. The root view is the admin view, where you configure the other views. A superview is a view in which the admin groups multiple views (users); the superview can access all the commands the admin configured in those views. Remember that these views should be placed in the superview.
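As an added illustration (example code written for this page, not the blog's configuration and not how IOS implements parser views internally), the Python below models how the views described above decide whether a typed command is accepted. The view names and command lists are the ones this page configures for user1, user2 and the superview; the function names expand, permitted_commands and authorize, and the simplified abbreviation-matching rule, are this example's own.

```python
"""Parser-view style command authorization, modelled in Python (added example)."""

# Exec commands each view was given with 'commands exec include ...'.
# Constructed from the page's task list and user2 configuration.
VIEWS = {
    "user1": {"ping", "show ip interface brief"},
    "user2": {"show ip interface brief", "show ip route",
              "show ip protocols", "traceroute", "ping"},
}

# A superview holds no commands of its own: it grants the union of its member views.
SUPERVIEWS = {
    "superview": ["user1", "user2"],
}

# Canonical command forms this model knows about.  Real IOS matches against its
# full command tree; this list is a simplification for the example.
CANON = ["ping", "traceroute", "show ip interface brief",
         "show ip route", "show ip protocols"]


def expand(cmd):
    """Map a possibly abbreviated command ('show ip int br') to its canonical form.

    Each typed token must be a prefix of the corresponding canonical word; tokens
    beyond the canonical length are treated as arguments (e.g. 'ping 192.168.1.2').
    Returns None when nothing matches or the abbreviation is ambiguous.
    """
    tokens = cmd.split()
    matches = []
    for full in CANON:
        words = full.split()
        if len(tokens) >= len(words) and all(
            w.startswith(t) for t, w in zip(tokens, words)
        ):
            matches.append(full)
    return matches[0] if len(matches) == 1 else None


def permitted_commands(view):
    """Commands a view may run: root sees everything, a superview the union of its members."""
    if view == "root":
        return set(CANON)
    if view in SUPERVIEWS:
        return set().union(*(VIEWS[v] for v in SUPERVIEWS[view]))
    return set(VIEWS.get(view, ()))


def authorize(view, cmd):
    """True if 'cmd' typed in 'view' is accepted.

    False corresponds to the "% Invalid input detected at '^' marker." the page
    shows when user1 tries 'show ip route' or 'traceroute'.
    """
    full = expand(cmd)
    return full is not None and full in permitted_commands(view)


if __name__ == "__main__":
    for view in ("user1", "user2", "superview"):
        for cmd in ("show ip int br", "show ip route", "traceroute 192.168.1.2", "ping 192.168.1.2"):
            verdict = "ok" if authorize(view, cmd) else "% Invalid input"
            print(f"{view:10} {cmd:24} {verdict}")
```

The model reproduces the page's outcome: in view user1 only ping and show ip int br succeed, while the same commands typed in the superview all succeed because the superview inherits everything granted to user1 and user2.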
(Configure the enable password before configuring any view; if you configure the views first you can lock yourself out of the router.)
Configure telnet and ensure the computer in our LAN network can access the router.
Configure the root view with password admin and username admin.
Configure parser view user1 and allow the ping and show ip int br commands, with password user1.
Configure parser view user2 and allow the show ip int br, show ip route, show ip protocol and trace commands only.
Configure a superview and add user1 and user2 to it.
Ensure the computer can access all views.
Router-one-(config)#int fa 0/0
Router-one-(config-if)#ip add 192.168.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit
Router-one-(config)#int fa 1/0
Router-one-(config-if)#ip address 10.1.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit
Router-one-(config)#int fa 1/1
Router-one-(config-if)#ip address 192.168.2.1 255.255.255.0
Router-one-(config-if)#no shut
Router-one-(config-if)#exit
*Feb 1 22:20:42.979: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 1 22:20:43.059: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb 1 22:20:43.099: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Telnet to the router and ensure the computer in our LAN network can access it.
%PARSER-6-VIEW_SWITCH: successfully set to view 'user1'.
Router-one-#show parser view
Current view is 'user1'
Router-one-#show ip route
^
% Invalid input detected at '^' marker.
Router-one-#traceroute 192.168.1.2
^
% Invalid input detected at '^' marker.
(From the above you see that user-1 is not able to run the show ip route and traceroute commands, because the admin allowed only two commands to user-1: show ip int br and ping.)
Router-one-#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet1/1 192.168.2.1 YES manual up up
Router-one-#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/37/56 ms
Configure parser view user2 and allow the show ip int br, show ip route, show ip protocol and trace commands only.
Router-one-(config)#parser view user2
Router-one-(config-view)#secret user2
Router-one-(config-view)#command exec in
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include show ip route
Router-one-(config-view)#command exec include show ip protocol
Router-one-(config-view)#command exec include traceroute
Router-one-(config-view)#command exec include ping
Router-one-#show ip route
^
% Invalid input detected at '^' marker.
Router-one-#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet1/1 192.168.2.1 YES manual up up
(user-1 is allowed only two commands: ping and show ip int br)