In this blog, you will see how IP address spoofing works and how to prevent spoofed IP packets from entering the network.
What is Unicast Reverse Path Forwarding?
Unicast Reverse Path Forwarding, also called the uRPF check, is a router security feature that prevents spoofing attacks. Normally, when forwarding unicast IP packets, a router looks up only the destination IP in its routing table and forwards the packet out of the right interface. The source address is not checked. Attackers know this too, so an attacker can spoof the source IP address and send packets. The uRPF feature checks the source IP of incoming packets and looks for a matching entry in the routing table. If an entry is found, the router can forward the packet, but if no entry is found in the routing table, the router drops the packet.
Unicast reverse path forwarding has two modes:
- Strict mode – in this mode, the router does two checks. First, it checks that the source IP has a matching entry in the routing table. Second, it checks that the packet arrived on the interface the routing table uses to reach that source IP.
- Loose mode – in this mode, the router only checks that the source IP has a matching entry in the routing table.
Let's take the example of our topology:
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure IGP routing and make sure the attacker can ping the victim's PC
- configure the spoofing attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8
- after successfully attacking the victim, configure uRPF on router 2 serial 4/0
- configure strict mode and make sure spoofed packets are discarded
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 10.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
IP/MASK : 10.1.1.10/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:00
LPORT : 10019
RHOST:PORT : 127.0.0.1:10020
MTU: : 1500
Checking for duplicate address...
PC1 : 10.1.1.20 255.0.0.0 gateway 10.1.1.1
IP/MASK : 10.1.1.20/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:01
LPORT : 10021
RHOST:PORT : 127.0.0.1:10022
MTU: : 1500
(Configure IP 192.168.1.10/24 default-gateway 192.168.1.1 on Kali Linux)
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
Serial4/0 1.1.1.1 YES manual up up
(Configure EIGRP on both the routers)
(Make sure the Attacking machine can ping the 10.0.0.0/8 network)
(On PC1, configure Wireshark to capture packets)
(capture packets)
Configure the spoofing attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8
(In the screenshot of the captured traffic, the source IP has been changed from 192.168.1.10 to the spoofed IP 100.100.100.100, and PC1 keeps replying to the spoofed IP.)
Configure strict mode and make sure spoofed packets are discarded.
R2(config)#interface serial 4/0
R2(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit
R2(config)#ip cef
R2(config)#exit
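The strict (rx) and loose (any) checks described above, modelled as an added Python example (not from the original post and not Cisco's implementation). The forwarding table for R2 is constructed from the lab topology, assuming EIGRP has installed 192.168.1.0/24 via Serial4/0 and that R2 has no default route.

```python
import ipaddress

# Constructed forwarding table for R2, taken from the lab addressing.
# Assumption: EIGRP installed 192.168.1.0/24 via Serial4/0; no default route.
R2_FIB = [
    ("10.0.0.0/8", "FastEthernet0/0"),   # connected, victim LAN
    ("1.0.0.0/8", "Serial4/0"),          # connected, link to R1
    ("192.168.1.0/24", "Serial4/0"),     # learned from R1
]

def lookup(fib, src):
    """Longest-prefix match on the SOURCE address; returns an interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_check(fib, src, in_iface, mode):
    """Return 'forward' or 'drop'. mode 'rx' is strict, 'any' is loose.
    Simplification: one best path per prefix (no equal-cost multipath)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    iface = lookup(fib, src)
    if iface is None:
        return "drop"                     # no route back to the source
    if mode == "rx" and iface != in_iface:
        return "drop"                     # route exists, but via another interface
    return "forward"

if __name__ == "__main__":
    # Constructed packets, all received on R2 Serial4/0.
    for src in ("192.168.1.10", "100.100.100.100", "10.1.1.20"):
        for mode in ("rx", "any"):
            print(f"src={src:<16} mode={mode:<3} ->",
                  urpf_check(R2_FIB, src, "Serial4/0", mode))
```

The last case shows the difference between the modes: a packet arriving on Serial4/0 with a source inside 10.0.0.0/8 passes the loose check because a route exists, but fails the strict check because that route points to FastEthernet0/0.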