Thursday 22 February 2024

How to spoof the IP address? | How to prevent spoofed IP packets from entering the network? | What is unicast reverse path forwarding?




This post shows how IP address spoofing works, how to prevent spoofed IP packets from entering the network, and what unicast reverse path forwarding is.

Routers can run a Unicast Reverse Path Forwarding check, also called a uRPF check. uRPF is a security feature that prevents spoofing attacks. When forwarding unicast IP packets, a router normally looks up only the destination IP in its routing table and sends the packet out of the matching interface; the source address is not checked. An attacker who knows this can spoof the source IP address and the packets will still be forwarded. The uRPF feature checks the source IP address of incoming packets and looks for a matching entry in the routing table. If an entry is found, the router forwards the packet; if no entry is found, the router drops the packet.

Unicast reverse path forwarding has two modes:

  1. Strict mode – the router performs two checks: first, that the routing table has an entry matching the source IP; second, that the interface the packet arrived on is the interface that entry points to.
  2. Loose mode – the router only checks that the routing table has an entry matching the source IP.

Let's take the example of our topology 


In this topology, the attacker machine (192.168.1.10) and the victim PC1 (10.1.1.10) are in different networks. The attacker machine sends ICMP packets to PC1 with the spoofed source IP address 100.100.100.100. Router 1 forwards these packets because it looks only at the destination, and we have not configured unicast RPF. Router 2 does the same. PC1 receives the ICMP requests and replies continuously. To prevent this attack, we configure uRPF on router 2's serial 4/0 interface so that the spoofed IP packets are not forwarded.





(Before starting this lab: this blog is for study purposes only. Please do not try this on a real device.)



Topology: 

Goal:
  • Configure the topology as per the diagram.
  • Configure the IP addresses as per the topology.
  • Configure IGP routing and make sure the attacker can ping the victim's PC.
  • Configure the spoofing attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8.
  • After successfully attacking the victim, configure uRPF on router 2 serial 4/0.
  • Configure strict mode and make sure spoofed packets are discarded.




R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
 
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 10.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
 
PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
 
PC1> show ip
 
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10019
RHOST:PORT  : 127.0.0.1:10020
MTU:        : 1500
 
PC2> ip 10.1.1.20 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.20 255.0.0.0 gateway 10.1.1.1
 
PC2> show ip
 
NAME        : PC2[1]
IP/MASK     : 10.1.1.20/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10021
RHOST:PORT  : 127.0.0.1:10022
MTU:        : 1500

 (Configure IP 192.168.1.10/24 default-gateway 192.168.1.1 on Kali Linux)


R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up

R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.2         YES manual up                    up


(Configure EIGRP on both the routers)


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 1.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

*Feb 22 13:45:39.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency

R2(config)#router eigrp 100
R2(config-router)#network 10.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit

R1#show ip route eigrp
D    10.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:52, Serial4/0

R2#show ip route eigrp
D    192.168.1.0/24 [90/2172416] via 1.1.1.1, 00:03:28, Serial4/0


(Make sure the Attacking machine can ping the 10.0.0.0/8 network)






(Configure Wireshark on PC1 to capture packets)








(capture packets)




Configure the spoofing attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8.






(In the screenshot of the captured traffic, the source IP has changed from 192.168.1.10 to the spoofed IP 100.100.100.100, and PC1 replies continuously to the spoofed IP.)





Configure strict mode and make sure spoofed packets are discarded.



R2(config)#interface serial 4/0
R2(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit

R2(config)#ip cef
R2(config)#exit

(Now we try the attack again)



(Notice that router 2 is now discarding the spoofed IP packets)


R2#show ip interface serial 4/0 | include drops
   30 verification drops
   0 suppressed verification drops

R2#show ip interface serial 4/0 | include verify
  IP verify source reachable-via RX
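
The decision R2 makes for each packet arriving on Serial4/0 can be modelled in Python. This is an added example, not part of the original lab and not Cisco's implementation: the FIB is constructed from the lab's addressing, the function names are hypothetical, and it goes beyond the lab by also modelling loose mode and the command's allow-default option.

```python
import ipaddress

# Constructed FIB for R2, built from the lab's addressing: (prefix, outgoing interface).
R2_FIB = [
    ("10.0.0.0/8", "FastEthernet0/0"),   # connected
    ("1.0.0.0/8", "Serial4/0"),          # connected
    ("192.168.1.0/24", "Serial4/0"),     # learned via EIGRP from 1.1.1.1
]


def lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib, source, in_iface, mode="rx", allow_default=False):
    """Return True if a packet from `source` received on `in_iface` passes uRPF.

    mode "rx"  = strict: the route back to the source must point out in_iface.
    mode "any" = loose: any route back to the source is enough.
    """
    match = lookup(fib, source)
    if match is None:
        return False                      # no route to the source: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route only counts with allow-default
    if mode == "any":
        return True
    return iface == in_iface              # simplification: one best path, no ECMP


def demo():
    """Verdicts for packets arriving on Serial4/0, keyed by (source, mode)."""
    cases = [("192.168.1.10", "rx"), ("100.100.100.100", "rx"),
             ("100.100.100.100", "any"), ("10.1.1.10", "rx"), ("10.1.1.10", "any")]
    return {c: urpf_permits(R2_FIB, c[0], "Serial4/0", c[1]) for c in cases}


if __name__ == "__main__":
    for (src, mode), ok in demo().items():
        print(f"src={src:<16} reachable-via {mode:<3} -> {'forward' if ok else 'drop'}")
```

A source inside 10.0.0.0/8 arriving on Serial4/0 is the case that separates the two modes: loose mode forwards it because a route exists, strict mode drops it because that route points out FastEthernet0/0.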






 
