old-www/LDP/LG/issue46/pollman/ip_spoofing.html

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="Author" content="JC Pollman">
   <meta name="GENERATOR" content="Mozilla/4.61 [en] (X11; I; Linux 2.2.11 i686) [Netscape]">
</head>
<body bgcolor=#ffffff>

<center><b><font size=+1>IP Spoofing</font></b></center>

<p>The best information comes straight from the<a href="http://metalab.unc.edu/pub/Linux/docs/howto/IPCHAINS-HOWTO">
IP Chains How To</a>:
<p>IP spoofing is a technique where a host sends out packets which claim
to be from another host.&nbsp; Since packet filtering makes decisions based
on this source address, IP spoofing is used to fool packet filters. It
is also used to hide the identity of attackers using SYN attacks, Teardrop,
Ping of Death and the like (don't worry if you don't know what they are).
<p>The best way to protect from IP spoofing is called Source Address Verification,
and it is done by the routing code, and not firewalling at all.&nbsp; Look
for a file called rp_filter by doing this:
<p><i><font color="#FF0000">&nbsp;&nbsp;&nbsp; </font><font color="#330000">ls
-l /proc/sys/net/ipv4/conf/all/rp_filter [Enter]</font></i>
<p>If this exists, then turning on Source Address Verification at every
boot is the right solution for you.&nbsp; To do that, insert the following
lines in your <font color="#330000">init script (for Redhat based distributions
use /etc/rc.d/rc.sysinit script)</font>:&nbsp; <font color="#330000">immediately</font>
after /proc is mounted:
<br>&nbsp;
<p><tt># This is the best method: turn on Source Address Verification and
get</tt>
<br><tt># spoof protection on all current and future interfaces.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if [ -e /proc/sys/net/ipv4/conf/all/rp_filter
]; then</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo -n "Setting
up IP spoofing protection..."</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
echo 1 > $f</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; done</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "done."</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo PROBLEMS
SETTING UP IP SPOOFING PROTECTION.&nbsp; BE WORRIED.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "CONTROL-D
will exit from this shell and continue system startup."</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # Start a single
user shell on the console</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /sbin/sulogin
$CONSOLE</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; fi</tt>
<p>If you cannot do this, you can manually insert rules to protect every
interface.&nbsp; This requires knowledge of each interface.&nbsp; The 2.1
kernels automatically reject packets claiming to come from the 127.* addresses
(reserved for the local loopback interface, lo).
</body>
</html>