How to protect your network from IP spoofing?

IP address spoofing is a security issue that you should prepare for when deploying a new server. It is a common technique attackers use to throw security analysts off their tracks. These cybercriminals create packets with forged source IP addresses either to hide their identity or to willfully impersonate another computing system. This, in turn, enables them to launch DDoS attacks or execute malware. As a system administrator, you need to configure your network to filter spoofed traffic at the source.

In this article, we are going to share the information and necessary commands you need to protect servers running Linux® from IP spoofing.

On servers running Linux

The Linux kernel and most network security appliances use reverse path filtering (RPF) to check whether a received packet's source address is reachable by a route in the forwarding table. RPF has two modes: Strict and Loose.

  • Strict mode – the router confirms whether the source address is reachable through the interface on which the packet is received
  • Loose mode – the router confirms if the source address is reachable via any interface

RPF drops a checked packet if the mode's condition is not met.
To enable RPF, run the following command:

  • Strict mode – sysctl -w net.ipv4.conf.all.rp_filter=1
  • Loose mode – sysctl -w net.ipv4.conf.all.rp_filter=2
* Replace "all" with the interface name to enable RPF on that specific interface.
** The kernel uses the maximum of conf/all/rp_filter and conf/<interface>/rp_filter when performing source validation on that interface, so setting a single interface to 0 does not disable RPF while conf.all is non-zero.
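The following script is an added example, not part of the original article. It audits the effective rp_filter mode per interface using the kernel's "larger of all and interface" rule quoted above, and it writes the chosen mode together with log_martians into a sysctl.d drop-in, because a plain `sysctl -w` change is lost at the next reboot. The drop-in path /etc/sysctl.d/90-rp-filter.conf and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original article).
#   audit              show effective rp_filter per interface (reads /proc/sys only)
#   apply MODE [IFACE] persist strict (1) or loose (2) RPF plus log_martians, root required
# Effective mode = max(conf/all/rp_filter, conf/<iface>/rp_filter), per kernel docs.

effective_rp_filter() {  # effective_rp_filter ALL_VALUE IFACE_VALUE -> the larger value
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

rp_filter_name() {  # numeric rp_filter value -> human-readable mode
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_sysctl_conf MODE [IFACE]: print the drop-in contents (MODE is 1 or 2).
# Without IFACE it sets "all" and "default" so newly created interfaces inherit it.
rp_filter_sysctl_conf() {
    mode=$1; iface=${2:-}
    case "$mode" in 1|2) ;; *) echo "mode must be 1 (strict) or 2 (loose)" >&2; return 1 ;; esac
    if [ -n "$iface" ]; then
        printf 'net.ipv4.conf.%s.rp_filter = %s\n' "$iface" "$mode"
    else
        printf 'net.ipv4.conf.all.rp_filter = %s\nnet.ipv4.conf.default.rp_filter = %s\n' "$mode" "$mode"
    fi
    printf 'net.ipv4.conf.all.log_martians = 1\n'
}

audit_rp_filter() {
    base=/proc/sys/net/ipv4/conf
    [ -d "$base" ] || { echo "$base not present; nothing to audit" >&2; return 1; }
    all=$(cat "$base/all/rp_filter")
    for d in "$base"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        v=$(cat "$d/rp_filter")
        eff=$(effective_rp_filter "$all" "$v")
        printf '%-12s all=%s iface=%s effective=%s (%s) log_martians=%s\n' \
            "$iface" "$all" "$v" "$eff" "$(rp_filter_name "$eff")" "$(cat "$d/log_martians")"
    done
}

apply_rp_filter() {  # apply_rp_filter MODE [IFACE]
    conf=/etc/sysctl.d/90-rp-filter.conf   # assumed path for this example
    content=$(rp_filter_sysctl_conf "$@") || return 1   # validate before touching the file
    printf '%s\n' "$content" > "$conf"
    sysctl --system >/dev/null && echo "applied $conf"
}

case "${1:-}" in
    audit) audit_rp_filter ;;
    apply) shift; apply_rp_filter "$@" ;;
    *)     echo "usage: $0 audit | apply MODE [IFACE]" >&2 ;;
esac
```

Run `sh rpf.sh audit` on any Linux host to see which mode is actually in force per interface; `sudo sh rpf.sh apply 1` persists Strict mode for all interfaces, and `sudo sh rpf.sh apply 2 eth1` loosens only eth1 (which still leaves eth1 in Strict mode if conf.all is 1, because the larger value wins).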

RFC 3704, Ingress Filtering for Multihomed Networks, recommends Strict mode to prevent DDoS attacks that rely on spoofed source addresses. Loose mode is recommended only for networks whose routing configuration (for example, asymmetric routing on multihomed hosts) requires more permissive filtering.

You can monitor RPF in the Linux kernel log (dmesg or the system log) to see when packets fail verification and are dropped. The "log_martians" parameter must be enabled:

sysctl -w net.ipv4.conf.all.log_martians=1
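Once log_martians is on, the kernel logs each rejected packet as "martian source <destination> from <source>, on dev <interface>" (note that the address after "from" is the spoofed source). The script below is an added example, not part of the original article: it parses those lines from kernel output and summarises drops per interface and per source address. The log lines embedded in it are constructed for the example; on a live host pipe `dmesg` (or `journalctl -k`) into the same functions.

```sh
#!/bin/sh
# Added example (not from the original article): summarise "martian source" kernel
# messages produced once net.ipv4.conf.all.log_martians=1 is set.
# Kernel format (net/ipv4/route.c): "martian source <dst> from <src>, on dev <iface>"

# Constructed sample of dmesg output for this example; not real captured data.
SAMPLE_LOG='[ 1234.567890] IPv4: martian source 10.0.0.5 from 198.51.100.7, on dev eth0
[ 1234.567891] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
[ 1240.000001] IPv4: martian source 10.0.0.5 from 192.0.2.99, on dev eth0
[ 1241.000002] IPv4: martian source 10.0.1.1 from 203.0.113.4, on dev eth1
[ 1242.000003] IPv4: martian source 10.0.0.5 from 198.51.100.7, on dev eth0'

# martian_events: stdin -> one "iface src dst" line per martian message;
# "ll header" continuation lines carry no addresses and are skipped.
martian_events() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([^ ]*\).*/\3 \2 \1/p'
}

# martian_count_by_dev: number of rejected packets per receiving interface
martian_count_by_dev() {
    martian_events | awk '{ n[$1]++ } END { for (d in n) print d, n[d] }' | sort
}

# martian_top_sources: spoofed source addresses by frequency, most frequent first
martian_top_sources() {
    martian_events | awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Wrappers over the constructed sample; live use is e.g.  dmesg | martian_count_by_dev
sample_count_by_dev() { printf '%s\n' "$SAMPLE_LOG" | martian_count_by_dev; }
sample_top_sources()  { printf '%s\n' "$SAMPLE_LOG" | martian_top_sources; }

echo "rejected packets per interface:"; sample_count_by_dev
echo "most frequent spoofed sources:";  sample_top_sources
```

A sudden rise in the per-interface count is the signal to look at: a handful of martians is normal noise (misconfigured neighbours, stale routes), while hundreds per second on the upstream interface usually means spoofed traffic that RPF is already absorbing. Note that the kernel rate-limits these messages, so the counts are a lower bound.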


Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
