A spoofing or bad-address attack tries to fool the server into believing that packets came from a local address or network.
The following source addresses are known to be used in this kind of attack:
- Incoming packets whose source IP address is your server's own IP address.
- Incoming packets whose source address falls in a bad range, such as:
- Your own internal server/network IP addresses or ranges.
The following small shell script tries to prevent this kind of attack:
#!/bin/bash
INT_IF="eth1"                 # interface connected to the internet
SERVER_IP="22.214.171.124"    # server (WAN) IP
LAN_RANGE="192.168.1.0/24"    # your LAN IP range

# Add your spoofed IP ranges/IPs here (the last entry covers multicast and reserved space)
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

IPT="/sbin/iptables"          # path to iptables

# default action, can be DROP or REJECT
ACTION="DROP"

# Drop incoming packets that claim to come from our own server on the WAN port.
# (No matching OUTPUT rule: packets the server itself sends out legitimately carry SERVER_IP.)
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION

# Drop packets that claim to come from our own internal LAN on the WAN port
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION

## Drop all spoofed ranges, in both directions
for ip in $SPOOF_IPS
do
    $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
    $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done

## add or call the rest of your script below to customize iptables ##
Save and close the file. Call the above script from your own iptables script. Then add the following lines to your /etc/sysctl.conf file:
The net.ipv4.conf.all.rp_filter=1 entry enables source address verification (reverse path filtering), which is built into the Linux kernel itself, and the last two lines log all such spoofed packets to the system log.
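As an added example (not the page's script), the same checks rebuilt into dedicated chains that log a rate-limited sample before dropping and are inserted at the top of INPUT, FORWARD and OUTPUT, so no earlier ACCEPT rule can let a spoofed packet through. Variable values mirror the script above; the chain names are my own, and 224.0.0.0/3 (multicast and reserved) is assumed to be the intended last entry of SPOOF_IPS. The functions print the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the page's script: the same checks built into dedicated
# chains that log (rate-limited) before dropping, inserted at the top of the
# built-in chains so no earlier ACCEPT rule can let a spoofed packet through.
# Variable values mirror the script above; the chain names are my own choice.
INT_IF="${INT_IF:-eth1}"
SERVER_IP="${SERVER_IP:-22.214.171.124}"
LAN_RANGE="${LAN_RANGE:-192.168.1.0/24}"
# 224.0.0.0/3 (multicast and reserved) assumed as the intended last entry
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="${IPT:-/sbin/iptables}"

# Emit the commands for one chain: $1 is the chain name, the remaining
# arguments are the source prefixes to log and drop.
emit_chain() {
    chain="$1"; shift
    echo "$IPT -N $chain"
    for src in "$@"; do
        echo "$IPT -A $chain -s $src -m limit --limit 5/min -j LOG --log-prefix \"$chain: \""
        echo "$IPT -A $chain -s $src -j DROP"
    done
    echo "$IPT -A $chain -j RETURN"
}

# Print the whole rule set rather than applying it, so it can be reviewed
# first; run `antispoof_rules | sh` as root to apply.
antispoof_rules() {
    # Ingress: nothing arriving on the WAN side may claim our own address,
    # the LAN range, or a range that never appears on the internet.
    emit_chain ANTISPOOF_IN "$SERVER_IP" "$LAN_RANGE" $SPOOF_IPS
    # Egress: the server's own packets legitimately carry SERVER_IP, so only
    # LAN and bogon sources are blocked on the way out.
    emit_chain ANTISPOOF_OUT "$LAN_RANGE" $SPOOF_IPS
    echo "$IPT -I INPUT 1 -i $INT_IF -j ANTISPOOF_IN"
    echo "$IPT -I FORWARD 1 -i $INT_IF -j ANTISPOOF_IN"
    echo "$IPT -I OUTPUT 1 -o $INT_IF -j ANTISPOOF_OUT"
}

# Number of commands emitted (one per line), handy for a quick sanity check.
antispoof_rule_count() {
    antispoof_rules | wc -l | tr -d ' '
}
```

Hits show up in the kernel log with the "ANTISPOOF_IN: " or "ANTISPOOF_OUT: " prefix, which makes them easy to count or alert on alongside the rp_filter martian messages.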