Thursday, September 15, 2016


IP Source Guard & uRPF

IP Spoofing Attack: - Somebody comes onto the network and claims to be using an IP address that is not really theirs, maybe the IP address of a machine that is authorized to reach a secured server, like we see in the picture.

In this example we have an authorized client whose IP address is shown in the picture. As their traffic goes to the secured server, it passes through router R1, and router R1 has an ACL that says "When traffic comes into this interface from this subnet, I am only going to allow one IP address from the subnet to reach the secured server," and that one IP address is the authorized client's. In this case it really is the authorized client that sent the traffic, so the source address matches.

And the router says "All right! You're good to go," and sends the traffic on its way to the secured server. Now here is where the IP spoofing attack comes along.

What if we have an attacker who connects their laptop to the same subnet as our authorized client, and claims that their IP address is the one authorized to reach the secured server? If they did that, it seems like they would be able to send traffic to the secured server, going right through that ACL on router R1, because the ACL has a permit statement for that IP address.

Sometimes an attacker launches an IP spoofing attack from the internet. They are off-site somewhere, and they come in and say "This is my source address." But a router running something like uRPF (Unicast Reverse Path Forwarding) can check the source IP address and ask, "If I were sending traffic back to this IP address, which interface would I use, based on my IP routing table?" If the traffic came in on a router interface that is not the same interface the router would use to get back to that IP address, the router is not going to allow that traffic. That is one way of mitigating an IP spoofing attack, if the attacker is on a different subnet than the one they claim to be on.

In our diagram, though, the attacker is on the same subnet as the authorized client, so even if we were using uRPF on router R1, it would not prevent this attacker from getting through.
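To make the uRPF point concrete, here is an added example of how strict-mode uRPF would be configured on R1 alongside the ACL the post describes. This is not configuration from the original post; the interface names, the client subnet 192.0.2.0/24 behind GigabitEthernet0/0, the secured server 198.51.100.10 behind GigabitEthernet0/1, and the authorized client address 192.0.2.50 are all placeholders chosen for this example.

```cisco
! Added example (not from the original post). All addresses and interface
! names below are constructed placeholders.
! uRPF relies on CEF, so make sure it is on.
R1(config)# ip cef
! The ACL the post talks about: only the authorized client may reach the server.
R1(config)# ip access-list extended CLIENT-TO-SERVER
R1(config-ext-nacl)# permit ip host 192.0.2.50 host 198.51.100.10
R1(config-ext-nacl)# deny ip any host 198.51.100.10
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# description Client subnet 192.0.2.0/24
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# ip access-group CLIENT-TO-SERVER in
! Strict mode: the packet's source must be reachable, per the routing table,
! through the very interface the packet arrived on.
R1(config-if)# ip verify unicast source reachable-via rx
R1(config-if)# exit
! The outside-facing interface gets the same check, so a packet from the
! internet that claims source 192.0.2.50 is dropped: the route to
! 192.0.2.0/24 points at Gi0/0, not at Gi0/1.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip verify unicast source reachable-via rx
R1(config-if)# end
! Verification: the interface should report "IP verify source reachable-via RX"
! and count verification drops; show ip traffic carries a unicast RPF drop counter.
R1# show ip interface GigabitEthernet0/0 | include verif
R1# show ip traffic | include RPF
```

Notice why this does not help in the diagram's case: a spoofed packet from the attacker's laptop arrives on Gi0/0, and the route back to the claimed address 192.0.2.50 also points at Gi0/0, so the reverse-path check passes. Strict mode (`reachable-via rx`) is the right choice on edge interfaces with symmetric routing; where routing is asymmetric, `reachable-via any` (loose mode) only verifies that some route to the source exists.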
But the great news is that we can enable a Cisco switch feature that helps us out; it is called "IP Source Guard", and this feature works hand in hand with DHCP Snooping.

If you don't know about DHCP Snooping, see the DHCP Snooping post.
When a client makes a DHCP request and gets its IP address information via DHCP, the IP Source Guard feature can create a mapping inside the switch that says "this IP address (and even this MAC address) resides on this port." That way, if an attacker comes along and claims to be an IP address, the switch says "Oh no, you are not; this other IP address is supposed to live on this port, and you are claiming an IP address that lives on a different port, so I am not going to allow your traffic." This is what IP Source Guard can do for us, and it can check incoming traffic based on just the IP address, or on the IP address and MAC address together.
The DHCP Snooping feature is what is used to dynamically build this mapping table. We can also populate it manually if we want, but most often we use DHCP Snooping to construct it. With IP Source Guard enabled, if the attacker attempts to send a packet (in this case to the secured server), that packet is not going to make it through; it is going to be dropped.

Configuration and Verification
I mentioned that IP Source Guard typically works hand in hand with DHCP Snooping.

I already have DHCP Snooping configured. Now we turn on IP Source Guard. We typically turn IP Source Guard on for "untrusted" ports, for example user-facing ports. In my example, FastEthernet 1/0/1 is the "trusted" port (the interface where my DHCP server resides), and no client is attached to that port. So what we do is enable IP Source Guard on all of the other ports.

Configuration: -

    Sw1(config)#interface range fastEthernet 1/0/2-24
    Sw1(config-if-range)#ip verify source
(That enables IP Source Guard on those interfaces)

Troubleshooting and Verification Command
    Sw1#show ip verify source
(This is a privileged EXEC command, so it is run from the Sw1# prompt, not from configuration mode.)

Conclusion: - When a machine first comes up, it is not going to be able to communicate with the network. The only traffic initially allowed through a port is DHCP traffic, which lets the client get its IP address information. As it gets that information, the mapping table is constructed inside the switch, and that is what allows IP Source Guard to reject packets that don't match the mapping table.
