This is the third article in the layer 2 security series. If you haven’t read the first two articles, DHCP Snooping and Dynamic ARP Inspection, I highly recommend you do, as they are all related, especially DHCP Snooping.
Background
IP spoofing is the process of changing or forging the source (originating) IP address of a packet. An attacker forges his IP address to hide his true identity or to impersonate another user’s identity.
Why use IP spoofing
Figure: IP Spoofing
For example, if the attacker wants to launch a DoS attack (like Smurf or SYN), he will change the source IP address of the packet to any other IP address and launch the attack.
That way, it will be much harder to trace the attack back to him. But if the attacker needs to launch the attack against a target that’s protected behind a firewall, he has to use an IP address that’s already allowed through that firewall. IP spoofing can also be used in session hijacking attacks, as shown in the above figure.
IP spoofing and DDoS attacks
IP spoofing is heavily used in DDoS attacks that rely on botnets, and it provides a lot of benefits to the attacker. For example, the target victim will not be able to warn the owners of the infected devices. Also, launching multiple attacks from the same IP address will prompt organizations to blacklist that address; changing IP addresses each time ensures that attacks will bypass any blacklisting controls.
IP spoofing is essential in DNS and NTP DDoS amplification attacks, where the attacker spoofs the source IP address to the victim’s IP address and exploits public DNS and NTP servers to send a large amount of traffic to the victim, which consumes all its internet bandwidth.
Note: Botnets are malware distributed and controlled by hackers; they don’t usually cause harm to the infected device; the hacker just uses them to launch DDoS attacks. We will come to that later when we discuss Layer 3 and 4 security.
IP spoofing and layer 7 attacks
IP spoofing is not effective for hiding identities while launching layer 7 (application) attacks. For a layer 7 attack to be successful, it requires full communication between the attacker and the target; with IP spoofing that’s not possible, as the return traffic (from target to attacker) will never reach the attacker.
For example, an attacker who resides in Europe and wants to launch an attack against a target using a spoofed IP address from North America will never be able to complete the attack, because the return traffic from the target will be directed to North America, not Europe.
IP Source Guard
IP source guard, like Dynamic ARP Inspection, relies on DHCP Snooping to validate packets entering the switch from untrusted ports. It matches each packet’s source IP and MAC address against the DHCP snooping binding database, then drops and logs any packet that doesn’t match. Review the DHCP Snooping article to learn more about that. IP source guard will not inspect traffic coming through trusted interfaces.
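The check described above can be modelled in a few lines. This is an added example, not code from the original article or from any switch vendor; the port names, MAC addresses and IP addresses are constructed sample values, and matching on port and VLAN as well as IP and MAC assumes the usual shape of a DHCP snooping binding entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (constructed sample data)."""
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass(frozen=True)
class Packet:
    port: str      # ingress switch port
    vlan: int
    src_mac: str
    src_ip: str

# Constructed sample state: two host ports learned via DHCP, one trusted uplink.
BINDINGS = [
    Binding("00:11:22:33:44:55", "10.0.10.21", 10, "Gi0/1"),
    Binding("00:11:22:aa:bb:cc", "10.0.10.22", 10, "Gi0/2"),
]
TRUSTED_PORTS = {"Gi0/24"}

def source_guard(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS, log=None):
    """Return 'forward' or 'drop' the way the article describes the check."""
    if pkt.port in trusted:
        return "forward"            # trusted interfaces are not inspected
    for b in bindings:
        if (b.port, b.vlan, b.mac, b.ip) == (pkt.port, pkt.vlan,
                                             pkt.src_mac.lower(), pkt.src_ip):
            return "forward"        # source IP and MAC match a binding
    if log is not None:             # no match on an untrusted port: drop and log
        log.append(f"IPSG drop port={pkt.port} vlan={pkt.vlan} "
                   f"mac={pkt.src_mac} ip={pkt.src_ip}")
    return "drop"

def run_samples():
    log = []
    packets = [
        Packet("Gi0/1", 10, "00:11:22:33:44:55", "10.0.10.21"),    # legitimate host
        Packet("Gi0/1", 10, "00:11:22:33:44:55", "203.0.113.7"),   # forged source IP
        Packet("Gi0/2", 10, "00:11:22:33:44:55", "10.0.10.21"),    # neighbour's IP and MAC
        Packet("Gi0/24", 10, "de:ad:be:ef:00:01", "203.0.113.7"),  # trusted uplink
    ]
    return [source_guard(p, log=log) for p in packets], log

if __name__ == "__main__":
    verdicts, log = run_samples()
    print(verdicts)
    print("\n".join(log))
```

The last sample packet is forwarded even though its source matches no binding, because it arrives on a trusted port; a host port mistakenly marked as trusted gets no source validation at all.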
IP Source Guard Deployment Considerations:
Make sure you know which interfaces are trusted and which are not; all interfaces connected to hosts should be marked as untrusted, while interfaces connected to other switches or uplinks should be marked as trusted.
IP source guard by itself will not prevent the attacks, but it will deny an attacker the privilege of hiding his identity while launching attacks against company systems.
IP source guard will not protect the organization’s devices from being infected by botnets, but at least it will prevent them from launching attacks. Of course, this will be a challenge for mobile devices, because once they are outside of the organization, security controls will not apply to them; there are other methodologies to cover this point, and we will discuss them later when we come to security controls design and architecture.
In our next article we will discuss Port Security, which is one of the most important and widely deployed layer 2 security techniques.