IP Source Guard and Deployment Considerations

This is the third article in the layer 2 security series. If you haven’t read the first two articles, DHCP Snooping and Dynamic ARP Inspection, I highly recommend you do, as they are all related, especially DHCP Snooping.


IP spoofing is the process of changing or forging the source (originating) IP address of a packet. An attacker forges his IP address to hide his true identity or to impersonate another user’s identity.

Why use IP spoofing


Figure: IP Spoofing

When launching a DDoS attack, the attacker does not want anyone to trace it back to him, so he replaces the source IP address with a different one. This new IP address could be a bogus one (just a random IP) or an actual existing user’s IP address, depending on the type of attack he’s trying to launch.

For example, if the attacker wants to launch a DoS attack (like Smurf or SYN), he will change the source IP address of the packet to any other IP address and launch the attack.

That way, it will be much harder to trace the attack back to him. But if the attacker needs to launch the attack against a target that’s protected behind a firewall, he has to use an IP address that’s already allowed through that firewall. IP spoofing can also be used in session hijacking attacks, as shown in the figure above.

IP spoofing and DDoS attacks

IP spoofing is heavily used in DDoS attacks that rely on botnets, and it provides a lot of benefits to the attacker. For example, the target victim will not be able to warn the owners of the infected devices. Also, launching multiple attacks from the same IP address will prompt organizations to blacklist these addresses; changing IP addresses each time ensures that attacks will bypass any blacklisting controls.

IP spoofing is essential in DNS and NTP DDoS amplification attacks, where the attacker spoofs the source IP address to the victim’s IP address and exploits public DNS and NTP servers to send a large amount of traffic to the victim, which consumes all its internet bandwidth.

Note: Botnets are malware distributed and controlled by hackers; they don’t usually cause harm to the infected device; the hacker just uses them to launch DDoS attacks. We will come to that later when we discuss layer 3 and layer 4 security.

IP spoofing and layer 7 attacks

IP spoofing is not effective for hiding identities while launching layer 7 (application) attacks. For a layer 7 attack to be successful, it requires full communication between the attacker and the target; with IP spoofing that’s not possible, as the return traffic (from target to attacker) will never reach the attacker. For example, an attacker who resides in Europe and wants to launch an attack against a target using a spoofed IP address from North America will never be able to complete the attack, because the return traffic from the target will be directed to North America, not Europe.

IP Source Guard

IP source guard, like Dynamic ARP Inspection, relies on DHCP Snooping to validate packets entering the switch from untrusted ports. It matches each packet’s source IP and MAC address against the snooping binding database, then drops and logs any packet that doesn’t match. Review the DHCP Snooping article to learn more about that. IP source guard will not inspect traffic coming through trusted interfaces.
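The check described above can be modelled in a few lines. This is an added example, not code from the original article or from any switch vendor; the names SourceGuard, Binding and Frame, the port names and the addresses are all constructed for illustration, and the model assumes bindings are stored per port and VLAN.

```python
from collections import namedtuple

# One row of the DHCP snooping binding database (assumed fields).
Binding = namedtuple("Binding", "interface vlan mac ip")
# The fields of an ingress frame that the check looks at.
Frame = namedtuple("Frame", "interface vlan src_mac src_ip")

class SourceGuard:
    """Hypothetical model of the IP source guard decision on one switch."""
    def __init__(self, bindings, trusted_ports):
        self.trusted = set(trusted_ports)
        self.log = []
        # Index bindings by port and VLAN: a binding learned on one port
        # never authorizes the same IP/MAC pair on another port.
        self.table = {}
        for b in bindings:
            key = (b.interface, b.vlan)
            self.table.setdefault(key, set()).add((b.mac.lower(), b.ip))

    def check(self, frame):
        """Return 'forward' or 'drop'; every dropped frame is logged."""
        if frame.interface in self.trusted:
            return "forward"  # trusted ports are not inspected
        allowed = self.table.get((frame.interface, frame.vlan), set())
        if (frame.src_mac.lower(), frame.src_ip) in allowed:
            return "forward"
        self.log.append(f"drop {frame.interface} vlan {frame.vlan} "
                        f"src {frame.src_ip} mac {frame.src_mac}")
        return "drop"

# Constructed sample data: two access ports and one trusted uplink.
BINDINGS = [
    Binding("Gi0/1", 10, "00:11:22:33:44:55", "192.0.2.10"),
    Binding("Gi0/2", 10, "00:11:22:33:44:66", "192.0.2.11"),
]
FRAMES = [
    Frame("Gi0/1", 10, "00:11:22:33:44:55", "192.0.2.10"),    # matches binding
    Frame("Gi0/1", 10, "00:11:22:33:44:55", "192.0.2.11"),    # neighbour's IP
    Frame("Gi0/1", 10, "00:11:22:33:44:55", "203.0.113.7"),   # random source IP
    Frame("Gi0/2", 10, "00:11:22:33:44:55", "192.0.2.10"),    # valid pair, wrong port
    Frame("Gi0/24", 10, "00:aa:bb:cc:dd:ee", "198.51.100.9"), # trusted uplink
]

def run(frames=FRAMES):
    """Check each frame and return (verdicts, drop log)."""
    guard = SourceGuard(BINDINGS, trusted_ports={"Gi0/24"})
    return [guard.check(f) for f in frames], guard.log

if __name__ == "__main__":
    print(run())
```

The last frame shows why the trusted/untrusted marking matters: nothing arriving on the uplink is validated, so a host port mistakenly marked as trusted bypasses the check entirely.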

IP Source Guard Deployment Considerations:

Make sure you know which interfaces are trusted and which are not; all interfaces connected to hosts should be marked as untrusted, while interfaces connected to other switches or uplinks should be marked as trusted. IP source guard by itself will not prevent the attacks, but it will deny an attacker the privilege of hiding his identity while launching attacks against company systems. IP source guard will not protect the organization’s devices from being infected by botnets, but at least it will prevent them from launching attacks.

Of course, this will be a challenge for mobile devices, because once they are outside of the organization, security controls will not apply to them. There are other methodologies to cover this point, and we will discuss them later when we come to security controls design and architecture. In our next article we will discuss Port Security, which is one of the most important and widely deployed layer 2 security techniques.

Created by
Orhan Ergun
