Antispoofing measures should be taken at every point in the network where practical, but they are usually
easiest to implement and most effective at the borders among large address blocks or among domains of
network administration.
Apply the antispoofing controls described in RFC 2827, "Network Ingress Filtering: Defeating Denial of Service
Attacks Which Employ IP Source Address Spoofing," which is published as Best Current Practice 38 (BCP 38). The RFC dictates
that no IP packets should be sent out to the Internet with a source address other than the addresses that have
been allocated to your network.
Note: RFC 2827 obsoletes RFC 2267.
In summary, the antispoofing implementation is used to:
- Deny incoming packets if the source address is allocated to your network
- Deny outbound packets if the source address is not allocated to your network
Antispoofing with Access Lists
Unfortunately, there is no simple list of commands to provide as a template to configure antispoofing access
lists, because networks vary and configuration depends on the network boundaries and address space
allocations. However, the basic objective is to drop packets that arrive on interfaces that are not viable paths
from the supposed source addresses of those packets.
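Because the entries depend on each site's allocation, one approach is to derive them from the prefix list. The following is an added example, not taken from the original text: it assumes an IPv4 allocation built from documentation prefixes, and the ACL names ANTISPOOF-IN and ANTISPOOF-OUT are hypothetical. It emits IOS-style extended access list entries for an Internet-facing border interface and applies the two summary rules to individual source addresses.

```python
"""Added example: derive RFC 2827 antispoofing rules from an address allocation."""
import ipaddress

# Constructed sample allocation (documentation prefixes, not from the page).
ALLOCATED = ["192.0.2.0/24", "198.51.100.0/25"]

def _nets(prefixes):
    # collapse_addresses merges overlapping or adjacent prefixes into a minimal set.
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))

def build_acls(prefixes, in_name="ANTISPOOF-IN", out_name="ANTISPOOF-OUT"):
    """Return IOS-style extended ACL text for the border interface (hypothetical names)."""
    nets = _nets(prefixes)
    lines = [f"ip access-list extended {in_name}"]
    # Inbound from the Internet: our own prefixes can never be a valid source.
    lines += [f" deny ip {n.network_address} {n.hostmask} any" for n in nets]
    lines += [" permit ip any any", f"ip access-list extended {out_name}"]
    # Outbound to the Internet: only our allocated prefixes may appear as a source.
    lines += [f" permit ip {n.network_address} {n.hostmask} any" for n in nets]
    lines += [" deny ip any any"]
    return "\n".join(lines)

def verdict(direction, src, prefixes):
    """Apply the two summary rules to one packet's source address."""
    ours = any(ipaddress.ip_address(src) in n for n in _nets(prefixes))
    if direction == "in":
        return "deny" if ours else "permit"
    if direction == "out":
        return "permit" if ours else "deny"
    raise ValueError("direction must be 'in' or 'out'")

if __name__ == "__main__":
    print(build_acls(ALLOCATED))
    # 198.51.100.200 lies outside the /25, so it is denied outbound.
    for d, s in [("in", "192.0.2.10"), ("in", "203.0.113.5"),
                 ("out", "198.51.100.200"), ("out", "198.51.100.20")]:
        print(d, s, verdict(d, s, ALLOCATED))
```

The wildcard masks come from each prefix's host mask, so a /25 yields 0.0.0.127 rather than a hand-typed value.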