Iptables rules to prevent IP Spoofing

Tags: ddos, iptables, rhel6, spoofing

We have the following iptables rules on our web front-end boxes to prevent IP spoofing:

-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 0.0.0.0/8 -j DROP

We now want to add the rules below to further harden IP spoofing prevention:

-A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 224.0.0.0/3 -j DROP
-A INPUT -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 240.0.0.0/5 -j DROP

Do you suggest adding the above rules on a production box running Apache httpd as a reverse proxy? This production box is behind an F5 load balancer.

Also, do we need to enable the below kernel parameters for the above rules to work effectively?

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

Best Answer

The rules you've added are a good example of "cargo cult".

Anti-spoofing measures are to be taken at gateways (routers); gateways are the proper devices because they actually have routing information. Servers typically don't have this info. Often servers have just a single channel and a default route towards it. If they happen to get a request they should serve it unless they have some ACLs ("those URLs are to be accessed from that IP range only" and so on). OTOH, when servers have public and private networks and there's a policy to keep those networks separated, rp_filter can be used to achieve it automatically. Note that nowadays netfilter has such an extension as well; sysctl isn't the only way to implement it.

IP spoofing is often used for DoS attacks. Attackers "inject" initiating packets into the network using the victim's IP address as their source. Their purpose is to make your server respond by sending answers to the victim. Your server won't be able to find out if the source IP in the requests it's getting was spoofed; it won't be any strange IP like 0.2.3.4 that your firewall rules are filtering out. If your server is getting spoofed requests from the Internet, it's generally not something you can solve at the "last mile" unless you know for certain it's spoofed, and typically you can only know that if your own public IPs are being used as the source.

Spoofing itself isn't a matter of "hey, look, they've used 0.2.3.4 source IP in requests, now we're all doomed unless we drop such packets".
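As an added illustration (not part of the question or the answer above) of what the answer says rp_filter does and does not catch: a constructed, simplified model of the kernel's source-address checks on a box with a single default route. The martian-source classes and the strict/loose reverse-path lookup follow the kernel's behaviour in simplified form; the routing table, interfaces and local addresses are assumptions.

```python
import ipaddress

# Constructed, hypothetical routing table and local addresses for a front-end box
# that has one default route towards the load balancer plus a private backend link.
ROUTES = [                       # (destination prefix, outgoing interface)
    ("0.0.0.0/0", "eth0"),       # default route (towards the F5 / Internet)
    ("203.0.113.0/24", "eth0"),  # public subnet (TEST-NET-3, constructed)
    ("10.20.0.0/16", "eth1"),    # private backend subnet
    ("127.0.0.0/8", "lo"),
]
LOCAL_ADDRS = {"203.0.113.10", "10.20.0.10", "127.0.0.1"}  # this host's own IPs

# Source ranges the kernel refuses as a "martian source" before any iptables rule runs
MARTIAN_SRC = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface or None (no route)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def accept_source(src, iif, rp_filter=1, routes=ROUTES, local=LOCAL_ADDRS):
    """Return (accepted, reason) for a packet with source src arriving on iif.
    rp_filter follows net.ipv4.conf.*.rp_filter: 0 off, 1 strict, 2 loose."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in MARTIAN_SRC):
        return False, "martian source (kernel drops it regardless of iptables)"
    if ip.is_loopback and iif != "lo":
        return False, "loopback source on a non-loopback interface"
    if src in local:
        return False, "our own address used as source: spoofed"
    out = route_lookup(src, routes)
    if rp_filter == 1 and out != iif:
        return False, f"strict rp_filter: reply would leave via {out}, not {iif}"
    if rp_filter == 2 and out is None:
        return False, "loose rp_filter: no route back to source"
    return True, "indistinguishable from a legitimate client"

if __name__ == "__main__":
    for pkt in [("0.1.2.3", "eth0"), ("203.0.113.10", "eth0"),
                ("10.20.5.5", "eth0"), ("198.51.100.7", "eth0")]:
        print(pkt, accept_source(*pkt))
```

The last packet is the point of the answer: a public source arriving on the default-route interface passes every check, so neither the iptables rules nor rp_filter can tell a spoofed Internet address from a real client; only the private-subnet and own-address cases are caught.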