
Configuring IP Spoofing Attack Defense

To gain access permission, an attacker sends large numbers of attack packets with forged source IP addresses to the target system. For applications that use IP address-based authentication, this attack lets unauthorized users access the target system, possibly even with system user rights.

Context

IP spoofing is a common attack type and the basis of many other attacks. It exploits how the IP protocol works: IP packets are forwarded according to the destination IP address in the IP header. If the destination IP address of a packet is on the same network as the source IP address, the packet is sent directly to the destination. Otherwise, the packet is sent to a gateway, and the source IP address carried in the packet is not checked. By default, the source IP address of an IP packet is the IP address of the host that sends it.

Attackers send packets with forged source IP addresses to target hosts to obtain access and control rights they are not entitled to. Such attacks put resources at risk and lead to information disclosure.

After IP spoofing attack defense is enabled, the FW looks up the source IP address of each IP packet in the FIB table. If the egress interface toward the source IP address is not the interface on which the packet arrived, the packet is regarded as an IP spoofing attack packet and processed accordingly.

Because the defense mechanism is based only on whether the device has a route back to the source IP address, false positives may occur. Therefore, use IP spoofing attack defense with caution.

When the FW works in transparent or multi-egress mode, or when policy-based routing is applied, IP spoofing attack defense cannot be configured.
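To make the FIB-based check and the false-positive caveat above concrete, the following added Python example (not Huawei code and not part of this documentation) simulates the check against a constructed FIB; the prefixes, interface names and sample packets are assumptions for illustration only.

```python
import ipaddress
from typing import Optional

# Constructed example FIB: destination prefix -> egress interface.
# Prefixes and interface names are assumptions, not a real FW configuration.
FIB = {
    "10.1.0.0/16": "GE0/0/1",     # internal LAN
    "192.168.5.0/24": "GE0/0/2",  # DMZ
    "0.0.0.0/0": "GE0/0/3",       # default route toward the Internet
}

def lookup_egress(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the FIB; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(src_ip: str, ingress: str) -> bool:
    """Mimic the FW check: a packet is treated as spoofed when the FIB egress
    toward its source address is not the interface it arrived on (or no route exists)."""
    egress = lookup_egress(src_ip)
    return egress is None or egress != ingress

def classify(packets):
    """Return (src_ip, ingress, verdict) for a list of (src_ip, ingress) tuples."""
    return [(src, ing, "spoofed" if is_spoofed(src, ing) else "ok") for src, ing in packets]

# Constructed sample packets (source IP, ingress interface).
SAMPLE = [
    ("10.1.20.7", "GE0/0/1"),    # internal host on the internal interface: ok
    ("10.1.20.7", "GE0/0/3"),    # internal address arriving from the Internet: spoofed
    ("203.0.113.9", "GE0/0/3"),  # public address via the default route: ok
    # Public address arriving on the DMZ interface: flagged as spoofed. With a second
    # uplink or asymmetric return paths this can be a legitimate packet, which is the
    # false-positive case the documentation warns about.
    ("203.0.113.9", "GE0/0/2"),
]

if __name__ == "__main__":
    for src, ing, verdict in classify(SAMPLE):
        print(f"{src:>14} via {ing}: {verdict}")
```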

Procedure

  1. In the user view, access the system view.

    system-view

  2. Enable IP spoofing attack defense.

    firewall defend ip-spoofing enable

Copyright © Huawei Technologies Co., Ltd.