Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks
Written by vaheeD on January 6, 2013
A spoofing or bad-address attack tries to fool the server by claiming that packets came from a local address or network.
The following IP/network addresses are known to be used in this kind of attack:
Incoming source IP address is your server's own IP address
Bad incoming source addresses from the following ranges:
=> 0.0.0.0/8
=> 127.0.0.0/8
=> 10.0.0.0/8
=> 172.16.0.0/12
=> 192.168.0.0/16
=> 224.0.0.0/3, etc.
=> Your own internal server/network IP addresses/ranges.
The following small shell script tries to prevent this kind of attack:
#!/bin/bash
INT_IF="eth1"                 # interface connected to the internet
SERVER_IP="202.54.10.20"      # server IP
LAN_RANGE="192.168.1.0/24"    # your LAN IP range
# Add your IP ranges/IPs here
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="/sbin/iptables"          # path to iptables
# default action, can be DROP or REJECT
ACTION="DROP"

# Drop incoming packets on the internet interface that claim to come from our own server.
# (No matching OUTPUT rule: every legitimate packet the server sends out carries
# $SERVER_IP as its source, so dropping it there would cut the server off.)
"$IPT" -A INPUT -i "$INT_IF" -s "$SERVER_IP" -j "$ACTION"

# Drop incoming packets that claim to come from our own internal LAN, and
# locally generated packets with a LAN source that try to leave via the internet interface
"$IPT" -A INPUT  -i "$INT_IF" -s "$LAN_RANGE" -j "$ACTION"
"$IPT" -A OUTPUT -o "$INT_IF" -s "$LAN_RANGE" -j "$ACTION"

# Drop packets with a bogus source address in either direction
for ip in $SPOOF_IPS
do
    "$IPT" -A INPUT  -i "$INT_IF" -s "$ip" -j "$ACTION"
    "$IPT" -A OUTPUT -o "$INT_IF" -s "$ip" -j "$ACTION"
done
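As an added example (not the original post's script), the same anti-spoofing rules can be emitted as an iptables-restore fragment instead of calling iptables once per rule; the whole set then loads atomically and lands in a dedicated chain that is easy to list, count and flush. The chain name ANTISPOOF, the eth1 interface and the addresses are assumptions for illustration, and the FORWARD hook is added so that a router also protects the hosts behind it.

```bash
#!/bin/bash
# Added example: build an iptables-restore fragment with the anti-spoofing rules.
# Chain name, interface and addresses are illustrative assumptions.
set -eu

# antispoof_rules INT_IF SERVER_IP LAN_RANGE -> prints an iptables-restore fragment
antispoof_rules() {
    local int_if="$1" server_ip="$2" lan_range="$3"
    # Bogus source ranges, same list as the post's script
    local spoof_ips="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
    local ip

    echo '*filter'
    # A dedicated user chain keeps the rules separate from the rest of the policy
    echo ':ANTISPOOF - [0:0]'
    # Packets arriving from the internet must never carry our own address
    echo "-A ANTISPOOF -i $int_if -s $server_ip -j DROP"
    # ... nor an address from our internal LAN
    echo "-A ANTISPOOF -i $int_if -s $lan_range -j DROP"
    # ... nor a loopback, private, multicast or reserved source
    for ip in $spoof_ips; do
        echo "-A ANTISPOOF -i $int_if -s $ip -j DROP"
    done
    # Run the chain for traffic addressed to this host and for routed traffic
    echo "-A INPUT -i $int_if -j ANTISPOOF"
    echo "-A FORWARD -i $int_if -j ANTISPOOF"
    echo 'COMMIT'
}

# count_drop_rules <fragment on stdin> -> number of DROP rules in the fragment
count_drop_rules() {
    grep -c -- '-j DROP'
}

# Usage (root required for the final step):
#   antispoof_rules eth1 202.54.10.20 192.168.1.0/24 > /tmp/antispoof.rules
#   iptables-restore --noflush < /tmp/antispoof.rules
```

Review the generated file before loading it. The jump rules into INPUT and FORWARD are appended each time the fragment is loaded, so check with `iptables -C INPUT -i eth1 -j ANTISPOOF` before re-running, or flush the chain and delete the jumps first.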
Save and close the file. Call the above script from your own iptables script. Then add the following line to your /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
This entry enables source address verification (reverse path filtering), which is built into the Linux kernel itself.
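The sysctl line covers the "all" setting, but the kernel applies the maximum of conf/all/rp_filter and conf/<interface>/rp_filter to each interface, so the effective mode per interface is what matters. The following added example (not from the original post) reports that effective mode; the directory root is a parameter so the functions can be pointed at a constructed copy of the sysctl tree as well as at the live /proc/sys/net/ipv4/conf.

```bash
#!/bin/bash
# Added example: report the effective rp_filter mode for each interface.
# The kernel uses max(conf/all, conf/<iface>), so a global 1 covers interfaces
# still at 0, but an interface set to 2 (loose) wins over a global 1 (strict).
set -eu

# effective_rp_filter IFACE [ROOT] -> prints 0 (off), 1 (strict) or 2 (loose)
effective_rp_filter() {
    local iface="$1" root="${2:-/proc/sys/net/ipv4/conf}"
    local all_v if_v
    all_v="$(cat "$root/all/rp_filter")"
    if_v="$(cat "$root/$iface/rp_filter")"
    if [ "$all_v" -gt "$if_v" ]; then
        echo "$all_v"
    else
        echo "$if_v"
    fi
}

# rp_filter_mode_name VALUE -> human-readable label for the sysctl value
rp_filter_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# audit_rp_filter [ROOT] -> one line per real interface: "<iface> <value> <mode>"
audit_rp_filter() {
    local root="${1:-/proc/sys/net/ipv4/conf}" d iface v
    for d in "$root"/*/; do
        iface="$(basename "$d")"
        # "all" and "default" are knobs, not interfaces
        case "$iface" in all|default) continue ;; esac
        v="$(effective_rp_filter "$iface" "$root")"
        echo "$iface $v $(rp_filter_mode_name "$v")"
    done
}

# Usage on a live system: audit_rp_filter
```

An entry in /etc/sysctl.conf only takes effect at boot; run `sysctl -p` (or `sysctl -w net.ipv4.conf.all.rp_filter=1`) to apply it immediately, then re-run the audit to confirm every internet-facing interface reports strict.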