The following approaches can be used to mitigate IP spoofing attacks:
¦ Use access control lists (ACLs) on router interfaces. On the interface facing an outside network, an inbound ACL should deny any arriving packet whose source address falls within the IP address space used internally on the local network, since no legitimate packet from outside can carry an internal source address. Conversely, ACLs should keep hosts on the local network from participating in a DDoS attack by emitting spoofed traffic: an outbound ACL on the same interface denies any packet leaving the local network whose source address is not part of the internal address space. This pair of ingress and egress filters is the practice described in RFC 2827 (BCP 38). Note that border filtering of this kind cannot detect a packet spoofed by an attacker already inside the local network who uses another internal address; it limits what spoofing can achieve rather than eliminating it.
¦ Encrypt traffic between devices (for example, between two routers, or between an end system and a router) via an IPsec tunnel. In Figure 1-7, notice that the topology is now protected with an IPsec tunnel. Even though the attacker can still capture packets via the rogue hub, the captured packets are unreadable, because the traffic is encrypted inside the IPsec tunnel. Beyond confidentiality, IPsec (ESP with integrity protection, or AH) authenticates the origin of each packet, so a spoofed packet that does not carry a valid integrity check value for the security association is discarded by the receiver; this origin authentication, rather than encryption alone, is what defeats the spoofing itself.
Figure 1-7 Protecting Traffic in a Tunnel
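The ingress and egress anti-spoofing filters from the first bullet above, worked through as an added example that is not part of the original text. The internal prefix (10.0.0.0/8), the interface name in the commented IOS equivalent, and the sample packets are all constructed for illustration; the Python code reproduces the decision a border router's ACLs would make so the logic can be checked offline.

```python
"""Ingress/egress anti-spoofing filtering in the style of RFC 2827 (BCP 38).

Added example, not from the original page. Models the two ACLs a border
router would apply on its outside-facing interface:

  inbound  : deny packets from outside that claim an internal source address
  outbound : deny packets leaving the LAN whose source is not internal

Illustrative Cisco IOS equivalent (assumed interface and prefix):
    ip access-list extended ANTI-SPOOF-IN
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     permit ip any any
    ip access-list extended ANTI-SPOOF-OUT
     permit ip 10.0.0.0 0.255.255.255 any
     deny   ip any any
    interface GigabitEthernet0/0
     ip access-group ANTI-SPOOF-IN in
     ip access-group ANTI-SPOOF-OUT out
"""
import ipaddress
from dataclasses import dataclass

# Assumed (hypothetical) address space used inside the local network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Source ranges that should never arrive from the Internet either
# (unspecified, loopback, link-local, multicast, reserved).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" = arriving from outside, "out" = leaving the LAN


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def ingress_allowed(src: str) -> bool:
    """Inbound ACL: a packet from outside must not claim an internal or bogon source."""
    return not _in_any(src, INTERNAL_NETS + BOGON_NETS)


def egress_allowed(src: str) -> bool:
    """Outbound ACL: a packet may leave only if its source really is ours."""
    return _in_any(src, INTERNAL_NETS)


def filter_packet(pkt: Packet) -> str:
    """Return the ACL verdict ("permit" or "deny") for one packet.

    The direction is a property of the interface the packet hits, never of
    the packet's own header fields, which an attacker controls.
    """
    if pkt.direction == "in":
        return "permit" if ingress_allowed(pkt.src) else "deny"
    if pkt.direction == "out":
        return "permit" if egress_allowed(pkt.src) else "deny"
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic: one legitimate and one spoofed packet per direction.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.1.1.20", "in"),    # genuine Internet client
    Packet("10.1.1.9", "10.1.1.20", "in"),       # outsider spoofing an inside host
    Packet("10.1.1.20", "198.51.100.7", "out"),  # inside host talking out
    Packet("198.51.100.7", "192.0.2.1", "out"),  # inside host spoofing a victim
]


def run_samples() -> dict:
    """Apply the filters to the constructed samples; keyed by (src, direction)."""
    return {(p.src, p.direction): filter_packet(p) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for key, verdict in run_samples().items():
        print(f"{key[1]:>3} src={key[0]:<15} -> {verdict}")
```

The same check on a real Cisco router is the interface ACL pair in the docstring or, more compactly, unicast reverse path forwarding (`ip verify unicast source reachable-via rx`), which drops packets whose source address is not reachable via the interface they arrived on. Neither catches a packet spoofed by an attacker who is already inside the filtered network.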