【Lab Description】
The previous lab, "IP Address Spoofing Prevention with ACLs", achieved its goal but was relatively complex to configure. In this lab we use URPF (Unicast Reverse Path Forwarding) to prevent a portion of IP address spoofing with far less configuration. For background on URPF, see the article 《Unicast RPF,单播逆向转发》 (Unicast RPF, Unicast Reverse Path Forwarding).

【Lab Topology】
IOS: c2691-advsecurityk9-mz.124-11.T2.bin

【Lab Configuration Steps】

  • Configure the network shown in the topology above with the "Common Configuration" from the IP Services section
  • This lab enables uRPF checking but exempts one specific network from the check
  • Log every spoofing attempt
  • On R5, create interface Loopback1 with IP address 150.1.55.55/24 and interface Loopback2 with IP address 150.1.155.155/24
  • Do not advertise the two loopback networks above into any routing protocol
  • Disable BGP on R4 so that it no longer receives the default route
  • On R4, create access-list 100 permitting the 150.1.55.0/24 network, denying everything else and logging the denials
  • On R4, configure uRPF on the external (serial) interfaces, using access-list 100 as the uRPF ACL

【Lab Configuration】
R5:
interface Loopback1
ip address 150.1.55.55 255.255.255.0

interface Loopback2
ip address 150.1.155.155 255.255.255.0

R4:
no router bgp 1
access-list 100 permit ip 150.1.55.0 0.0.0.255 any
access-list 100 deny ip any any log
!
int s0/1
ip verify unicast reverse-path 100
!
int s0/0.1
ip verify unicast reverse-path 100

【Common Configuration】
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4


R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
!
interface Serial0/0
encapsulation frame-relay
no shutdown
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0


R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate

【Lab Verification】
R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

155.1.0.0/24 is subnetted, 2 subnets
C 155.1.0.0 is directly connected, Serial0/0.1
C 155.1.45.0 is directly connected, Serial0/1
150.1.0.0/24 is subnetted, 4 subnets
C 150.1.155.0 is directly connected, Loopback2
C 150.1.5.0 is directly connected, Loopback0
O 150.1.4.0 [110/65] via 155.1.45.4, 00:18:39, Serial0/1
[110/65] via 155.1.0.4, 00:18:39, Serial0/0.1
C 150.1.55.0 is directly connected, Loopback1

R5#ping 150.1.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/52 ms

R5#ping 150.1.4.4 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.55.55
.....

R4#show ip access-list
*Mar 1 00:17:57.727: %SYS-5-CONFIG_I: Configured from console by console
R4#show ip access
R4#show ip access-lists
Extended IP access list 100
10 permit ip 150.1.55.0 0.0.0.255 any (5 matches)
20 deny ip any any log

R4#show ip int s0/0.1
Serial0/0.1 is up, line protocol is up
Internet address is 155.1.0.4/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
IP verify source reachable-via RX, allow default, ACL 100
0 verification drops
5 suppressed verification drops

R5#ping 150.1.4.4 source l2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.155.155
.....

R4#show ip access 100
Extended IP access list 100
10 permit ip 150.1.55.0 0.0.0.255 any (5 matches)
20 deny ip any any log (5 matches)

R4#
*Mar 1 00:24:14.719: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.1.155.155 -> 150.1.4.4 (0/0), 4 packets

R4#show ip int s0/0.1
Serial0/0.1 is up, line protocol is up
Internet address is 155.1.0.4/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
IP verify source reachable-via RX, allow default, ACL 100
5 verification drops
5 suppressed verification drops
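To make the decision R4 is taking visible, here is an added Python model of strict uRPF with an ACL exemption. This is example code written for this page, not the original post's configuration and not Cisco's implementation. It replays the three pings above as seen on R4's Serial0/0.1: the FIB is constructed from the configurations in this post (the two equal-cost paths to 150.1.5.0/24 are assumed by symmetry with R5's routing table), the ACL is access-list 100, and the names Route, AclEntry, UrpfInterface, urpf_check, run_lab and syslog_summary are the example's own. A packet whose source has no return path through the ingress interface fails the RPF check; the ACL then decides whether it is forwarded anyway (a "suppressed verification drop", counted on the matching permit entry) or dropped (a "verification drop", logged when the deny entry carries log). Two things the counters above show: the ping sourced from Loopback1 is forwarded by uRPF (5 permit matches, 0 verification drops) yet still fails, because R4 has no route back to 150.1.55.0/24 for its echo replies; and the model's default_route switch reproduces why the lab removes BGP first, since with R5's default route still installed the "allow default" behaviour would let the 150.1.155.155 source through.

```python
"""Model of 'ip verify unicast reverse-path <acl>' (strict uRPF with an ACL exemption).
Added example for this lab write-up; FIB, ACL and packets are constructed from the post,
the class and function names are hypothetical."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    interfaces: frozenset          # egress interface(s); two entries for equal-cost OSPF paths


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    source: Net                    # access-list 100 only tests the source, so that is all we model
    log: bool = False
    matches: int = 0


@dataclass
class UrpfInterface:
    """An interface with uRPF applied (hypothetical model of R4's Serial0/0.1)."""
    name: str
    acl: list
    allow_default: bool = True     # the legacy command shows 'allow default' in show ip interface
    verification_drops: int = 0
    suppressed_verification_drops: int = 0
    denied: dict = field(default_factory=dict)   # (src, dst) -> packets, for the syslog summary


def longest_match(fib, addr):
    """Most specific route covering addr, or None (the CEF lookup uRPF relies on)."""
    covering = [r for r in fib if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(iface, fib, src, dst):
    """Strict uRPF decision for one packet arriving on iface; True means forward."""
    route = longest_match(fib, src)
    if route is not None and route.prefix.prefixlen == 0 and not iface.allow_default:
        route = None               # a default route only satisfies the check with allow-default
    if route is not None and iface.name in route.interfaces:
        return True                # best path back to the source is this interface: passes
    # RPF failed; the uRPF ACL decides whether to forward anyway
    for entry in iface.acl:
        if src in entry.source:
            entry.matches += 1
            if entry.action == "permit":
                iface.suppressed_verification_drops += 1
                return True
            if entry.log:
                key = (str(src), str(dst))
                iface.denied[key] = iface.denied.get(key, 0) + 1
            break
    iface.verification_drops += 1  # explicit deny, or the implicit deny at the end of the list
    return False


def syslog_summary(iface, acl_number=100):
    """One %SEC-6-IPACCESSLOGDP-style line per denied flow (IOS rate-limits, so its counts differ)."""
    return [f"%SEC-6-IPACCESSLOGDP: list {acl_number} denied icmp {s} -> {d} (0/0), {n} packets"
            for (s, d), n in iface.denied.items()]


def r4_fib(default_route=False):
    """R4's routing table as the lab leaves it (constructed from the post's configurations).
    The two equal-cost paths to R5's Loopback0 are assumed by symmetry with R5's own table."""
    serials = frozenset({"Serial0/0.1", "Serial0/1"})
    fib = [
        Route(Net("150.1.4.0/24"), frozenset({"Loopback0"})),
        Route(Net("10.0.0.0/24"), frozenset({"FastEthernet0/0"})),
        Route(Net("155.1.0.0/24"), frozenset({"Serial0/0.1"})),
        Route(Net("155.1.45.0/24"), frozenset({"Serial0/1"})),
        Route(Net("150.1.5.0/24"), serials),
        # 150.1.55.0/24 and 150.1.155.0/24 are deliberately absent: R5 does not advertise them
    ]
    if default_route:              # what R5's BGP default-originate gave R4 before 'no router bgp 1'
        fib.append(Route(Net("0.0.0.0/0"), serials))
    return fib


def acl_100():
    """access-list 100 from the post: permit 150.1.55.0/24, deny and log everything else."""
    return [AclEntry("permit", Net("150.1.55.0/24")),
            AclEntry("deny", Net("0.0.0.0/0"), log=True)]


def run_lab(default_route=False):
    """Replay the three pings from the lab as seen by R4's Serial0/0.1.
    Returns (packets forwarded per source, interface state)."""
    iface = UrpfInterface("Serial0/0.1", acl_100(), allow_default=True)
    fib = r4_fib(default_route)
    dst = IPv4("150.1.4.4")
    pings = {"150.1.5.5": 0, "150.1.55.55": 0, "150.1.155.155": 0}
    for src in pings:
        for _ in range(5):         # five ICMP echoes per 'ping'
            if urpf_check(iface, fib, IPv4(src), dst):
                pings[src] += 1
    return pings, iface


if __name__ == "__main__":
    forwarded, s0 = run_lab()
    print(forwarded)
    print(f"{s0.verification_drops} verification drops, "
          f"{s0.suppressed_verification_drops} suppressed verification drops")
    for line in syslog_summary(s0):
        print(line)
```

run_lab() returns how many packets of each ping uRPF forwarded together with the interface counters, which with the lab's FIB come out as the 0/5 and 5/5 drop counters shown above; run_lab(default_route=True) shows all three sources passing once a default route is back, which is the reason the lab disables BGP on R4 before testing. syslog_summary() emits one summary line per denied flow, whereas the real IOS log above reports the first packet and then a rate-limited summary, so the packet count in the message is not meant to match exactly.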
This article is reposted from zcm8483's 51CTO blog; original link: http://blog.51cto.com/haolun/991664
