Inappropriate IP Addresses
Besides smurf and fraggle attacks, other attacks involve the use of what can be generally termed inappropriate IP addresses, both for the source IP address and the destination IP address. By using inappropriate IP addresses, the attacker can remain hidden and elicit the cooperation of other hosts to create a distributed denial-of-service (DDoS) attack.

One of the Layer 3 security best practices is to use ACLs to filter packets whose IP addresses are not appropriate. For instance, the smurf attack listed a specific source IP address of 1.1.1.2, but packets with that source address should never enter AS1 from the Internet. The Internet Assigned Numbers Authority (IANA) manages the assignment of IP prefix ranges. It lists the assigned ranges in a document found at http://www.iana.org/assignments/ipv4-address-space. A router can then be configured with ACLs that filter packets based on known assigned ranges and on known unassigned ranges. For example, in Figure 18-9, an enterprise router should never need to forward a packet onto the Internet if that packet has a source IP address from another company's registered IP prefix. In the smurf attack case, such an ACL applied at the attacker's ISP would have prevented the original packet from reaching AS1.

Routers should also filter packets that use IP addresses that should be considered bogus or inappropriate. For example, a packet should never have a broadcast or multicast source IP address in normal use. Also, an enterprise router should never receive a packet from an ISP with that packet's source IP address being a private network address per RFC 1918. Additionally, that same router should not accept packets sourced from IP addresses in ranges currently unallocated by IANA. These types of IP addresses are commonly called bogons, which is a derivation of the word bogus.

Creating an ACL to match these bogon IP addresses is not particularly difficult, but it does require a lot of administrative effort, particularly to update it based on changes to IANA's assigned prefixes. You can use freeware called the Router Audit Tool (RAT) that makes recommendations for router security, including bogon ACLs. You can also use the Cisco IOS AutoSecure feature, which automatically configures ACLs to prevent the use of such bogus IP addresses.
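The ingress and egress checks described above, as an added example that is not from the book or from Cisco: it classifies a packet's source address the way the recommended ACLs would, and emits the equivalent IOS extended ACL using wildcard masks. The enterprise prefix 1.1.1.0/24 (containing the 1.1.1.2 source from the smurf discussion), the BOGON_SOURCES list and the function names are assumptions for this example; the IANA-unallocated ranges are not hard-coded because they change over time.

```python
import ipaddress

# Constructed list of ranges that should never be the source of a packet
# arriving from the Internet: "this" network, RFC 1918 private space,
# loopback, link-local, multicast and the limited broadcast address.
# Ranges currently unallocated by IANA would be appended from IANA's list.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def classify_ingress(src, enterprise_prefix):
    """Packet entering the enterprise from the ISP: returns (action, reason)."""
    addr = ipaddress.ip_address(src)
    own = ipaddress.ip_network(enterprise_prefix)
    # A source inside our own prefix cannot legitimately arrive from outside.
    if addr in own:
        return ("drop", "spoofed enterprise source %s from the Internet" % addr)
    for net in BOGON_SOURCES:
        if addr in net:
            return ("drop", "bogon source %s in %s" % (addr, net))
    return ("permit", "source %s is routable and not ours" % addr)


def classify_egress(src, enterprise_prefix):
    """Packet leaving toward the Internet must carry one of our own addresses."""
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network(enterprise_prefix):
        return ("permit", "source %s belongs to the enterprise" % addr)
    return ("drop", "source %s is not in %s" % (addr, enterprise_prefix))


def ios_ingress_acl(enterprise_prefix, name="INGRESS-BOGON"):
    """Render the ingress policy as IOS extended ACL lines (wildcard masks)."""
    lines = ["ip access-list extended %s" % name]
    for net in BOGON_SOURCES + [ipaddress.ip_network(enterprise_prefix)]:
        lines.append(" deny ip %s %s any" % (net.network_address, net.hostmask))
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    print(classify_ingress("1.1.1.2", "1.1.1.0/24"))
    print(classify_egress("198.51.100.9", "1.1.1.0/24"))
    print("\n".join(ios_ingress_acl("1.1.1.0/24")))
```

Applied inbound on the ISP-facing interface, the rendered ACL drops the spoofed 1.1.1.2 source before it can trigger the directed-broadcast amplification inside AS1.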