思科设置技巧之严防IP地址欺骗攻击
欢迎进入网络技术社区论坛,与200万技术人员互动交流 >>进入 本文主要面向思科路由器用户具体的介绍了如何防止遭受IP地址欺骗攻击,那么我们在使用中如何进行操作,下面的文章将给予你详细介绍。 互联网充满着各种安全威胁,其中之一就是IP地址欺骗。IP欺骗技
欢迎进入网络技术社区论坛,与200万技术人员互动交流 >>进入
本文主要面向思科路由器用户具体的介绍了如何防止遭受IP地址欺骗攻击,那么我们在使用中如何进行操作,下面的文章将给予你详细介绍。
互联网充满着各种安全威胁,其中之一就是IP地址欺骗。IP欺骗技术就是伪造某台主机的IP地址的技术。通过IP地址的伪装使得某台主机能够伪装另外的一台主机,而这台主机往往具有某种特权或者被另外的主机所信任。互联网操作系统(IOS)是思科特有的核心软件数据包,主要在思科路由器和交换机上实现,特别是可用它配置Cisco路由器硬件,令其将信息从一个网络路由或桥接至另一个网络。可以毫不客气地说,I0S是思科路由器产品的动力之源。那么怎样利用思科IOS防止IP欺骗呢?
阻止IP地址
防止IP欺骗的第一步就是阻止能造成风险的IP地址。虽然攻击者可以欺骗任何IP地址,最常被欺骗的IP地址是私有IP地址(请参考RFC1918)和其它类型的共享/特别的IP地址。
例如,笔者就阻止如下的IP地址(后面紧跟着其子网掩码)从Internet访问本机:
?10.0.0.0(255.0.0.0)
?172.16.0.0(255.240.0.0)
?192.168.0.0(255.255.0.0)
?127.0.0.0(255.0.0.0)
?224.0.0.0(224.0.0.0)
?169.254.0.0(255.255.0.0)
以上所列示的是私有的在互联网上不可路由的IP地址,抑或是用于其它目的的IP地址,因此不应出现在互联网上。如果来自互联网的通信以其中某个IP地址为源地址,必定是欺骗性的通信。
此外,其它常被欺骗的IP地址是那些你的组织使用的任何内部IP地址。如果你正使用全部的私有IP地址,那你的范围就应该属于以上所列示的IP地址。然而,如果你正使用自己的公有IP地址范围,你就应该将其加入到以上列表中。
实施访问控制列表(ACL)
最简单的防止欺骗的方法就是对所有的互联网通信使用一个进入过滤器。进入过滤器会丢弃源地址为以上所列地址的任何数据包。换句话说,就是创建一个ACL(access control list),使之丢弃所有进入的网络的源地址为上述列表中IP地址的数据包。
下面是一个配置的例子:
1.Router# conf t
2.Enter configuration commands, one per line. End with CNTL/Z.
3.Router(config)# ip access-list ext ingress-antispoof
4.Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
5.Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
6.Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
7.Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
8.Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
9.Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
10.Router(config-ext-nacl)# permit ip any any
11.Router(config-ext-nacl)# exit
12.Router(config)#int s0/0
13.Router(config-if)#ip access-group ingress-antispoof in
互联网服务供应商(ISP)必须在其网络中使用这样的过滤,这一点是在RFC 2267中定义的。注意此ACL操作中包含“permit ip any any”。在现实世界中,你可能会在路由器中有一个正式的防火墙,用以保护内部LAN。 当然,你可以将此方法用于过滤所有进入本机所在子网的、来自网络内部其它子网的数据包,以确保不在某子网内的任何人不会将欺骗性的数据通信传到其它网络。你也可以实施一个“转出ACL”来防止内部网络从其它网络实施IP地址欺骗。不过,请记住,这仅是你全局网络安全策略的一个局部而已。
使用反向路径转发(IP验证)
另一个保护网络免受IP地址欺骗的方法是反向路径转发(RPF),即IP验证。在思科的IOS中,用于反向路径转发(RPF)的命令是以“ip verify”开始的。
RPF在工作起来就象一个反垃圾邮件解决方案的部分功能一样,该功能部分收到进入的电子邮件消息,找到源电子邮件的源地址,然后到发送服务器上执行一个检查操作,确定发送者是否真的存在于发送消息的服务器上。如果发送者不存在,服务器就丢弃此电子邮件消息,因为它极有可能是一个垃圾邮件。
RPF对数据包作出相似的操作。它取出所收到的来自互联网的某个数据包的源地址,查看在路由器的路由表中是否存在一个路由可以应答此数据包。如果路由表中没有路由来作为返回给源IP地址的数据包的应答,那么就是有人发送了欺骗性数据包,路由器就丢弃这个数据包。
下面展示怎样在路由器中配置反向地址转发:
1.Router(config)# ip cef
2.Router(config)# int serial0/0
3.Router(config-if)# ip verify unicast reverse-path
保护私有网络免受攻击者的侵害是极端重要的。我们在这里介绍的三个方法将对你保护网络免受IP地址欺骗起到重要的作用。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to set the scheduled time for publishing works on Douyin? How does it set the video duration?
Mar 27, 2024 pm 06:11 PM
Publishing works on Douyin can attract more attention and likes, but sometimes it may be difficult for us to publish works in real time. In this case, we can use Douyin's scheduled release function. Douyin’s scheduled release function allows users to automatically publish works at a scheduled time, which can better plan the release plan and increase the exposure and influence of the work. 1. How to set the scheduled time for publishing works on Douyin? To set a scheduled release time, first go to Douyin's personal homepage, find the "+" button in the upper right corner, and click to enter the release page. There is a clock icon in the lower right corner of the publishing page. Click to enter the scheduled publishing interface. In the interface, you can choose the type of work you want to publish, including short videos, long videos, and live broadcasts. Next, you need to set a time for your work to be published. TikTok provides
Where is the Douyin tag set? How can it be tagged so that it can be pushed accurately?
Mar 27, 2024 am 11:01 AM
As one of the most popular short video platforms in the world, Douyin allows everyone to become a creator and share every moment of life. For Douyin users, tags are a very important function. It can help users better classify and retrieve content, and also allows the platform to push appropriate content to users more accurately. So, where are the Douyin tags set? This article will explain in detail how to set up and use tags on Douyin. 1. Where is the Douyin tag set? Using tags on Douyin can help users better classify and label their works, making it easier for other users to find and follow them. The method to set the label is as follows: 1. Open the Douyin APP and log in to your account. 2. Click the "+" sign at the bottom of the screen and select the "Publish" button. 3.
Win11 Tips Sharing: Skip Microsoft Account Login with One Trick
Mar 27, 2024 pm 02:57 PM
Win11 Tips Sharing: One trick to skip Microsoft account login Windows 11 is the latest operating system launched by Microsoft, with a new design style and many practical functions. However, for some users, having to log in to their Microsoft account every time they boot up the system can be a bit annoying. If you are one of them, you might as well try the following tips, which will allow you to skip logging in with a Microsoft account and enter the desktop interface directly. First, we need to create a local account in the system to log in instead of a Microsoft account. The advantage of doing this is
Do Not Disturb Mode Not Working in iPhone: Fix
Apr 24, 2024 pm 04:50 PM
Even answering calls in Do Not Disturb mode can be a very annoying experience. As the name suggests, Do Not Disturb mode turns off all incoming call notifications and alerts from emails, messages, etc. You can follow these solution sets to fix it. Fix 1 – Enable Focus Mode Enable focus mode on your phone. Step 1 – Swipe down from the top to access Control Center. Step 2 – Next, enable “Focus Mode” on your phone. Focus Mode enables Do Not Disturb mode on your phone. It won't cause any incoming call alerts to appear on your phone. Fix 2 – Change Focus Mode Settings If there are some issues in the focus mode settings, you should fix them. Step 1 – Open your iPhone settings window. Step 2 – Next, turn on the Focus mode settings
How to set the watermark in the middle on Weibo_How to set the watermark in the middle on Weibo
Mar 29, 2024 pm 03:31 PM
1. First enter Weibo, then click on me in the lower right corner and select [Customer Service]. 2. Then enter [Watermark] in the search box and select [Set Weibo Image Watermark]. 3. Then click [Link] in the interface. 4. Then click [Image Watermark Settings] in the newly opened window. 5. Finally, check [Picture Center] and click [Save].
How to set up scheduled publishing on Weibo_Tutorial on how to set up scheduled publishing on Weibo
Mar 29, 2024 pm 03:51 PM
1. Open the Weibo client, click the three little dots on the editing page, and then click Scheduled Post. 2. After clicking on scheduled posting, there will be a time option on the right side of the publishing time. Set the time, edit the article, and click on the yellow words in the lower right corner to schedule posting. 3. The mobile version of Weibo does not currently support scheduled publishing. This function can only be used on the PC client!
Where to set Douyin recommendations and selections
Mar 27, 2024 pm 05:06 PM
Where are the recommendations and selections on Douyin? In Douyin short videos, there are two categories: selection and recommendation. Most users don’t know how to set up recommendations and selections. Next is the Douyin tutorial that the editor brings to users. Audio recommendations and selected setting method tutorials, interested users come and take a look! Douyin usage tutorial Where to set up Douyin recommendations and selections 1. First open the Douyin short video APP and enter the main page, click on the [Me] area in the lower right corner and select [three horizontal lines] in the upper right corner; 2. Then on the right The function bar will expand, slide the page to select [Settings] at the bottom; 3. Then on the settings function page, find the [Personal Information Management] service; 4. Finally jump to the personal information management page, slide [Personalized Content Recommendations] 】The buttons on the back can be set.
How to set the countdown to grab tickets in Damai
Apr 01, 2024 pm 07:01 PM
When buying tickets on Damai.com, in order to ensure that the ticket purchase time can be accurately grasped, users can set a floating clock to grab tickets. The detailed setting method is below, let us learn together. How to bind the floating clock to Damai 1. Click to open the floating clock app on your phone to enter the interface, and click on the location where the flash sale check is set, as shown in the figure below: 2. After coming to the page of adding new records, click on Damai.com Copy the ticket purchase link page copied in. 3. Next, set the flash sale time and notification time below, turn on the switch button behind [Save to Calendar], and click [Save] below. 4. Click to turn on [Countdown], as shown in the figure below: 5. When the reminder time comes, click the [Start Picture-in-Picture] button below. 6. When the ticket purchase time comes
