Ip Address Spoofing - Dell PowerConnect J-EX4200-24T Software Manual

Dell PowerConnect J-Series Ethernet Switch Complete Software Guide for Junos OS

IP Address Spoofing

How IP Source Guard Works
The IP Source Guard Database
Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses
by flooding the switch with packets containing invalid addresses. Such attacks combined
with other techniques such as TCP SYN flood attacks can result in denial-of-service
(DoS) attacks. With source IP address or source MAC address spoofing, the system
administrator cannot identify the source of the attack. The attacker can spoof addresses
on the same subnet or on a different subnet.
IP source guard checks the IP source address and MAC source address in a packet sent
from a host attached to an untrusted access interface on the switch against entries
stored in the DHCP snooping database. If IP source guard determines that the packet
header contains an invalid source IP address or source MAC address, it ensures that the
switch does not forward the packet—that is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP source
guard applies its checking rules to packets sent from untrusted access interfaces on
those VLANs. By default, on J-EX Series switches, access interfaces are untrusted and
trunk interfaces are trusted. IP source guard does not check packets that have been sent
to the switch by devices connected to either trunk interfaces or trusted access
interfaces—that is, interfaces configured as dhcp-trusted so that a DHCP server can be
connected to that interface to provide dynamic IP addresses.
IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP packets
against the entries in that database.
After the DHCP snooping database has been populated either through dynamic DHCP
snooping or through configuration of specific static IP address/MAC address bindings,
the IP source guard feature builds its database. It then checks incoming packets from
access interfaces on the VLANs on which it is enabled. If the source IP addresses and
source MAC addresses match the IP source guard binding entries, the switch forwards
the packets to their specified destination addresses. If there are no matches, the switch
discards the packets.
The IP source guard database looks like this:
user@switch> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address   MAC Address        VLAN
ge-0/0/12.0  0    10.10.10.7   00:30:48:92:A5:9D  vlan100
ge-0/0/13.0  0    10.10.10.9   00:30:48:8D:01:3D  vlan100
ge-0/0/13.0  100  *            *                  voice
The IP source guard database table contains the VLANs enabled for IP source guard, the
untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any,
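The following is an added example, not code from the Dell or Junos manual: a small simulator of the forwarding decision described above. It parses the show ip-source-guard table into bindings and checks constructed packets against them. The trusted-interface set, the wildcard meaning of "*" and the packet fields are assumptions made for the simulation, not documented switch internals.

```python
# Added example (not from the manual): simulate the IP source guard check.
# Assumptions: "*" in a binding matches any address; packets arriving on a
# trusted (trunk / dhcp-trusted) interface are never checked, as the text states.
from dataclasses import dataclass

# Constructed copy of the CLI table shown on the page; column order as in the output.
SHOW_OUTPUT = """\
Interface    Tag  IP Address   MAC Address        VLAN
ge-0/0/12.0  0    10.10.10.7   00:30:48:92:A5:9D  vlan100
ge-0/0/13.0  0    10.10.10.9   00:30:48:8D:01:3D  vlan100
ge-0/0/13.0  100  *            *                  voice
"""


@dataclass(frozen=True)
class Binding:
    interface: str
    tag: int
    ip: str   # "*" = any source IP
    mac: str  # "*" = any source MAC, stored lower-case


def parse_bindings(text):
    """Turn the 'show ip-source-guard' table (header on line 1) into Binding entries."""
    rows = [line.split() for line in text.splitlines()[1:] if line.strip()]
    return [Binding(r[0], int(r[1]), r[2], r[3].lower()) for r in rows]


def source_guard_allows(bindings, trusted_ifaces, iface, tag, src_ip, src_mac):
    """Return True if the switch forwards the packet, False if it discards it."""
    if iface in trusted_ifaces:
        return True  # trunk or dhcp-trusted interface: not subject to the check
    for b in bindings:
        if b.interface != iface or b.tag != tag:
            continue  # binding belongs to another interface or VLAN tag
        if b.ip in ("*", src_ip) and b.mac in ("*", src_mac.lower()):
            return True  # both source addresses match a binding entry
    return False  # no matching binding: spoofed or unknown source, packet discarded
```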