Interesting article :) My approach would be to simply add an ACL on E0/0 to deny incoming packets with a source address that is from the destination network... this works well when there are few interfaces, but could become unmanageable on a large router with many interfaces or sub-interfaces.
e.g.
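ip access-list extended stopspoofs
 ! extended ACLs take a wildcard (inverse) mask, so a /24 is written 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 any
 ! assuming there are no other access list entries required
 permit ip any any
interface Ethernet0/0
 ! apply the ACL to packets arriving on this interface
 ip access-group stopspoofs in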
Other things that are good to block at this point are packets with broadcast, multicast or network addresses as the source address.
Link to this comment: http://www.securityfocus.com/comments/infocus/1847/13#13
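
The comment above notes that hand-written anti-spoofing ACLs become hard to manage on a router with many interfaces. The following is an added example, not part of the original comment: it generates one inbound ACL per interface from a single topology map and also denies multicast and limited-broadcast sources. The topology map, the per-interface ACL names and every network other than 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress

# Sources that are never valid on any interface: multicast and limited broadcast.
ALWAYS_DENY = [ipaddress.ip_network("224.0.0.0/4"),
               ipaddress.ip_network("255.255.255.255/32")]

def acl_term(net):
    """Render a network as an IOS extended-ACL source (wildcard mask, not netmask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def build_acls(topology):
    """topology: interface name -> networks that legitimately sit behind it.
    Returns interface name -> list of IOS configuration lines."""
    parsed = {ifc: [ipaddress.ip_network(n) for n in nets]
              for ifc, nets in topology.items()}
    out = {}
    for ifc in parsed:
        # A packet arriving here must not claim a source behind another interface.
        foreign = [n for other, nets in parsed.items() if other != ifc for n in nets]
        name = "stopspoofs-" + ifc.replace("/", "-")  # hypothetical naming scheme
        lines = [f"ip access-list extended {name}"]
        # Merge adjacent networks so the ACL stays as short as possible.
        lines += [f" deny ip {acl_term(n)} any"
                  for n in ipaddress.collapse_addresses(foreign)]
        lines += [f" deny ip {acl_term(n)} any" for n in ALWAYS_DENY]
        lines += [" permit ip any any",
                  f"interface {ifc}",
                  f" ip access-group {name} in"]
        out[ifc] = lines
    return out

# Constructed sample topology: Ethernet0/0 is the uplink with no inside networks.
SAMPLE = {
    "Ethernet0/0": [],
    "Ethernet0/1": ["192.168.1.0/24"],
    "Ethernet0/2": ["192.168.2.0/24", "192.168.3.0/24"],
}

if __name__ == "__main__":
    for lines in build_acls(SAMPLE).values():
        print("\n".join(lines))
        print("!")
```
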