Antispoofing


Cisco ASA contains several features that enhance the network's ability to be self-defending. One of these features is antispoofing. Antispoofing helps protect an ASA interface by verifying that the source of the traffic arriving on that interface is valid.

The antispoofing feature protects an individual interface from IP address spoofing by creating filters that confirm both source address and route integrity. It is configured with the ip verify reverse-path command-line interface (CLI) command. The feature verifies route integrity by performing a route lookup on the source address of each incoming packet. The packet is dropped if no route exists back to the source address, or if the route back does not point to the interface on which the packet arrived. A source address with no return route on the receiving interface is treated as suspect for a denial-of-service (DoS) attack, because many attacks use IP spoofing to disguise the attacker's true source IP address.
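The following Python is an added illustration, not code from the book or from Cisco, of the strict reverse-path decision the paragraph describes: look up the packet's source address in the routing table, drop if there is no route, and drop if the route back exits a different interface than the one the packet arrived on. The routing table, interface names and sample packets are constructed for the example, and the check is applied only on interfaces where it is "enabled", mirroring the per-interface nature of the ASA command.

```python
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
# No default route is present, so a source outside every prefix has "no route".
# With a default route on the outside interface, any otherwise-unmatched source
# would resolve to "outside" by longest-prefix match.
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("10.1.200.0/24", "dmz"),       # more specific than 10.1.0.0/16, points elsewhere
    ("10.2.0.0/16", "dmz"),
    ("203.0.113.0/24", "outside"),
    ("192.168.100.0/24", "mgmt"),
]

# Interfaces on which the reverse-path check is enabled (constructed choice).
URPF_INTERFACES = {"inside", "outside", "dmz"}

# Constructed sample packets: (ingress interface, source address).
PACKETS = [
    ("inside", "10.1.5.7"),       # legitimate internal host
    ("outside", "10.1.5.7"),      # internal address arriving from outside: spoofed
    ("outside", "203.0.113.9"),   # external source with a matching route
    ("dmz", "172.16.0.1"),        # no route back at all
    ("inside", "10.2.3.4"),       # route points to dmz, arrived on inside
    ("dmz", "10.1.200.5"),        # longest prefix wins: /24 via dmz, not /16 via inside
    ("mgmt", "172.16.0.1"),       # check not enabled on mgmt, so not inspected
]


def build_table(routes):
    """Parse the prefix strings once into ip_network objects."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def route_lookup(table, addr):
    """Longest-prefix match; returns the egress interface, or None if no route covers addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for net, ifname in table:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def urpf_check(table, ingress_if, src):
    """Strict reverse-path check on one packet.

    Returns ("permit", reason) or ("drop", reason). A packet is dropped when the
    source has no return route, or when the return route exits a different
    interface than the one the packet came in on.
    """
    egress = route_lookup(table, src)
    if egress is None:
        return ("drop", "no route to source")
    if egress != ingress_if:
        return ("drop", f"route to source exits {egress}, packet arrived on {ingress_if}")
    return ("permit", "route to source matches ingress interface")


def process_packets(table, urpf_interfaces, packets):
    """Apply the check only on interfaces where it is enabled; others pass untouched."""
    results = []
    for ingress_if, src in packets:
        if ingress_if not in urpf_interfaces:
            results.append(((ingress_if, src), "permit", "reverse-path check not enabled"))
            continue
        verdict, reason = urpf_check(table, ingress_if, src)
        results.append(((ingress_if, src), verdict, reason))
    return results


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for pkt, verdict, reason in process_packets(TABLE, URPF_INTERFACES, PACKETS):
        print(f"{pkt[0]:>8} {pkt[1]:<14} {verdict:<7} {reason}")
```

The second packet is the case the paragraph is concerned with: a packet claiming an inside address but arriving on the outside interface is dropped because the route back to that address points at inside. The sixth packet shows why the lookup must be longest-prefix: the /24 carved out of the inside range belongs to the DMZ, so the same address would be dropped if it arrived on inside.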

Figure 3-2 shows where to enable antispoofing on an interface in ASDM: select the interface and click the Enable button under Antispoofing. This antispoofing feature is also called Unicast Reverse Path Forwarding (uRPF).

Figure 3-2. Antispoofing/uRPF Configuration




Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112
