Dealing with Spoofed packet

Is there a way to drop an incoming packet that is using a spoofed IP source address (it imitates that it comes from specific IP) ???


In IPS mode, Suricata has the ability to drop packets so it’s possible there. See 6.1. Rules Format — Suricata 6.0.4 documentation for some info on how to write such a rule. A simple rule might be drop ip any -> any any (msg:"Drop all traffic from"; sid: 11111;)

In IDS mode, Suricata receives a copy of the traffic and operates in “offline” or “passive” mode. Suricata does not have the ability to shape traffic in IDS mode.

Hi Jeff,

Thanks for your quick reply.

One more thing, I don’t want to drop all packets from a specific address.
Please see attached topology.

I am spoofing this IP (2001:db8:0:1::2) and sending the crafted packet to AFTR ens34 interface.
Is it possible that my IPS to conduct a deep inspection at AFTR machine to figure out that this packet has a spoofed source IP ?
If I drop all packets coming from (2001:db8:0:1::2), it means that legitimate traffic (from B4 machine) will also be blocked.


How will you determine that the IP has been spoofed? Can that logic be encoded into a rule?

That is what I am trying to figure out, :slight_smile:

How do you ensure it’s not spoofed? What would be your indicator for the legitimate one?

What is the point of an IDS then? if I have to do it all by myself ?.

There are several ways to spoof and some won’t be covered unless you have some sort of baseline.
For example a whitelist of identifiers.

You can also try to look into rulesets if they already provide some detection. The IDS itself relies a lot on them, although itself already discovers some specific malformed/invalid traffic.