
IP Spoofing Defense Setup Guide

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
ARP Accept
ARP Spoofing
IP Spoofing
spoofdef

IP spoofing is a method of creating IP packets with a false source IP address in the header. It has legitimate uses, such as website performance testing or simulating many users accessing an online shop. It is also a commonly used technique for attackers to impersonate another computing system so that they can send large amounts of packets to exhaust the available resources of the destination machine.


IP Spoofing Configuration on DrayTek Routers

There are two methods of configuring IP Spoofing Defense on DrayTek routers, depending on the firmware version your router supports:

Setup on GUI (available since firmware version 3.8.8 or later)

Go to the [Firewall] > [Defense Setup] > [Spoofing Defense] page. Under the IP Spoofing Defense section, select the Block IP packet from WAN or LAN option. Set Log to Enable if you need to see whether the router had to take any action.


Telnet command (firmware version 3.8.7 or older)

1. Telnet into Vigor Router

2. Use one of the following commands:

  • To enable Block IP packet from WAN with inconsistent source IP addresses, enter “ip spoofdef WAN 1”. The router should respond with a “Setting saved:” message.


  • To enable Block IP packet from LAN with inconsistent source IP addresses, enter “ip spoofdef LAN 1”. The router should respond with a “Setting saved:” message.


How to disable IP Spoofing via Telnet:

  • To disable Block IP packet from WAN with inconsistent source IP addresses, enter “ip spoofdef WAN 0”.


  • To disable Block IP packet from LAN with inconsistent source IP addresses, enter “ip spoofdef LAN 0”.


IP Spoofing Log Output:

1. Block IP packet from WAN with inconsistent source IP addresses (Enabled by default)

When receiving packets from WAN, the Vigor Router checks whether the source IP address is consistent with the WAN interface the packet arrived on. If not, the Vigor drops the packets instead of forwarding them to the internal network.

For example, if the Vigor’s LAN network IP address is 192.168.1.1 and it receives a packet from WAN with the source IP 192.168.1.100, the Vigor will drop the packet and write a defense log entry like this:
[IP Spoofing Defense]Block packet from WAN with source IP: 192.168.1.100

2. Block IP packet from LAN with inconsistent source IP addresses

When receiving packets from LAN and this option is enabled, the Vigor Router checks whether the source IP is consistent with the LAN interface the packet arrived on. If not, the Vigor drops the packet and writes a log entry similar to this:
[IP Spoofing Defense]Block packet from LAN with source IP: 192.168.239.31
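As an added example, not DrayTek's code, the following Python script parses the defense log lines shown above and models the router's consistency check with an assumed rule: a LAN-subnet source address arriving on WAN, or a non-LAN source address arriving on LAN, is treated as spoofed. The LAN_NETWORKS value and the sample log are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed for this example: the router's LAN subnet, matching the
# article's 192.168.1.1 LAN address. A multi-LAN router would list one
# network per LAN interface.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def is_inconsistent(interface, src_ip, lan_networks=LAN_NETWORKS):
    """Assumed model of the router's check (the firmware's exact rules are
    not documented on the page): a LAN address arriving on WAN, or a non-LAN
    address arriving on LAN, is inconsistent. Returns True when dropped."""
    ip = ipaddress.ip_address(src_ip)
    in_lan = any(ip in net for net in lan_networks)
    if interface == "WAN":
        return in_lan
    if interface == "LAN":
        return not in_lan
    raise ValueError(f"unknown interface: {interface}")


# Matches the log format shown in the article.
LOG_RE = re.compile(
    r"\[IP Spoofing Defense\]Block packet from (WAN|LAN) with source IP: (\S+)"
)


def parse_spoof_log(lines):
    """Extract (interface, source_ip) pairs from router log lines,
    ignoring lines that are not spoofing-defense entries."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def top_sources(events):
    """Count blocked packets per (interface, source IP) so that a sustained
    flood from one address stands out from a stray packet."""
    return Counter(events).most_common()


# Constructed sample log, not captured from a real router.
SAMPLE_LOG = [
    "[IP Spoofing Defense]Block packet from WAN with source IP: 192.168.1.100",
    "[IP Spoofing Defense]Block packet from WAN with source IP: 192.168.1.100",
    "router: unrelated log line that the parser must skip",
    "[IP Spoofing Defense]Block packet from LAN with source IP: 192.168.239.31",
]

if __name__ == "__main__":
    for (iface, ip), n in top_sources(parse_spoof_log(SAMPLE_LOG)):
        print(f"{iface} {ip}: {n} blocked, check says {is_inconsistent(iface, ip)}")
```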

3. ARP Address Mismatch

If your ISP uses a different device to respond to your router's ARP packets, the ARP Address Mismatch log output can be produced. You can read more about this here.

Note that IP Spoofing Defense can interfere with features where the same IP address is legitimately expected on two or more interfaces, e.g. link aggregation or high availability configurations.