[TABS_R id=6984]
Examine the following access list:
Which statement is NOT designed to prevent IP spoofing attacks from packets that appear to be sourced from inside the network, but are actually sourced from outside the network?
- access-list 110 deny ip 10.0.0.0 0.255.255.255 any
- access-list 110 deny ip 172.16.0.0 0.15.255.255 any
- access-list 110 deny ip 192.168.0.0 0.0.255.255 any
- access-list 110 deny ip 208.0.0.0 0.255.255.255 any
Explanation:
Infrastructure access control lists are designed to prevent spoofing attacks from packets that appear to be sourced from inside the network when they are in fact sourced from outside the network. There are two groups of address that should be blocked at the edge of the network:
The private address space, which are called RFC 1918 addresses
Certain “special use addresses” as defined in RFC 3330
The address 208.0.0.0 0.255.255.255 falls into neither of those categories.
The RFC 1918 addresses that should be blocked are:
10.0.0.0/24
172.16.0.0/16
192.168.0.0/16
The RFC 3330 addresses that should be blocked are:
0.0.0.0
127.0.0.0/8
192.0.2.0/24
224.0.0.0/4
For more information about these special use addresses, see RFC 3330.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
[TABS_R id=6984]