IP spoofing is when an attacker changes the source IP address of packets to hide their true origin. By forging the source address in this manner an attacker can, for example, carry out a DoS, man-in-the-middle or SYN flooding attack, all of which can wreck your network while placing the integrity of your data at risk.
Ingress filtering (outlined in RFC 3704, which updates RFC 2827) can be performed using an ACL that checks the source IP address of all incoming packets on the outside interface of the edge router or firewall and drops any packet whose source belongs to the IPv4 private address ranges (outlined in RFC 1918). Egress filtering is simply the opposite: it prevents packets sourced from IPv4 private addresses from exiting the network.

Ingress Filtering
Let’s look at an example configuration on a Cisco ASA 5505. In this extended ACL we are writing a config that will deny any IPv4 private source address from entering the network. Why would a packet from a non-routable private IP address be allowed to pass through the interface that faces the internet? Any legitimate traffic arriving at our outside interface will carry a public source address, so by implementing this ACL you drop all the packets a hacker would use to spoof an internal address and initiate an attack on the internal network.

CiscoASA(config)# access-list 101 extended deny ip 192.168.0.0 255.255.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 172.16.0.0 255.240.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 10.0.0.0 255.0.0.0 any

Next let’s block the remaining ranges that should never appear as the source of traffic arriving from the outside: 0.0.0.0/8, the broadcast range, loopback, multicast and the reserved block.

CiscoASA(config)# access-list 101 extended deny ip 0.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 255.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 127.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 224.0.0.0 240.0.0.0 any
CiscoASA(config)# access-list 101 extended deny ip 240.0.0.0 240.0.0.0 any

Egress Filtering
Egress filtering is simply the opposite: we filter all RFC 1918 addresses from leaving the network.

CiscoASA(config)# access-list 102 extended deny ip 192.168.0.0 255.255.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 172.16.0.0 255.240.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 10.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 0.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 255.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 127.0.0.0 255.0.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 224.0.0.0 240.0.0.0 any
CiscoASA(config)# access-list 102 extended deny ip 240.0.0.0 240.0.0.0 any

Remember there is always an implicit deny at the end of our ACLs. For outbound make sure to insert the “permit ip any any” or no traffic will be permitted to leave.

CiscoASA(config)# access-list 102 extended permit ip any any

And finally apply your ACLs to their respective interfaces:

CiscoASA(config)# access-group 101 in interface outside
CiscoASA(config)# access-group 102 out interface outside

Unicast Reverse Path Forwarding
Additionally we can enhance our level of spoofing protection by enabling Unicast Reverse Path Forwarding (uRPF) on an interface. With this feature enabled, the router or firewall must have a valid route back to the source address or the packet is dropped.

As per Cisco’s website:
“This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode.” The command to enable this feature is:

CiscoASA(config)# ip verify reverse-path interface outside
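As an added illustration of the two mechanisms covered above (the inbound ACL with its implicit deny, and strict-mode uRPF), here is a small Python model that evaluates a source address against the page's deny list and against a constructed routing table. This is not part of the original post and not ASA code; the CIDR translation of the ASA masks, the routing table, the sample addresses and the evaluation order (ACL first, then uRPF) are my assumptions.

```python
import ipaddress

# Constructed model of ACL 101 (inbound on "outside") as (action, source prefix).
# ASA netmasks become CIDR: 255.240.0.0 -> /12, 240.0.0.0 -> /4.
ACL_101 = [
    ("deny", "192.168.0.0/16"), ("deny", "172.16.0.0/12"), ("deny", "10.0.0.0/8"),
    ("deny", "0.0.0.0/8"), ("deny", "255.0.0.0/8"), ("deny", "127.0.0.0/8"),
    ("deny", "224.0.0.0/4"), ("deny", "240.0.0.0/4"),
    ("permit", "0.0.0.0/0"),  # explicit permit; drop this entry and everything is denied
]

def acl_action(acl, src):
    """First-match evaluation; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(src)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix):
            return action
    return "deny"  # the implicit deny at the end of every ACL

# Constructed routing table: prefix -> egress interface (longest prefix wins).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as samples.
ROUTES = {
    "10.0.0.0/8": "inside",
    "203.0.113.0/24": "dmz",
    "0.0.0.0/0": "outside",
}

def urpf_strict(routes, src, ingress_iface):
    """Strict uRPF: the best route back to the source must leave via the
    interface the packet arrived on; otherwise the packet is dropped."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_iface

def inbound_verdict(src, ingress_iface="outside"):
    """Assumed order: the ACL is consulted first, then the uRPF check."""
    if acl_action(ACL_101, src) == "deny":
        return "drop: acl"
    if not urpf_strict(ROUTES, src, ingress_iface):
        return "drop: urpf"
    return "forward"

if __name__ == "__main__":
    for s in ("192.168.1.5", "10.1.2.3", "203.0.113.9", "198.51.100.7"):
        print(s, "->", inbound_verdict(s))
```

Note that 10.1.2.3 is stopped by the ACL, while 203.0.113.9 passes the ACL but fails uRPF because the best route back to it points at "dmz", not "outside"; the two checks catch different spoofing cases.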