Case 2: Example of using RPF to prevent IP spoofing:
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast reverse-path 197
!
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 197 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 197 permit ip any any
!
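The decision this configuration makes, modelled as an added Python example (not part of the original page): when an ACL is attached to ip verify unicast reverse-path, IOS consults ACL 197 only for packets that fail the RPF check, dropping on a deny entry and forwarding on a permit. The FIB contents and the Serial0/0 uplink are constructed assumptions.

```python
import ipaddress

# ACL 197 exactly as configured on this page.
ACL_197 = """\
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 197 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 197 permit ip any any
"""

# Constructed FIB (assumption): prefix -> egress interface; Serial0/0 is hypothetical.
FIB = {"192.168.200.0/24": "Ethernet0/0", "0.0.0.0/0": "Serial0/0"}

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return [(action, base, wildcard)] for 'deny|permit ip <src> any' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        src, wild = (tok[4], tok[5]) if tok[4] != "any" else ("0.0.0.0", "255.255.255.255")
        rules.append((tok[2], to_int(src), to_int(wild)))
    return rules

def acl_action(rules, src):
    """First match wins; wildcard bits set to 1 are 'don't care' bits."""
    s = to_int(src)
    for action, base, wild in rules:
        if (s | wild) == (base | wild):
            return action
    return "deny"  # implicit deny that ends every IOS ACL

def rpf_passes(src, in_if):
    """Strict uRPF: the longest-match route back to src must use the arrival interface."""
    addr = ipaddress.IPv4Address(src)
    nets = [ipaddress.ip_network(p) for p in FIB if addr in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen)
    return FIB[str(best)] == in_if

def verdict(src, in_if="Ethernet0/0"):
    """ACL 197 is evaluated only when the RPF check fails (denies here are logged)."""
    if rpf_passes(src, in_if):
        return "forward"
    return "forward" if acl_action(parse_acl(ACL_197), src) == "permit" else "drop"
```

Because the list ends in permit ip any any, a source such as 203.0.113.7 that fails the RPF check is still forwarded; only the listed ranges are dropped and logged.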
Configuring DNS Spoofing
The steps to configure DNS spoofing are as follows:
1. Disable DNS lookup:
Aiko(config)#no ip domain-lookup
2. Enable the router to act as a DNS server:
Aiko(config)#ip dns server
3. Enable DNS spoofing so that the router acts as a proxy and answers DNS queries. By default it answers for all hosts; a specific IP address can be set to limit the scope of the DNS query replies:
Aiko(config)#ip dns spoofing [ip-address]
Configuring IP Accounting