1.3.4 Implement anti-spoofing
measures to detect and block forged
source IP addresses from entering the
(For example, block traffic originating
from the Internet with an internal
1.3.4 Examine firewall and router configurations to verify that
anti-spoofing measures are implemented, for example internal
addresses cannot pass from the Internet into the DMZ.
Normally a packet contains the IP address of the
computer that originally sent it so other computers
in the network know where the packet came from.
Malicious individuals will often try to spoof (or
imitate) the sending IP address so that the target
system believes the packet is from a trusted
Filtering packets coming into the network helps to,
among other things, ensure packets are not
“spoofed” to look like they are coming from an
organization’s own internal network.