PCI DSS Requirement 1.3.3: Implement Anti-Spoofing Measures

by KirkpatrickPrice / April 18th, 2017

PCI DSS Requirement 1.3.3 requires that organizations, “implement anti-spoofing measures to detect and block forged source IP addresses from entering a network.” Assessors will be looking at your firewall and router configurations to verify that anti-spoofing measures are implemented. There are several types of spoofing attacks, but in general, a spoofing attack is a situation in which “a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls.”

In other words, PCI Requirement 1.3.3 ensures that your organization implements anti-spoofing rules to prevent attackers from “spoofing” their source address to trick your router into believing that the traffic originated from inside your network, allowing that traffic to pass through.

PCI DSS Requirement 1.3.3

PCI DSS has a requirement that you implement anti-spoofing rules. If you’re not aware of what spoofing is, I would recommend taking an opportunity to spend some time with Google and finding out what a spoofing attack is. But effectively what is happening is an attacker can mimic inbound traffic from the Internet, making it look as though it originated from your internal assets.

As an assessor, what we do is look to make sure that you're blocking inbound traffic whose source address falls in the 192.168, 10.0, or 172.16 private networks. What this does for you is prevent someone from spoofing the traffic, making your router believe that the traffic originated from inside your network, and passing through.
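The ingress check the assessor describes, as an added example that is not part of the original post: packets arriving on the Internet-facing interface with a private (RFC 1918) source address are flagged and dropped, and the same policy is emitted as iptables rules. The interface names, the packet records and the iptables rule text are assumptions, not taken from the page.

```python
"""Ingress anti-spoofing check for PCI DSS 1.3.3 (added example, not from the post)."""
import ipaddress

# RFC 1918 private ranges (the 10.0, 172.16 and 192.168 networks the assessor
# looks for) plus loopback, which should never arrive from the Internet either.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

EXTERNAL_IFACE = "eth0"  # assumed name of the Internet-facing interface

# Constructed sample packets (iface, src, dst); not real traffic.
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.7", "192.168.1.10"),   # genuine Internet client: keep
    ("eth0", "192.168.1.50", "192.168.1.10"),  # forged internal source: drop
    ("eth0", "10.20.30.40", "192.168.1.10"),   # forged 10/8 source: drop
    ("eth1", "192.168.1.50", "203.0.113.7"),   # arrived on the LAN side: keep
]


def is_spoofed(iface: str, src: str) -> bool:
    """True when a packet on the external interface claims an internal source,
    i.e. a forged source IP that should be blocked at the perimeter."""
    if iface != EXTERNAL_IFACE:
        return False  # only traffic entering from the Internet is checked here
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def filter_packets(records):
    """Split (iface, src, dst) records into the packets to accept and to drop."""
    accepted, dropped = [], []
    for rec in records:
        (dropped if is_spoofed(rec[0], rec[1]) else accepted).append(rec)
    return accepted, dropped


def iptables_rules():
    """The same policy as iptables rules, inserted at position 1 so they are
    evaluated before any ACCEPT rule in the INPUT and FORWARD chains."""
    return [
        f"iptables -I {chain} 1 -i {EXTERNAL_IFACE} -s {net} -j DROP"
        for chain in ("INPUT", "FORWARD")
        for net in INTERNAL_NETS
    ]


if __name__ == "__main__":
    kept, blocked = filter_packets(SAMPLE_PACKETS)
    print("dropped as spoofed:", blocked)
    print("\n".join(iptables_rules()))
```

A matching review for an assessor is to confirm these deny rules sit above the permit rules on the perimeter device, since rule order decides whether the forged packet is ever evaluated against them.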