Security Incidents
mailing list archives
Re: spoofed packets to RFC 1918 addresses
From: Daniel Polombo <polombo () cartel-securite fr>
Date: Thu, 27 Jun 2002 08:42:08 +0200
Dirk Koopman wrote:
> a) how the attackers are able to "guess" correct (i.e. existing) RFC 1918
> addresses as, AFAIK, these are not being leaked through the firewall.
There are at least two possibilities that spring to mind:
- if you are using a web proxy for your protected network(s), the proxy
may be adding an X-Forwarded-For field containing the rfc1918 address.
Other protocols might provide the same kind of information as well.
- in some cases, the firewall may leak information about the protected
network if there is some DNAT set up (and in particular, the recent
advisory named "Linux Netfilter NAT/ICMP code information leak" by
Philippe Biondi).
> b) how these packets are getting to me in the first place as they don't
> seem to be source routed.
That's the real catch. I think a number of ISPs don't filter RFC 1918
addresses within their domains, letting BGP4 make sure they don't get
routed outside instead. So, theoretically, a spoofed packet could make
its way to a target not too far away (e.g., within the same AS).
I don't know of any automated tools that would do that, but building one
using antirez's hping, for instance, shouldn't be too hard.
HTH,
Daniel.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
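Both of Dirk's questions can be checked from the receiving end. The Python below is an added example and is not part of the original message, of hping, or of any tool mentioned in the thread. It does two things: scan a captured HTTP request for RFC 1918 addresses in headers a proxy typically adds (question a), and scan Linux netfilter LOG-style lines for packets that arrived on the external interface with an RFC 1918 source address, which can only happen if someone spoofed them or an upstream network failed to filter them (question b). The sample request, the log lines, the header names checked and the assumption that eth0 is the external interface are all constructed for this example.

```python
"""Spot RFC 1918 leakage and RFC 1918-sourced packets on the outside interface.

Added example; sample request and log lines are constructed, not captured.
"""
import ipaddress
import re

# The three RFC 1918 prefixes, listed explicitly rather than via
# ip_address().is_private, which would also match 127/8, 169.254/16, etc.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Headers that proxies commonly add and that may carry an internal address
# (assumed list for the example; extend to whatever your proxy emits).
LEAKY_HEADERS = ("x-forwarded-for", "via", "forwarded", "x-real-ip")

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# netfilter LOG target fields we care about: IN=<iface> ... SRC= DST= ... PROTO=
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
)


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside one of the RFC 1918 prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def private_addrs_in_headers(raw_request):
    """Return {header_name: [rfc1918 addresses]} for proxy headers that expose
    internal addresses. X-Forwarded-For is a comma-separated chain; Via embeds
    host:port, so every dotted quad in the value is examined."""
    leaks = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name not in LEAKY_HEADERS:
            continue
        found = [a for a in DOTTED_QUAD.findall(value) if is_rfc1918(a)]
        if found:
            leaks[name] = found
    return leaks


def spoofed_rfc1918_sources(log_lines, external_ifaces=("eth0",)):
    """Return (src, dst, proto) for every logged packet that entered on an
    external interface with an RFC 1918 source. Traffic from the LAN side
    (IN=eth1 here) is legitimately RFC 1918 and is deliberately not reported."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["iface"] in external_ifaces and is_rfc1918(m["src"]):
            hits.append((m["src"], m["dst"], m["proto"]))
    return hits


# Constructed sample request as a proxy might forward it (not a real capture).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 192.168.1.17, 203.0.113.9\r\n"
    "Via: 1.1 10.0.0.5:3128 (squid)\r\n"
    "User-Agent: curl\r\n"
    "\r\n"
)

# Constructed netfilter LOG lines; eth0 is assumed to face the Internet.
SAMPLE_LOG = [
    "Jun 27 08:40:01 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=203.0.113.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=80 SYN",
    "Jun 27 08:40:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.17 DST=198.51.100.7 LEN=60 TTL=63 ID=1 PROTO=UDP SPT=53001 DPT=53",
    "Jun 27 08:40:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=84 TTL=50 ID=2 PROTO=ICMP TYPE=8 CODE=0",
    "Jun 27 08:40:04 gw kernel: IN=eth0 OUT= SRC=172.31.200.1 DST=203.0.113.5 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=1024 DPT=22 SYN",
]

if __name__ == "__main__":
    for header, addrs in private_addrs_in_headers(SAMPLE_REQUEST).items():
        print(f"proxy leaks internal address in {header}: {', '.join(addrs)}")
    for src, dst, proto in spoofed_rfc1918_sources(SAMPLE_LOG):
        print(f"RFC 1918 source on external interface: {src} -> {dst} ({proto})")
```

The second check is the detection side of the same rule you would enforce with netfilter: drop the three RFC 1918 prefixes as source addresses on the external interface, which is what an ISP that does not filter them upstream leaves to you.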