|
Security Incidents
mailing list archives
Re: spoofed packets to RFC 1918 addresses
From: Barry Irwin <bvi () itouchlabs com>
Date: Fri, 28 Jun 2002 05:37:32 +0200
Hiall
sadly in my experiance very few ISP's implement any kind of ingress
filtering, hoting centers in particular are rife with rfc1918 addresses
connecting all over the place, but I have even seen this on dialup lines.
If there was widespread use of iingress/egress filtering we would probably
see a decrease in some forms of attack such as certain types of Do. Of
course this comes at the added cost of the routers needing to proccess each
and every packet through the filters, which may lead to an adverse impact on
performance.
slightly off topic but still worth remembereing. Back on topic one should
always stick filters on therouter connecting you, or in the case of a
hosting center see what you can do wrt negotiating filtering as part of your
hosting contract.
Barry
On Thu 2002-06-27 (10:53), Kent Hundley wrote:
However, if the packets have a destination address in the RFC1918 space, I
think you can conclude that they are in fact originating from the segment on
the outside of your firewall. Unless something is seriously fubar'd on your
router _and_ your upstream ISP's router, there's no way short of source
routing to have packets with destination addresses in those ranges get to
your network from the Internet.
I would suspect either a misconfiguration of something on the outside of
your firewall or a compromise of something on the outside of your firewall.
Probably time to do some investigating of whatever devices you have on the
outside. I'd also start looking at the source MAC of the packets and see
what ports on your switch are seeing that source MAC.
HTH,
Kent
-----Original Message-----
From: Dirk Koopman [mailto:djk () tobit co uk]
Sent: Wednesday, June 26, 2002 8:49 AM
To: Incidents Mailing List
Subject: spoofed packets to RFC 1918 addresses
There seems to be a "tool" about, which is somehow able to
detect valid rfc1918 addresses behind a NATed firewall and is spoofing
from addresses using random (usually non-existant) addresses from the
class C on the internet side of that firewall.
It isn't doing them any good as the packets are being dumped before they
get to the 'visible' class C (as I am making sure that packets from that
class C emanate only from the interface attached to that class C).
However, I am interested to know:
a) how the attackers are able to "guess" correct (ie existing) rfc1918
addresses as, AFAIK, these are not being leaked thru the firewall.
b) how these packets are getting to me in the first place as they don't
seem to be source routed.
c) which "tool" is doing this anyway.
Regards
Dirk Koopman
--
Please Note: Some Quantum Physics Theories Suggest That When the
Consumer Is Not Directly Observing This Product, It May Cease to
Exist or Will Exist Only in a Vague and Undetermined State.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
Barry Irwin bvi () itouchlabs com +27214875177
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com South Africa
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
|
Intro
