Security Incidents mailing list archives
Re: Private networks and home.{net|com}
From: raane () WMDATA COM (Rasmus Andersson)
Date: Thu, 10 Feb 2000 13:29:26 +0100
OK, you've convinced me! That is a hard-to-trace bandwidth-eating attack. I copy this to the list again, to correct my not-so-humble statements:-) I focused too much on how a particular host could be misleaded by a spoofed ICMP-unreachable, and that if it can, you could spoof it as from any non-private source address anyway. But you are right of course. I persist in saying that (except for private addresses :) one should not filter all and any ICMP packets without thinking of the implications. Many do. Speaking of screening, will it ever be possible to _force_ all ISP's to filter outbound spoofed traffic (including, but not limited to, private nets) originating from their networks? I understand there is a performance issue but most ISP's have a relatively small number of large IP blocks. regards Rasmus Donald McLachlan wrote:
Hello Rasmus,Why would private source addresses on routers be a problem?I'll change that question to start off with, and then answer it directly afterwards. Allowing packets with private source IP addresses (or packets with source addresses that are not "from" your network) to leave your network makes it very easy for attackers to hide the source of a DoS. If all organisations did egress filtering, those DoS attacks would be blocked. (Raising the bar). As for private IP addresses and routers, consider the following packet:20:06:17.206448 207.158.65.20 > 142.92.19.0: icmp: net 141.78.191.251 unreachable - admin prohibited (ttl 54, id 4867) 4500 0038 1303 0000 3601 bfb3 cf9e 4114 8e5c 1300 0309 c8ca 0000 0000 4500 0028 5302 0000 fe06 7b27 8e5c 1300 8d4e bffb 1af2 1e1b 4457- someone is crafting packets and spoofing the source address as being from us. - the destination address is unreachable. - a router (max of 2 hops from the source host) sends the unreachable message back to the spoofed address (us). - lots of these packets = a DoS. Consider the following 3 scenarios: - Above, because the router used a valid address, one could contact the ISP, who in turn could track down the (likely compromised) host generating the traffic. - If the router address had been private and the packet had been blocked by egress filtering, the packets would never leave the ISP's net and would never reach us and we are not DoS'ed. - If the router address had been private and the packet had not been blocked by egress filtering, not only do we get DoS'ed, but we also cannot contact the ISP because it is only the source address of the router which identifies the ISP. (Because one cannot look up 10.a.b.c in ripe/arin.) I want ISP's either to configure their routers with routable addresses, or to use private addesses and to do egress filtering to prevent packets with those source addresses form leaving their network. Otherwise you have a configuration which supports anonymous denial of service attacks. Don
Current thread:
- Re: Private networks and home.{net|com} Sachs, Marcus (Feb 08)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 09)
- Re: Private networks and home.{net|com} Pavel Kankovsky (Feb 10)
- <Possible follow-ups>
- Re: Private networks and home.{net|com} Andersson, Rasmus (Feb 08)
- Re: Private networks and home.{net|com} Marc Slemko (Feb 09)
- Re: Private networks and home.{net|com} Sachs, Marcus (Feb 09)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 10)
- Re: Private networks and home.{net|com} Jeffrey Papen (Feb 10)
- Re: Private networks and home.{net|com} Jeffrey Papen (Feb 10)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 09)
