Security Incidents mailing list archives

Re: Private networks and home.{net|com}


From: raane () WMDATA COM (Rasmus Andersson)
Date: Thu, 10 Feb 2000 13:29:26 +0100


OK, you've convinced me!  That is a hard-to-trace bandwidth-eating
attack. I copy this to the list again, to correct my not-so-humble
statements:-)

I focused too much on how a particular host could be misleaded by a
spoofed ICMP-unreachable, and that if it can, you could spoof it as from
any non-private source address anyway. But you are right of course.

I persist in saying that (except for private addresses :) one should not
filter all and any ICMP packets without thinking of the implications.
Many do.

Speaking of screening, will it ever be possible to _force_ all ISP's to
filter outbound spoofed traffic (including, but not limited to, private
nets) originating from their networks? I understand there is a
performance issue but most ISP's have a relatively small number of large
IP blocks.

regards
Rasmus

Donald McLachlan wrote:

Hello Rasmus,

Why would private source addresses on routers be a problem?

I'll change that question to start off with, and then answer it directly
afterwards.

Allowing packets with private source IP addresses (or packets with source
addresses that are not "from" your network) to leave your network makes it
very easy for attackers to hide the source of a DoS.  If all organisations
did egress filtering, those DoS attacks would be blocked. (Raising the bar).

As for private IP addresses and routers, consider the following packet:

20:06:17.206448 207.158.65.20 > 142.92.19.0: icmp: net 141.78.191.251 unreachable - admin prohibited (ttl 54, id 
4867)
                       4500 0038 1303 0000 3601 bfb3 cf9e 4114
                       8e5c 1300 0309 c8ca 0000 0000 4500 0028
                       5302 0000 fe06 7b27 8e5c 1300 8d4e bffb
                       1af2 1e1b 4457

- someone is crafting packets and spoofing the source address as being from us.
- the destination address is unreachable.
- a router (max of 2 hops from the source host) sends the unreachable message
  back to the spoofed address (us).
- lots of these packets = a DoS.

Consider the following 3 scenarios:

- Above, because the router used a valid address, one could contact the
  ISP, who in turn could track down the (likely compromised) host generating
  the traffic.
- If the router address had been private and the packet had been blocked by
  egress filtering, the packets would never leave the ISP's net and would
  never reach us and we are not DoS'ed.
- If the router address had been private and the packet had not been blocked
  by egress filtering, not only do we get DoS'ed, but we also cannot contact
  the ISP because it is only the source address of the router which identifies
  the ISP.  (Because one cannot look up 10.a.b.c in ripe/arin.)

I want ISP's either to configure their routers with routable addresses,
or to use private addesses and to do egress filtering to prevent packets
with those source addresses form leaving their network.  Otherwise you
have a configuration which supports anonymous denial of service attacks.

Don


Current thread: