Security Incidents mailing list archives
Re: Private networks and home.{net|com}
From: jpapen () YAHOO COM (Jeffrey Papen)
Date: Thu, 10 Feb 2000 15:56:22 -0800
This is a very difficult thing to do given the large number of portable blocks out there. A large web site (like Excite) may have many portable address spaces that they advertise via BGP to many ISPs. Each ISP would have to "dynamically" learn from BGP advertisements what routes are allowed and block everything else *on a per port basis for every peering router*. However, this would kill asymmetric routing. If one wanted packets to go out one interface and return via another link (for pricing, reliability or whatever other reason they chose) the above BGP list would drop those packets. If a dynamic learning method was too difficult, I doubt the ISP would be keen on manually changing their ACLs every time you get another subnet or add more interfaces. It boils down to a scalability issue and unfortunately, there is no easy way to track every IP that is allowed to originate on any given link. - Jeffrey --- Rasmus Andersson <raane () WMDATA COM> wrote:
OK, you've convinced me! That is a hard-to-trace bandwidth-eating attack. I copy this to the list again, to correct my not-so-humble statements :-) I focused too much on how a particular host could be misleaded by a spoofed ICMP-unreachable, and that if it can, you could spoof it as from any non-private source address anyway. But you are right of course. I persist in saying that (except for private addresses :) one should not filter all and any ICMP packets without thinking of the implications. Many do. Speaking of screening, will it ever be possible to _force_ all ISP's to filter outbound spoofed traffic (including, but not limited to, private nets) originating from their networks? I understand there is a performance issue but most ISP's have a relatively small number of large IP blocks. regards Rasmus Donald McLachlan wrote:Hello Rasmus,Why would private source addresses on routers be a problem?I'll change that question to start off with, and then answer it directly afterwards. Allowing packets with private source IP addresses (or packets with source addresses that are not "from" your network) to leave your network makes it very easy for attackers to hide the source of a DoS. If all organisations did egress filtering, those DoS attacks would be blocked. (Raising thebar).As for private IP addresses and routers, consider the following packet:20:06:17.206448 207.158.65.20 > 142.92.19.0: icmp: net 141.78.191.251unreachable - admin prohibited (ttl 54, id 4867)4500 0038 1303 0000 3601 bfb3 cf9e 4114 8e5c 1300 0309 c8ca 0000 0000 4500 0028 5302 0000 fe06 7b27 8e5c 1300 8d4e bffb 1af2 1e1b 4457- someone is crafting packets and spoofing the source address as being fromus.- the destination address is unreachable. - a router (max of 2 hops from the source host) sends the unreachablemessageback to the spoofed address (us). - lots of these packets = a DoS. Consider the following 3 scenarios: - Above, because the router used a valid address, one could contact the ISP, who in turn could track down the (likely compromised) hostgeneratingthe traffic. - If the router address had been private and the packet had been blocked by egress filtering, the packets would never leave the ISP's net and would never reach us and we are not DoS'ed. - If the router address had been private and the packet had not beenblockedby egress filtering, not only do we get DoS'ed, but we also cannotcontactthe ISP because it is only the source address of the router whichidentifiesthe ISP. (Because one cannot look up 10.a.b.c in ripe/arin.) I want ISP's either to configure their routers with routable addresses, or to use private addesses and to do egress filtering to prevent packets with those source addresses form leaving their network. Otherwise you have a configuration which supports anonymous denial of service attacks. Don
===== Yahoo Network Operations work: 408-616-3897 page: 408-619-0572 cell: 650-580-2684 email: jeffrey () papen com __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com
Current thread:
- Re: Private networks and home.{net|com} Sachs, Marcus (Feb 08)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 09)
- Re: Private networks and home.{net|com} Pavel Kankovsky (Feb 10)
- <Possible follow-ups>
- Re: Private networks and home.{net|com} Andersson, Rasmus (Feb 08)
- Re: Private networks and home.{net|com} Marc Slemko (Feb 09)
- Re: Private networks and home.{net|com} Sachs, Marcus (Feb 09)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 10)
- Re: Private networks and home.{net|com} Jeffrey Papen (Feb 10)
- Re: Private networks and home.{net|com} Jeffrey Papen (Feb 10)
- Re: Private networks and home.{net|com} Rasmus Andersson (Feb 09)
