Security Incidents mailing list archives

Re: Private networks and home.{net|com}


From: jpapen () YAHOO COM (Jeffrey Papen)
Date: Thu, 10 Feb 2000 15:56:22 -0800


This is a very difficult thing to do given the large number of portable blocks
out there.  A large web site (like Excite) may have many portable address
spaces that they advertise via BGP to many ISPs.  Each ISP would have to
"dynamically" learn from BGP advertisements what routes are allowed and block
everything else *on a per port basis for every peering router*.

However, this would kill asymmetric routing.  If one wanted packets to go out
one interface and return via another link (for pricing, reliability or whatever
other reason they chose) the above BGP list would drop those packets.

If a dynamic learning method was too difficult, I doubt the ISP would be keen
on manually changing their ACLs every time you get another subnet or add more
interfaces.

It boils down to a scalability issue and unfortunately, there is no easy way to
track every IP that is allowed to originate on any given link.

- Jeffrey

--- Rasmus Andersson <raane () WMDATA COM> wrote:
OK, you've convinced me!  That is a hard-to-trace bandwidth-eating
attack. I copy this to the list again, to correct my not-so-humble
statements :-)

I focused too much on how a particular host could be misleaded by a
spoofed ICMP-unreachable, and that if it can, you could spoof it as from
any non-private source address anyway. But you are right of course.

I persist in saying that (except for private addresses :) one should not
filter all and any ICMP packets without thinking of the implications.
Many do.

Speaking of screening, will it ever be possible to _force_ all ISP's to
filter outbound spoofed traffic (including, but not limited to, private
nets) originating from their networks? I understand there is a
performance issue but most ISP's have a relatively small number of large
IP blocks.

regards
Rasmus

Donald McLachlan wrote:

Hello Rasmus,

Why would private source addresses on routers be a problem?

I'll change that question to start off with, and then answer it directly
afterwards.

Allowing packets with private source IP addresses (or packets with source
addresses that are not "from" your network) to leave your network makes it
very easy for attackers to hide the source of a DoS.  If all organisations
did egress filtering, those DoS attacks would be blocked. (Raising the
bar).

As for private IP addresses and routers, consider the following packet:

20:06:17.206448 207.158.65.20 > 142.92.19.0: icmp: net 141.78.191.251
unreachable - admin prohibited (ttl 54, id 4867)
                       4500 0038 1303 0000 3601 bfb3 cf9e 4114
                       8e5c 1300 0309 c8ca 0000 0000 4500 0028
                       5302 0000 fe06 7b27 8e5c 1300 8d4e bffb
                       1af2 1e1b 4457

- someone is crafting packets and spoofing the source address as being from
us.
- the destination address is unreachable.
- a router (max of 2 hops from the source host) sends the unreachable
message
  back to the spoofed address (us).
- lots of these packets = a DoS.

Consider the following 3 scenarios:

- Above, because the router used a valid address, one could contact the
  ISP, who in turn could track down the (likely compromised) host
generating
  the traffic.
- If the router address had been private and the packet had been blocked by
  egress filtering, the packets would never leave the ISP's net and would
  never reach us and we are not DoS'ed.
- If the router address had been private and the packet had not been
blocked
  by egress filtering, not only do we get DoS'ed, but we also cannot
contact
  the ISP because it is only the source address of the router which
identifies
  the ISP.  (Because one cannot look up 10.a.b.c in ripe/arin.)

I want ISP's either to configure their routers with routable addresses,
or to use private addesses and to do egress filtering to prevent packets
with those source addresses form leaving their network.  Otherwise you
have a configuration which supports anonymous denial of service attacks.

Don


=====
Yahoo Network Operations
work: 408-616-3897
page: 408-619-0572
cell: 650-580-2684
email: jeffrey () papen com
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com


Current thread: