Security Basics mailing list archives
Re: IP Spoofing/Masquarading
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 09 Sep 2009 13:45:56 -0400
On Wed, 2009-09-09 at 09:40 -0430, Gerardo Castillo Alvarado wrote:
M.D.Mufambisi escribió:However, when this is done across the internet, with a private IP address in its source field, how does this packet get routed through the internet?Supposedly, routers are not programmed to forward traffic with these address ranges (FRC1918) outside of local organizations;
Sort of. Most routers will happily forward traffic _to_ a private if they have a default route setting. It is usually not a problem till you hit the first BGP router which will return an ICMP type 3 as private addresses are not advertised. When traffic originates from a private address however, little is usually done to stop it. It is not till the target host attempts to respond that an error gets generated (again, by the first upstream BGP router. With that said, there are multiple techniques to deal with traffic when the source IP address is private. Egress filtering is probably the easiest, although reverse path routing works as well. Most ISPs do not implement these techniques due to the additional overhead. Not saying I agree or disagree with this posture, just that it happens. Check any firewall log and you will occasionally see private addresses as the source IP.
nevertheless, all border routers should drop all incoming packet somewhat quirky...
Agreed. Don't count on someone else cleaning this up for you. Implement an ingress filter blocking private addresses as the source IP and it becomes a non-issue. For most clients I extend this to include bogon addresses as its a great way to detect/mitigate SYN floods.
On the other hand, there are preceding to intercept internet traffic though with other techniques [1]. [1] http://www.wired.com/threatlevel/2008/08/revealed-the-in/
Kind of funny to see this making the rounds again. I remember this attack being discussed 10 years ago as one of the reasons we needed sBGP. Good (but old) paper can be found here that talks about the attack indirectly: http://www.isoc.org/isoc/conferences/ndss/2000/proceedings/045.pdf HTH, Chris -- www.chrisbrenton.org ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: IP Spoofing/Masquarading, (continued)
- Re: IP Spoofing/Masquarading Robert Portvliet (Sep 11)
- Re: IP Spoofing/Masquarading Marco Ivaldi (Sep 11)
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 11)
- Re: IP Spoofing/Masquarading Jack Carrozzo (Sep 11)
- RE: IP Spoofing/Masquarading David_Falloon (Sep 11)
- Message not available
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 11)
- Re: IP Spoofing/Masquarading Brad Edmondson (Sep 11)
- Re: IP Spoofing/Masquarading Fabien Vincent (Sep 11)
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 11)
- Re: IP Spoofing/Masquarading matteo filippetto (Sep 11)
- Re: IP Spoofing/Masquarading Gerardo Castillo Alvarado (Sep 11)
- Re: IP Spoofing/Masquarading Chris Brenton (Sep 11)
- RE: IP Spoofing/Masquarading Erik Soosalu (Sep 11)
- Re: IP Spoofing/Masquarading Gerardo Castillo Alvarado (Sep 11)
- Re: IP Spoofing/Masquarading aditya mukadam (Sep 11)
- RE: IP Spoofing/Masquarading Erik Soosalu (Sep 11)
- Re: IP Spoofing/Masquarading R. DuFresne (Sep 11)
- Re: IP Spoofing/Masquarading James Bensley (Sep 11)