Security Basics mailing list archives

Re: IP Spoofing/Masquerading


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 09 Sep 2009 13:45:56 -0400

On Wed, 2009-09-09 at 09:40 -0430, Gerardo Castillo Alvarado wrote:

> M.D.Mufambisi wrote:
> > However, when this is done across the internet, with a private IP
> > address in its source field, how does this packet get routed through
> > the internet?
>
> Supposedly, routers are not programmed to forward traffic with these
> address ranges (RFC1918) outside of local organizations;

Sort of. Most routers will happily forward traffic _to_ a private address if
they have a default route setting. It is usually not a problem till you
hit the first BGP router, which will return an ICMP type 3 as private
addresses are not advertised.

When traffic originates from a private address, however, little is
usually done to stop it. It is not till the target host attempts to
respond that an error gets generated (again, by the first upstream BGP
router).

With that said, there are multiple techniques to deal with traffic when
the source IP address is private. Egress filtering is probably the
easiest, although reverse path routing works as well. Most ISPs do not
implement these techniques due to the additional overhead. Not saying I
agree or disagree with this posture, just that it happens. Check any
firewall log and you will occasionally see private addresses as the
source IP.

> nevertheless,
> all border routers should drop all incoming packets somewhat quirky...

Agreed. Don't count on someone else cleaning this up for you. Implement
an ingress filter blocking private addresses as the source IP and it
becomes a non-issue. For most clients I extend this to include bogon
addresses as it's a great way to detect/mitigate SYN floods.

> On the other hand, there are precedents to intercept internet traffic
> though with other techniques [1].
>
> [1] http://www.wired.com/threatlevel/2008/08/revealed-the-in/

Kind of funny to see this making the rounds again. I remember this
attack being discussed 10 years ago as one of the reasons we needed
sBGP. Good (but old) paper can be found here that talks about the attack
indirectly:
http://www.isoc.org/isoc/conferences/ndss/2000/proceedings/045.pdf

HTH,
Chris
-- 
www.chrisbrenton.org
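The ingress filter Chris recommends, as an added example that is not part of the thread: a border check that drops packets arriving on the external interface with an RFC 1918 or otherwise never-routed source, run over a few constructed firewall log lines (the log format, interface names and addresses are assumptions).

```python
# Added example, not code from the thread. Ingress-filter check for a border
# router: a packet arriving on the external interface with an RFC 1918 (or
# other non-routable) source cannot have a legitimate origin, so it is dropped.
import ipaddress
import re

# RFC 1918 private space plus a few other prefixes that should never appear as
# a source on the outside (this-network, loopback, link-local, multicast).
# A complete, current bogon list must come from an authoritative feed.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

def is_non_routable(addr: str) -> bool:
    """True if addr lies in a range that must never be an external source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

# Assumed (constructed) log format: "<iface> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s+(?P<proto>\S+)$"
)

def ingress_decision(line: str, external_iface: str = "eth0") -> str:
    """'drop-spoofed' for external packets with a non-routable source,
    'accept' for everything else, 'unparsed' if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    if m["iface"] == external_iface and is_non_routable(m["src"]):
        return "drop-spoofed"
    return "accept"

def audit(lines, external_iface: str = "eth0") -> dict:
    """Tally decisions over a batch of log lines; a quick way to see how much
    private-source traffic reaches the border, as the thread says it does."""
    counts = {"accept": 0, "drop-spoofed": 0, "unparsed": 0}
    for line in lines:
        counts[ingress_decision(line, external_iface)] += 1
    return counts

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "eth0 203.0.113.7:51234 -> 198.51.100.10:443 TCP",
    "eth0 10.1.2.3:40000 -> 198.51.100.10:80 TCP",      # private source, outside
    "eth0 192.168.1.50:5353 -> 198.51.100.10:53 UDP",   # private source, outside
    "eth1 192.168.1.50:5353 -> 198.51.100.10:53 UDP",   # internal interface: fine
    "eth0 127.0.0.1:1 -> 198.51.100.10:22 TCP",         # loopback from outside
]
```

Running `audit(SAMPLE_LOG)` yields two accepted lines and three dropped as spoofed; the same classifier can be pointed at real firewall exports once the regex is adjusted to that format.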

