Security Incidents mailing list archives
Re: spoofed packets to RFC 1918 addresses
From: Daniel Polombo <polombo () cartel-securite fr>
Date: Thu, 27 Jun 2002 08:42:08 +0200
Dirk Koopman wrote:
a) how the attackers are able to "guess" correct (ie existing) rfc1918 addresses as, AFAIK, these are not being leaked thru the firewall.
There are at least two possibilities that spring to mind:
- if you are using a web proxy for your protected network(s), the proxy may be adding an X-Forwarded-For field containing the rfc1918 address. Other protocols might provide the same kind of information as well.
- in some cases, the firewall may leak information about the protected network if there is some DNAT set up (and in particular, the recent advisory named "Linux Netfilter NAT/ICMP code information leak" by Philippe Biondi).
b) how these packets are getting to me in the first place as they don't seem to be source routed.
That's the real catch. I think a number of ISPs don't filter rfc1918 addresses within their domains, letting BGP4 make sure they don't get routed outside instead. So, theoretically, a spoofed packet could make its way to a target not too far away (eg, within the same AS).
I don't know of any automated tools that would do that, but building one using antirez's hping, for instance, shouldn't be too hard.
HTH, Daniel.
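An added example, not part of the original message: a check for the first leak path described above, run over a request as it leaves the proxy, that reports any RFC 1918 address carried in proxy-added headers. The message names only X-Forwarded-For; including Via and Forwarded is an assumption, and the sample request is constructed.

```python
import ipaddress
import re

# RFC 1918 private ranges (the addresses the thread is about).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Headers checked. Only X-Forwarded-For is named in the message;
# Via and Forwarded are assumed to be worth checking as well.
LEAKY_HEADERS = {"x-forwarded-for", "via", "forwarded"}

# Dotted quad not embedded in a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(text):
    """True if text parses as an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_leaks(raw_request):
    """Return (header, address) pairs where a header exposes a private address."""
    leaks = []
    head = raw_request.split("\r\n\r\n", 1)[0]   # ignore the body
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in LEAKY_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            if is_rfc1918(candidate):
                leaks.append((name.strip(), candidate))
    return leaks


# Constructed sample: a request as seen on the outside of the proxy.
SAMPLE = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "Via: 1.0 192.168.1.1:3128 (proxy)\r\n"
    "X-Forwarded-For: 10.1.2.3, 203.0.113.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for header, address in find_leaks(SAMPLE):
        print(f"{header} exposes internal address {address}")
```

Any hit means the proxy should be configured to strip or rewrite that header before requests leave the protected network.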