nanog mailing list archives
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
From: Jimmy Hess <mysidia () gmail com>
Date: Sun, 11 Aug 2013 08:23:22 -0500
A strange thought occurs.... Regarding, devices that unintentionally have SNMP open to the public. They might also have write access open, which could enable reconfiguring the device to facilitate full TCP spoofing, or opening up a tunnel; enabling 3 way handshake and everything, permitting the possible DDoS conditions to go well beyond simple UDP reflection. Those devices that just have SNMP read access; might reveal enough information in the exposed MIBs about the device, timestamps, connection table status..... for an attacker to successfully inject false data into a TCP stream. For example... spoofing a TCP message containing a false BGP route advertisement; if enough about the state of the router's TCP connection table and synchronization numbers, timestamp, and other hints about the state of the random number generator, can be discovered directly or indirectly through some piece of data in the SNMP MIB.... -- -Jimmy On Sun, Aug 11, 2013 at 7:45 AM, Florian Weimer <fw () deneb enyo de> wrote:
* Jared Mauch:Number of unique IPs that spoofed a packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded).That's not necessarily proof of spoofing, isn't it? The system in question might legitimately own IP addresses from very different networks. If the system is a router and the service you're pinging is not correctly implemented and it picks up the IP address of the outgoing interface instead of the source address of the request, that's totally expected. I'm not saying that BCP 38 is widely implement (it's not, unless operators have configured exceptions for ICMP traffic from private address, which I very much doubt). I just think you aren't actually measuring spoofing capabilities.
-- -Mysid
Current thread:
- Re: SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Mark Andrews (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Saku Ytti (Jul 31)
- Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Matthew Petach (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Florian Weimer (Aug 11)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jimmy Hess (Aug 11)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 11)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Florian Weimer (Aug 11)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Christopher Morrow (Aug 11)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Florian Weimer (Aug 11)
- Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Heather Schiller (Aug 22)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Blake Dunlap (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Valdis . Kletnieks (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Blake Dunlap (Aug 08)
- Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have) Jared Mauch (Aug 08)