Security Incidents mailing list archives

Re: Ip spoof from 0.0.0.0


From: batz <batsy () vapour net>
Date: Thu, 7 Nov 2002 16:28:10 -0500 (EST)



Here are a number of speculative situations where spoofing
packets from 0.0.0.0 would be useful to an attacker:

- Finding hosts on a local subnet with a different default 
  route via another interface, like a vpn. (the machines that 
  don't respond are either filtering the port, or sending the 
  response out the other interface)

- Finding really old machines that respond to this as a broadcast. 

- Making the machines send acks or icmp port unreachable messages 
  to their routers. (send a syn, get an icmp msg in reply, kind of a 
  DoS, albeit sort of a limited one)

- A passive spoofed portscan with the attacker on the local 
  segment watching the response packets go out to the default 
  router.

- I also wonder if these packets get routed by routing gear, and if not, 
  do they send icmp packets back, and if so where do they send them? 

Here is some handwavy speculation, but it might be kinda cool. 

  If a host responds to the syn packet sourced from 0.0.0.0 with an ack, 
  it goes to the router either with the destination IP address rewritten
  with the default route addr of the host, or preserved as 0.0.0.0. The
  router could either forward it until it hits something without a default
  route or its ttl expires, or send back an unreachable message to the 
  host, which would indicate to a listening attacker whether default
  routing was in use, or if traffic was taking a different path down the
  road. 

  That's interesting. I bet you could use this to detect if traffic 
  from a local host was taking a different route to the Internet. 

  That's pretty handy if you want to see if your traffic is getting 
  re-routed or worse, re-directed through a tunnel. What happens is 
  that while you are on a host on the subnet, you spoof a SYN from
  0.0.0.0 to an adjacent host (a.a.a.a). a.a.a.a responds with an ack 
  to 0.0.0.0, which is its default router, but with a legitimate source.  

  If the router forwards it as 0.0.0.0, any router that drops it will 
  send an unreachable icmp back to a.a.a.a. You watch that icmp message
  go by and decide whether it came from a legitimate router. However, 
  let's say traffic from that host is getting re-routed:

  If the device handling the redirected traffic receives the ack from 
  a.a.a.a, it should either drop the packet and send an icmp unreachable, 
  or send an RST if it has services open on it. 

  It's all a very round-about way of doing things, but at least there are
  some reasons why one could imagine these packets as being hostile. 

Cheers, 

On Wed, 6 Nov 2002, Nexus wrote:

:Date: Wed, 6 Nov 2002 23:53:10 -0000
:From: Nexus <nexus () patrol i-way co uk>
:To: Frank Cheong <chocobofrank () hotmail com>,
:     Paul Gillingwater <paul () lanifex com>
:Cc: incidents () securityfocus com
:Subject: Re: Ip spoof from 0.0.0.0
:
:
:----- Original Message -----
:From: "Paul Gillingwater" <paul () lanifex com>
:To: "Frank Cheong" <chocobofrank () hotmail com>
:Cc: <incidents () securityfocus com>
:Sent: Wednesday, November 06, 2002 7:08 PM
:Subject: Re: Ip spoof from 0.0.0.0
:
:[snip]
:> your router, not the remote attacker.  The best you could do is ask your
:> upstream ISP to filter outgoing traffic to drop IP packets with invalid
:> source addresses like 0.0.0.0.
:[snip]
:
:Good advice, also good luck ;-)
:Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
:through ISP's - quite scary how far you get sometimes before somebody with
:clue > 0 has been at the router configs and it gets dropped...
:
:Cheers.
:
:
:----------------------------------------------------------------------------
:This list is provided by the SecurityFocus ARIS analyzer service.
:For more information on this free incident handling, management 
:and tracking system please see: http://aris.securityfocus.com
:

-- 
batz
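An added example (not code from batz's or Nexus's posts) of the ingress check the quoted advice describes: flag packets whose source address falls in 0.0.0.0/8, RFC 1918 space or another block that should never appear as a source on the wire. The log format and addresses are constructed for illustration.

```python
import ipaddress
import re

# Prefixes that should never appear as a packet source on ingress:
# 0.0.0.0/8 (the source discussed in the thread), RFC 1918 private space,
# loopback, link-local, multicast and reserved space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def bogon_prefix(addr: str):
    """Return the bogon prefix that contains addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_PREFIXES:
        if ip in net:
            return str(net)
    return None

# Constructed sample log lines in a netfilter-style format (hypothetical).
SAMPLE_LOG = """\
Nov  7 16:28:10 gw kernel: IN=eth0 SRC=0.0.0.0 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=80 SYN
Nov  7 16:28:11 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
Nov  7 16:28:12 gw kernel: IN=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=3
Nov  7 16:28:13 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN
"""

LINE_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

def find_spoofed(log_text: str):
    """Return (src, dst, prefix) for every line whose source is a bogon."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log line
        prefix = bogon_prefix(m.group("src"))
        if prefix is not None:
            hits.append((m.group("src"), m.group("dst"), prefix))
    return hits

if __name__ == "__main__":
    for src, dst, prefix in find_spoofed(SAMPLE_LOG):
        print(f"spoofed source {src} -> {dst} (matches {prefix})")
```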

