Penetration Testing mailing list archives

spoofing 255.255.255.255 techniques


From: Curt Wilson <netw3 () netw3 com>
Date: 5 Jul 2001 22:17:04 -0000


Our PIX has detected an IP spoof from 
255.255.255.255 to one of our servers. Research 
here on SecurityFocus reveals that some attackers 
have used this technique with a destination port 515 
(LPR) and source 31337 (eleet) in scanning 
attempts. You can read about this on the firewalls 
list at 
http://www.securityfocus.com/archive/19/187958

Our PIX does not indicate source or destination ports 
perhaps because the "IP spoof" criteria was already 
triggered in its logic chain, denying the packet and 
making a syslog entry.

We don't have an IDS outside the firewall so I don't 
have any more packet details which makes it very 
hard to do proper analysis.

The only other reference I've seen to something of 
this nature can be found in Dragos Ruiu's 
paper "Cautionary Tales: Stealth Coordinated Attack 
HOWTO" at 
http://www.dursec.com/articles/stealthhowto.html 
which, when talking about DSLAM infrastructure issues, 
states:  "In easy cases, the equipment rack will 
bridge broadcast traffic between the "marshmallow" 
and the target, allowing use of address resolution 
traffic such as ARP and DHCP to be used for system 
attacks and control. For stealth, these kinds of attack 
bases are excellent too, because the broadcast 
traffic is largely repetitive, very voluminous, and 
mostly uninteresting, which, combined with a great 
immaturity among the security tools for this kind of 
traffic, make it a ripe vulnerability area" 

This quote is of interest because the server in 
question uses DSL.

Another reference to traffic of this nature can be 
found in the excellent paper "A stateful inspection of 
Firewall-1" by Dug Song, Thomas Lopatic and John 
McDonald at 
http://www.dataprotect.com/bh2000/blackhat-fw1.html 
which states "Another possibility for evading 
IP spoofing protection is to use the all-hosts multicast 
address (224.0.0.1) as a mechanism for delivering 
packets to the underlying operating system of the 
firewall. For our demonstration, we used FWZ 
encapsulation to spoof a packet from the multicast 
address to our attack host, allowing us to respond 
with a packet sent to the multicast address, passed 
on to the firewall itself. This attack can also be 
performed with broadcast addresses."

I realize that neither of these references refers 
directly to such a packet, but I am curious about these 
techniques. 

Thank you,
Curt Wilson
Netw3
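The addresses discussed above (255.255.255.255, the all-hosts multicast group 224.0.0.1, and directed-broadcast addresses) can never be a legitimate packet source, which is what makes the firewall's spoof verdict easy to confirm even without an IDS outside the perimeter. The following added example (not from the poster or from Cisco) classifies a source address by that rule, notes the port-515-from-31337 scan pairing when ports are available, and triages constructed syslog lines modelled on the PIX "Deny IP spoof from (A) to B" message; the local subnet 192.0.2.0/24 is an assumption the post does not give.

```python
import ipaddress
import re

# Hypothetical local subnet of the server (the post does not give one), so the
# subnet's own directed-broadcast address is flagged alongside 255.255.255.255.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed pattern in the shape of the PIX "Deny IP spoof from (A) to B"
# syslog message; as the post notes, these lines carry no ports.
SPOOF_LINE = re.compile(r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)")


def spoof_reasons(src, sport=None, dport=None):
    """List why a packet's source address cannot be legitimate.

    255.255.255.255, any multicast group (224.0.0.1 included) and the local
    directed-broadcast address name sets of receivers, never a sender, so a
    packet claiming one as its source is spoofed by definition.
    """
    s = ipaddress.ip_address(src)
    reasons = []
    if s == ipaddress.ip_address("255.255.255.255"):
        reasons.append("source is the limited-broadcast address")
    elif s.is_multicast:
        reasons.append("source is a multicast group address")
    elif s == LOCAL_NET.broadcast_address:
        reasons.append("source is the local directed-broadcast address")
    # Port pairing from the scans discussed on the firewalls list: LPR (515)
    # probed from source port 31337. Only reportable when ports are logged.
    if reasons and sport == 31337 and dport == 515:
        reasons.append("matches the port-515-from-31337 scan pattern")
    return reasons


def triage_spoof_log(lines):
    """Return (src, dst, reasons) for every spoof-deny line in a syslog feed."""
    hits = []
    for line in lines:
        m = SPOOF_LINE.search(line)
        if m:
            hits.append((m["src"], m["dst"], spoof_reasons(m["src"])))
    return hits


# Constructed sample lines, not the poster's real PIX output.
SAMPLE_LOG = [
    "Jul  5 22:17:04 pix: Deny IP spoof from (255.255.255.255) to 192.0.2.10 on interface outside",
    "Jul  5 22:17:05 pix: Deny IP spoof from (224.0.0.1) to 192.0.2.10 on interface outside",
    "Jul  5 22:17:06 pix: Built inbound TCP connection from 198.51.100.7/40000 to 192.0.2.10/80",
]
```

A packet capture taken outside the firewall would supply the ports that the PIX log omits, which is the only way to confirm the 515/31337 pairing mentioned on the firewalls list.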
