Penetration Testing mailing list archives
Re: IP Spoofing/Masquarading
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 09 Sep 2009 13:45:56 -0400
On Wed, 2009-09-09 at 09:40 -0430, Gerardo Castillo Alvarado wrote:
M.D.Mufambisi escribió:However, when this is done across the internet, with a private IP address in its source field, how does this packet get routed through the internet?Supposedly, routers are not programmed to forward traffic with these address ranges (FRC1918) outside of local organizations;
Sort of. Most routers will happily forward traffic _to_ a private if they have a default route setting. It is usually not a problem till you hit the first BGP router which will return an ICMP type 3 as private addresses are not advertised. When traffic originates from a private address however, little is usually done to stop it. It is not till the target host attempts to respond that an error gets generated (again, by the first upstream BGP router. With that said, there are multiple techniques to deal with traffic when the source IP address is private. Egress filtering is probably the easiest, although reverse path routing works as well. Most ISPs do not implement these techniques due to the additional overhead. Not saying I agree or disagree with this posture, just that it happens. Check any firewall log and you will occasionally see private addresses as the source IP.
nevertheless, all border routers should drop all incoming packet somewhat quirky...
Agreed. Don't count on someone else cleaning this up for you. Implement an ingress filter blocking private addresses as the source IP and it becomes a non-issue. For most clients I extend this to include bogon addresses as its a great way to detect/mitigate SYN floods.
On the other hand, there are preceding to intercept internet traffic though with other techniques [1]. [1] http://www.wired.com/threatlevel/2008/08/revealed-the-in/
Kind of funny to see this making the rounds again. I remember this attack being discussed 10 years ago as one of the reasons we needed sBGP. Good (but old) paper can be found here that talks about the attack indirectly: http://www.isoc.org/isoc/conferences/ndss/2000/proceedings/045.pdf HTH, Chris -- www.chrisbrenton.org ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)
- Re: IP Spoofing/Masquarading Gerardo Castillo Alvarado (Sep 09)
- RE: IP Spoofing/Masquarading Erik Soosalu (Sep 09)
- Re: IP Spoofing/Masquarading Chris Brenton (Sep 09)
- RE: IP Spoofing/Masquarading David_Falloon (Sep 09)
- Re: IP Spoofing/Masquarading Robert Portvliet (Sep 09)
- Re: IP Spoofing/Masquarading James Bensley (Sep 09)
- Message not available
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)
- Re: IP Spoofing/Masquarading Fabien Vincent (Sep 09)
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)
- Re: IP Spoofing/Masquarading Gerardo Castillo Alvarado (Sep 09)
- Re: IP Spoofing/Masquarading Marco Ivaldi (Sep 09)
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)
- Re: IP Spoofing/Masquarading matteo filippetto (Sep 09)
- Message not available
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)
- Re: IP Spoofing/Masquarading Sebastiaan (Sep 09)
- Re: IP Spoofing/Masquarading M.D.Mufambisi (Sep 09)