Security Basics mailing list archives

Re: IPspoofing


From: <Steve.Cummings () barclayscapital com>
Date: Thu, 6 Oct 2005 06:32:47 +0100

Look at Cisco Guard and MARS, or ISS Proventia; they are designed to mitigate DoS and DDoS.

-----Original Message-----
From: David Gillett <gillettdavid () fhda edu>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Wed Oct 05 17:13:06 2005
Subject: RE: IPspoofing

  The short answer is that, especially if the threat is DDoS, you can't.

  Spoofed traffic may come in four basic forms:

1.  An interactive attacker may spoof his source address in order
    to disguise the true source of the attack.  But in order to
    be interactive, return packets from your network have to be 
    available to him.  So this probably means that he has to
    either have internal access to an ISP, or be able to advertise
    bogus BGP routes, or something similar, and even in those cases
    the range of spoofable source addresses will be more and more
    constrained the further from your network he is.

2.  A non-interactive attacker can send packets to you which do
    not require return traffic to do their damage.  SQL Slammer,
    for instance, is delivered in a single UDP packet.  This kind 
    of traffic has to be filtered on some other basis than source
    address validation.  A SYN flood attack would also fit in this
    category.

3.  A common DDoS attack is to use up bandwidth, making it unavailable
    for legitimate traffic.  So if you block these packets at your
    perimeter, their damage may already have been done to the pipe
    between your network and your provider.  Spoofing source addresses
    will make it harder for your provider to filter this out or track 
    it to its source.

4.  Internal abusers may try to disguise themselves, possibly as other
    legitimate users.  In most cases, you can probably find the real
    traffic source by its MAC address, and if you get a user who
    spoofs that then ARPwatch can probably catch them.

  But I'm not sure it's internal threats you're asking about.  It sounds
like the scenarios you're most concerned about are #2 and #3, and for those
you basically have no way to recognize a spoofed source and must find other
ways to block the attack.

David Gillett

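The perimeter filter Edgar mentions (drop packets from outside that carry an internal source address) is the ingress half of BCP 38; the egress half keeps your own hosts from sourcing spoofed packets toward anyone else. The following is an added example written for this archive, not code from any poster in the thread: it implements both checks over a constructed set of packet headers. The site prefix 203.0.113.0/24, the abbreviated bogon list and the sample packets are all assumptions made up for illustration.

```python
"""Source-address (anti-spoofing) filter logic in the style of BCP 38.

Added example for this thread, not code from any poster.  The site prefix,
the abbreviated bogon list and the sample packets are all constructed.
"""
from ipaddress import ip_address, ip_network

# Assumed: the address space the site announces to its provider.  In a real
# deployment this comes from the routing table / uRPF, not a hand-kept list.
INTERNAL_PREFIXES = [ip_network("203.0.113.0/24")]   # RFC 5737 stand-in

# Sources that must never arrive from the Internet.  Abbreviated on purpose;
# a production filter should use a maintained bogon list.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def classify(direction, src):
    """Verdict for one packet seen at the border: 'permit' or 'drop: <why>'.

    direction is 'in' for packets arriving from the provider and 'out' for
    packets leaving toward it.  Only the source address is examined; this is
    all a source-address filter can do, and it does nothing once a flood has
    already filled the upstream pipe.
    """
    src = ip_address(src)
    if direction == "in":
        # Ingress filtering: nobody outside may claim to be one of our hosts,
        # and private/reserved sources cannot legitimately reach us.
        if in_any(src, INTERNAL_PREFIXES):
            return "drop: our own prefix as source on the outside interface"
        if in_any(src, BOGON_PREFIXES):
            return "drop: bogon source"
        return "permit"
    if direction == "out":
        # Egress filtering: nothing leaves with a source we do not own, so
        # our hosts cannot take part in a spoofed-source flood against others.
        if not in_any(src, INTERNAL_PREFIXES):
            return "drop: outbound source is not ours"
        return "permit"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample headers (direction, src, dst); 198.51.100.0/24 and
# 192.0.2.0/24 stand in for arbitrary public addresses.
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7",  "203.0.113.10"),  # ordinary inbound traffic
    ("in",  "203.0.113.10",  "203.0.113.25"),  # our prefix from outside: spoofed
    ("in",  "10.4.4.4",      "203.0.113.10"),  # RFC 1918 source from outside
    ("out", "203.0.113.10",  "198.51.100.7"),  # ordinary outbound traffic
    ("out", "192.0.2.99",    "198.51.100.7"),  # inside host spoofing a source
]


def audit(packets=SAMPLE_PACKETS):
    """Return [(packet, verdict)] for a list of (direction, src, dst) headers."""
    return [(pkt, classify(pkt[0], pkt[1])) for pkt in packets]


def drop_count(packets=SAMPLE_PACKETS):
    return sum(1 for _, verdict in audit(packets) if verdict != "permit")


if __name__ == "__main__":
    for pkt, verdict in audit():
        print(f"{pkt[0]:>3} {pkt[1]:>15} -> {pkt[2]:<15} {verdict}")
```

On a Cisco edge router the same ingress check is usually done with unicast RPF (`ip verify unicast source reachable-via rx` on the outside interface) plus an ACL for the bogon ranges; on Linux the equivalent knob is `net.ipv4.conf.all.rp_filter=1`. Either way the filter only answers the question "could this source legitimately have arrived here?", which is exactly why it is useless against the bandwidth-exhaustion case.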

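David's fourth case, an internal user spoofing another host's address, is the one you can actually catch, and ARPwatch does it by remembering which MAC each IP was last seen with. The following is an added example written for this archive (it is not ARPwatch's own code) that replays a constructed list of ARP observations and raises the same kinds of alert: a new station, a changed MAC for a known IP, a flip-flop between two MACs, and one MAC answering for several IPs. The addresses, MACs and timestamps are made up.

```python
"""arpwatch-style monitor for IP/MAC binding changes on a local segment.

Added example for this thread; it is not arpwatch itself.  The ARP
observations below are constructed.  A real feed would come from sniffed
ARP replies or periodic reads of the switch/router ARP table.
"""
from collections import defaultdict

# Constructed: (timestamp, sender IP, sender MAC) from observed ARP replies.
SAMPLE_ARP = [
    (100, "203.0.113.10", "00:11:22:33:44:01"),
    (105, "203.0.113.11", "00:11:22:33:44:02"),
    (110, "203.0.113.10", "00:11:22:33:44:01"),  # unchanged, no alert
    (120, "203.0.113.10", "00:11:22:33:44:99"),  # .10 now claimed by a new MAC
    (125, "203.0.113.12", "00:11:22:33:44:02"),  # MAC of .11 also claims .12
    (130, "203.0.113.10", "00:11:22:33:44:01"),  # back to the old MAC: flip flop
]


def watch(observations):
    """Replay observations; return a list of (timestamp, kind, detail) alerts.

    kinds: 'new station', 'changed ethernet address', 'flip flop',
    'mac claims multiple ips'.  A user spoofing another host's IP shows up
    as 'changed ethernet address' with their real MAC in the alert; if they
    also spoof the victim's MAC, the two stations fight over the binding and
    it shows up as 'flip flop'.
    """
    ip_to_mac = {}
    earlier_macs = defaultdict(set)   # ip -> MACs it was bound to before
    mac_to_ips = defaultdict(set)     # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is None:
            alerts.append((ts, "new station", f"{ip} at {mac}"))
        elif prev != mac:
            kind = "flip flop" if mac in earlier_macs[ip] else "changed ethernet address"
            alerts.append((ts, kind, f"{ip}: {prev} -> {mac}"))
            earlier_macs[ip].add(prev)
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            # One MAC answering for several IPs can be a router, a proxy-ARP
            # gateway or NAT, so this is a lead to check, not proof of abuse.
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac claims multiple ips",
                               f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts


def alert_kinds(observations=SAMPLE_ARP):
    """Just the alert kinds, in order, for the given observations."""
    return [kind for _, kind, _ in watch(observations)]


if __name__ == "__main__":
    for ts, kind, detail in watch(SAMPLE_ARP):
        print(f"{ts:>5} {kind:<26} {detail}")
```

The monitor only sees the segment it is attached to, so it has to run (or have a sensor) on each VLAN where abuse is possible, and a quiet period after a genuine NIC replacement will produce one "changed ethernet address" that is expected rather than hostile.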
-----Original Message-----
From: Edgar EZL. Zapata Lucas [mailto:ezapata () grupodetector com]
Sent: Tuesday, October 04, 2005 1:04 AM
To: security-basics () securityfocus com
Subject: IPspoofing

We are concerned we are subject to DDoS attacks or any other, like 
social engineering, spoofing or password guessing.
We have little evidence, but want to be protected.

Since we have very little experience in security issues, how can we 
protect -at a practical level- against a let's say IP spoofing attack?
I know I can set up filters to drop external packets with internal 
source addresses, but I need to positively prevent this issue at a 
practical level.
I have no idea where to start.

Any help will be much appreciated.

Thanks and regards.


Edgar Zapata Lucas
IT Department.  CCNA - MCP
Departamento de Sistemas
DETECTOR, S.A.
Tel:  +34-91 490 30 30
Fax: +34 91 662 67 04
www.grupodetector.com
ezapata () grupodetector com

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in 
error), please notify the sender immediately and destroy this e-mail. 
Any unauthorised copying, disclosure or distribution of the material 
in this e-mail is strictly forbidden by current legislation. The 
points of view expressed in this e-mail are solely those of the author 
and may not necessarily be from, or supported by, the company.
DETECTOR S.A. neither assumes obligations nor accepts liability for 
the content of this e-mail, unless that information is subsequently 
confirmed by writing by a duly authorised representative

------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------

