Firewall Wizards mailing list archives

Re: IP Spoofing.


From: William Stearns <wstearns () pobox com>
Date: Sun, 19 Sep 1999 13:29:58 -0400 (EDT)

Good day, Christopher,
        Quick disclaimer - I do _not_ claim to be a wizard in this area
and would welcome any corrections to any mistakes I make below.  I'm
basing this on my best understanding of the topic, which is incomplete.

On Fri, 17 Sep 1999, Christopher C. Petro wrote:

> Ok, this is probably not the kind of request that most of you will
> want to answer, but I just got in an argument with my boss about IP
> spoofing. He claims it is not possible to spoof an IP number, whilst
> I am almost certain it is.
>
> Could anyone provide me with a link or pointer to information that I
> could use to prove him wrong, or to information that proves me wrong?

        Here's a proof of concept.  I'm certain others on this list can
come up with something more elegant, but this at least shows it can be
done.
        Say your Ethernet network is 12.13.14.0 and I want to create
packets that appear to be coming from 12.13.14.15 because I know it has
the ability to talk to the NFS server at 12.13.14.200.  Here's how I
configure my Linux box on the Internet:

        ifconfig ppp0:1 12.13.14.15 netmask 255.255.255.255 up
        route add -host 12.13.14.200 dev ppp0:1

        Now I ping 12.13.14.200 and the ping packet goes out from my
machine with a source address of 12.13.14.15 (see below for output).  If
your firewall doesn't look to see on which interface a packet arrives,
it'll accept this packet from the outside world and send it on to the
Ethernet LAN as if 12.13.14.15 itself had created the packet.
        To be sure, 12.13.14.200 will send any responses to spoofed
packets back to the _real_ 12.13.14.15.  This is what makes it hard to
hold a real conversation with 12.13.14.200, and especially hard to do the
3-way handshake for TCP.  Depending on the OS on .15 and how smart its IP
stack is, this might be next to impossible or just an annoying short
delay.

        If you don't have access to a Linux box or this example doesn't
work for you, think about this:  IP packets are nothing more than strings
of bytes.  Linux and other OSes allow you to create these packets by hand
if you choose and will gladly send these out on the wire.  Routers in
between make routing choices based on the _destination_ address.  You have
the ability to insert any 4-byte value into the source address location.
        On the other hand, it's certainly possible that the machine being
asked to spoof the packets, a router or firewall at the ISP, or any other
router or firewall in between might _drop_ the spoofing packet for having
a source address it shouldn't have, but none of the above are required to
do so.

        One way to kill spoofed packets is the following.  For each
network in your routing table (including 127.0.0.0/8, but not including
the default route), put in the following rule:

if a packet with a source address in network Q arrives on a NIC other than
the one leading to Q, drop it.

        The loopback interface needs a special exemption from spoofing;
if my eth0 IP is 192.168.11.12, it's perfectly legal to telnet to
192.168.11.12.  The packets for this telnet session will have both the
source and destination IP addresses set to 192.168.11.12, which would
normally have been dropped by the above spoof blocker.
        Cheers,
        - Bill

Ping command:
[wstearns@mylinuxbox /]$ ping 12.13.14.200
PING 12.13.14.200 (12.13.14.200) from 12.13.14.15 : 56 data bytes
[ctrl-c pressed]
--- 12.13.14.200 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss


And the tcpdump of the ppp0 interface:
[root@mylinuxbox /]# tcpdump -i ppp0 -qtn
tcpdump: listening on ppp0
12.13.14.15 > 12.13.14.200: icmp: echo request
12.13.14.15 > 12.13.14.200: icmp: echo request
12.13.14.15 > 12.13.14.200: icmp: echo request


---------------------------------------------------------------------------
        Q: Is it possible to set up masquerading timeouts so that a TCP
connection never expires even if there are no packets traveling?
        A: Sure.
        # ipchains -M -S 13564800 0 0
        That'll last you up until January 1, 2000, and after the rioting
will start and you won't have to worry about masquerading any more. 8-)
        -- Paul Rusty Russell <Paul.Russell () rustcorp com au>
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
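The two technical points in Bill's post, that an IP header is just bytes whose source field can hold any 4-byte value and that a per-route ingress rule (with a loopback exemption) catches such packets, can be shown together offline. The script below is an added example, not code from the post or from Bill's tools; the routing table, the firewall's own address 12.13.14.1, and the interface names are constructed assumptions. It builds an IPv4 header claiming to come from 12.13.14.15 (with a valid RFC 791 checksum), parses it back, and then applies the "source in network Q must arrive on the NIC leading to Q" rule to decide whether the packet would be accepted on ppp0 (outside), eth0 (inside) or lo.

```python
"""Craft an IPv4 header with an arbitrary source address, then run the
post's ingress anti-spoofing rule over it.  Stand-alone; nothing is sent."""
import ipaddress
import socket
import struct

# Constructed routing table, as a firewall would see it: each directly
# connected network and the interface that leads to it.  The default route
# is deliberately absent, as the post says.  (Assumption, not real config.)
ROUTES = {
    ipaddress.ip_network("12.13.14.0/24"): "eth0",   # inside LAN
    ipaddress.ip_network("127.0.0.0/8"): "lo",
}
# Addresses the firewall itself holds (assumed: .1 on eth0 plus loopback).
LOCAL_ADDRS = {ipaddress.ip_address("12.13.14.1"),
               ipaddress.ip_address("127.0.0.1")}


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = socket.IPPROTO_ICMP,
                      payload_len: int = 64, ttl: int = 64,
                      ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header.  The source field is whatever 4 bytes the
    caller supplies; nothing in the packet format checks that it is 'ours'."""
    ver_ihl = (4 << 4) | 5                  # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl,
                      proto, 0,             # checksum field zero while computing
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; a header with a good checksum sums to zero."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "src": ipaddress.ip_address(fields[8]),
        "dst": ipaddress.ip_address(fields[9]),
        "proto": fields[6],
        "ttl": fields[5],
        "checksum_ok": ip_checksum(pkt[:20]) == 0,
    }


def antispoof_verdict(pkt: bytes, ingress: str) -> str:
    """The post's rule: a source inside network Q must arrive on the NIC that
    leads to Q, else drop.  Sources matching no route (default-route traffic)
    are not judged by this rule at all."""
    hdr = parse_ipv4_header(pkt)
    if not hdr["checksum_ok"]:
        return "DROP: bad header checksum"
    src, dst = hdr["src"], hdr["dst"]
    # Loopback exemption: the host talking to its own eth0 address puts both
    # source and destination = that address on lo, which the rule below would
    # otherwise reject because that address routes via eth0.
    if ingress == "lo" and src in LOCAL_ADDRS and dst in LOCAL_ADDRS:
        return "ACCEPT"
    for net, dev in ROUTES.items():
        if src in net:
            if ingress != dev:
                return "DROP: source %s is in %s via %s, arrived on %s" % (
                    src, net, dev, ingress)
            return "ACCEPT"
    return "ACCEPT"


def send_raw(pkt: bytes) -> None:
    """How an OS 'gladly sends' such bytes: a raw socket with IP_HDRINCL so the
    kernel keeps our header, spoofed source included.  pkt is header plus a
    payload matching the header's total length.  Needs root; never called here."""
    dst = str(parse_ipv4_header(pkt)["dst"])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    spoofed = build_ipv4_header("12.13.14.15", "12.13.14.200")
    print(parse_ipv4_header(spoofed))
    for iface in ("ppp0", "eth0"):
        print(iface, "->", antispoof_verdict(spoofed, iface))
    print("lo ->", antispoof_verdict(
        build_ipv4_header("12.13.14.1", "12.13.14.1"), "lo"))
```

Running it prints the decoded header with source 12.13.14.15, a DROP verdict when that packet shows up on ppp0, ACCEPT when it shows up on eth0 where 12.13.14.0/24 actually lives, and ACCEPT for the host-to-itself case on lo that the exemption covers. Note that the rule only judges sources that match a route; a packet from an unrelated Internet address arriving on ppp0 passes this check untouched, which is exactly why the default route is left out.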