Security Incidents mailing list archives

Re: spoofed packets to RFC 1918 addresses


From: Daniel Polombo <polombo () cartel-securite fr>
Date: Thu, 27 Jun 2002 08:42:08 +0200

Dirk Koopman wrote:

> a) how the attackers are able to "guess" correct (i.e. existing) rfc1918
> addresses as, AFAIK, these are not being leaked through the firewall.

There are at least two possibilities that spring to mind:

- if you are using a web proxy for your protected network(s), the proxy may be adding an X-Forwarded-For field containing the rfc1918 address. Other protocols might provide the same kind of information as well.

- in some cases, the firewall may leak information about the protected network if there is some DNAT set up (and in particular, the recent advisory named "Linux Netfilter NAT/ICMP code information leak" by Philippe Biondi).

> b) how these packets are getting to me in the first place as they don't
> seem to be source routed.

That's the real catch. I think a number of ISPs don't filter rfc1918 addresses within their domains, letting BGP4 make sure they don't get routed outside instead. So, theoretically, a spoofed packet could make its way to a target not too far away (e.g., within the same AS).

I don't know of any automated tools that would do that, but building one using antirez's hping, for instance, shouldn't be too hard.

HTH,

  Daniel.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com