Security Incidents mailing list archives

RE: spoofed packets to RFC 1918 addresses

From: Shane Carroll <SCarroll () MeshNetworks com>
Date: Thu, 27 Jun 2002 13:16:58 -0400

Dirk,

        You are NATing.... Do you have any static NATs assigned to a
webserver for instance?  If someone were to plugin to your network and get a
DHCP address and type in http://www.yourserver.com they would recieve your
public address assigned to a static NAT.  Then you would ship off packets
with a source address from your private
network 10.x.x.x it would hit what ever device you are NATing with.  The
device would think it is being spoofed and drop the packet and log it....
I've seen this while using a Watchguard firewall.

To make a long story short it could be someone trying to get from you
internal network to your public website... but the router or firewall thinks
it is being spoofed... what ports are being sent from with the spoofed
addreses?

Regards--
Shane
-----Original Message-----
From: Kent Hundley [mailto:kent.hundley () prodigy net]
Sent: Thursday, June 27, 2002 1:54 PM
To: 'Dirk Koopman'; 'Incidents Mailing List'
Subject: RE: spoofed packets to RFC 1918 addresses


Dirk,

I'm not aware of such a tool, but there has been at least one bug in IIS
that allowed someone to obtain the actual address used by a server, so there
may be other ways to obtain this information not generally known.

However, if the packets have a destination address in the RFC1918 space, I
think you can conclude that they are in fact originating from the segment on
the outside of your firewall.  Unless something is seriously fubar'd on your
router _and_ your upstream ISP's router, there's no way short of source
routing to have packets with destination addresses in those ranges get to
your network from the Internet.

I would suspect either a misconfiguration of something on the outside of
your firewall or a compromise of something on the outside of your firewall.
Probably time to do some investigating of whatever devices you have on the
outside.  I'd also start looking at the source MAC of the packets and see
what ports on your switch are seeing that source MAC.

HTH,
Kent



-----Original Message-----
From: Dirk Koopman [mailto:djk () tobit co uk]
Sent: Wednesday, June 26, 2002 8:49 AM
To: Incidents Mailing List
Subject: spoofed packets to RFC 1918 addresses


There seems to be a "tool" about, which is somehow able to
detect valid rfc1918 addresses behind a NATed firewall and is spoofing
from addresses using random (usually non-existant) addresses from the
class C on the internet side of that firewall.

It isn't doing them any good as the packets are being dumped before they
get to the 'visible' class C (as I am making sure that packets from that
class C emanate only from the interface attached to that class C).

However, I am interested to know:

a) how the attackers are able to "guess" correct (ie existing) rfc1918
addresses as, AFAIK, these are not being leaked thru the firewall.

b) how these packets are getting to me in the first place as they don't
seem to be source routed.

c) which "tool" is doing this anyway.

Regards

Dirk Koopman
--
Please Note: Some Quantum Physics Theories Suggest That When the
Consumer Is Not Directly Observing This Product, It May Cease to
Exist or Will Exist Only in a Vague and Undetermined State.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
****************************************************************************
This e-mail is intended only for the addressee named above and may contain
confidential, proprietary or privileged information. If you are not the
named addressee or the person responsible for delivering the message to the
named addressee, please inform us promptly by reply e-mail, then delete the
e-mail and destroy any printed copy. The contents should not be disclosed to
anyone and no copies should be made. We take reasonable precautions to
ensure that our emails are virus free. However we accept no responsibility
for any virus transmitted by us and recommend that you subject any incoming
e-mail to your own virus checking procedures. 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

spoofed packets to RFC 1918 addresses Dirk Koopman (Jun 26)
- Re: spoofed packets to RFC 1918 addresses measl (Jun 27)
- RE: spoofed packets to RFC 1918 addresses Kent Hundley (Jun 27)
  - Re: spoofed packets to RFC 1918 addresses Barry Irwin (Jun 28)
- Re: spoofed packets to RFC 1918 addresses Daniel Polombo (Jun 27)
- Re: spoofed packets to RFC 1918 addresses jon schatz (Jun 27)
- Re: spoofed packets to RFC 1918 addresses Robert E. Lee (Jun 27)
- <Possible follow-ups>
- RE: spoofed packets to RFC 1918 addresses Shane Carroll (Jun 27)
- Fw: spoofed packets to RFC 1918 addresses HggdH (Jun 27)
- RE: spoofed packets to RFC 1918 addresses Sterling, Chuck (Jun 28)
- RE: spoofed packets to RFC 1918 addresses Keith T. Morgan (Jun 28)