Security Incidents mailing list archives

RE: Ip spoof from 0.0.0.0


From: Onsite West Houston <onsite () eforest net>
Date: Fri, 8 Nov 2002 18:24:33 -0600


        This is the first I heard of anybody maintaining a "bogus IP" list,
and on the surface it seems like it ought to be quite worthwhile. So I went
and checked out the site.

        Perhaps I'm missing something, but as I look at the site, what I see
are:

        (a) A list of most of the Class A addresses -- 75 of the 126
possible. It would seem easier to identify those Class A networks that are
live, most of them likely to be large ISPs, and expressly permit those
networks, rather than try to block a list of 75 -- the list of 51 issued
blocks can be consolidated into 13 CIDR table entries. The aggregated list
of blocked networks requires 23 CIDR entries.

                Also, it would appear that this list does not include
NAT/firewalled networks, which /also/ should never originate any inbound
traffic.

        (b) No Class B addresses -- of course all of them have been issued,
but many of them are buried behind firewalls, and some of them were never
actually connected to the Internet -- issued before commercial access was
possible.

        (c) These few Class C blocks -- which, except for the first one, are
probably short-lived on the list, as they're sure to be issued to somebody
pretty quickly.

                192.0.2.0/24
                197.0.0.0/8
                198.18.0.0/15
                201.0.0.0/8

        The remainder of those listed are the IANA private networks.

        169.254.0.0/16
        172.16.0.0/12
        192.168.0.0/16

        and the loopback network

        127.0.0.0/8  -- which I'm not sure should ever be configured to be
ignored, as it would be somewhat difficult to ping your own loopback.

        So.. with the list as short as it is ... I fear I'm missing the
point of publishing and maintaining the list. As I understand the purpose of
the list is to identify networks that traffic should /never/ originate from.
But from a security perspective, the list is definitely incomplete, as it
appears to not consider issued but never-to-be-connected blocks of
addresses, such as those behind NAT/firewalls or never connected at all. It
would seem those networks are the most likely to be source addresses used
for spoofing attacks, rather than those known to not be issued.

        Somebody please enlighten me if I've missed something significant.

        Thanks!
_________________________________________
Lawrence Garvin
Principal/CEO
Onsite West Houston
http://onsite.eforest.net
ICQ#: 38440195
_________________________________________



-----Original Message-----
From: Jason Robertson [mailto:jason () ifuture com]
Sent: Thursday, November 07, 2002 9:17 PM
To: Nexus; incidents () securityfocus com
Cc: incidents () securityfocus com
Subject: Re: Ip spoof from 0.0.0.0


For all of you who want the list of bogus IP's

http://www.cymru.com/Documents/bogon-list.html

As for 0.0.0.0, it is used for DHCP, but it shouldn't go beyond your
gateway, or anyone else's.

Also the addressing is usually 0.0.0.0 -> 255.255.255.255 67 
At least on our network at work...

On 6 Nov 2002 at 23:53, Nexus wrote:

From:                   "Nexus" <nexus () patrol i-way co uk>
To:                     "Frank Cheong" <chocobofrank () hotmail com>,
        "Paul Gillingwater" <paul () lanifex com>
Copies to:              <incidents () securityfocus com>
Subject:                Re: Ip spoof from 0.0.0.0
Date sent:              Wed, 6 Nov 2002 23:53:10 -0000


----- Original Message -----
From: "Paul Gillingwater" <paul () lanifex com>
To: "Frank Cheong" <chocobofrank () hotmail com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, November 06, 2002 7:08 PM
Subject: Re: Ip spoof from 0.0.0.0

[snip]
your router, not the remote attacker.  The best you could do is ask your
upstream ISP to filter outgoing traffic to drop IP packets with invalid
source addresses like 0.0.0.0.
[snip]

Good advice, also good luck ;-)
Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
through ISPs - quite scary how far you get sometimes before somebody with
clue > 0 has been at the router configs and it gets dropped...

Cheers.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




--
Jason Robertson                
Now at the Nation Research Council.



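Added example, written for this archive page and not code from any poster on the thread: a Python script that collapses a prefix list into the fewest CIDR entries (the consolidation Lawrence's 13-versus-23 entry count relies on) and then flags firewall log lines whose source address falls inside a bogon prefix, which is the ingress-filter check Paul and Nexus describe. The prefix subset and the log lines are constructed for the example; 198.51.100.0/24 is documentation space standing in for public addresses.

```python
import ipaddress
import re

# Constructed subset of a bogon list (assumption): the reserved/private prefixes
# named in the thread plus 0.0.0.0/8 and 10.0.0.0/8. A production filter must be
# generated from a maintained list, since unallocated space changes over time.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
)]

def aggregate(prefixes):
    """Collapse adjacent or nested prefixes into the fewest CIDR entries."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]

def match_bogon(src):
    """Return the bogon prefix containing src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    for net in BOGONS:
        if addr in net:
            return str(net)
    return None

# Constructed iptables-style log lines for packets arriving on the external
# interface, where private or loopback sources are spoofed rather than local.
SAMPLE_LOG = """\
Nov  8 18:24:33 fw kernel: IN=eth0 SRC=0.0.0.0 DST=198.51.100.1 PROTO=UDP SPT=68 DPT=67
Nov  8 18:24:34 fw kernel: IN=eth0 SRC=198.51.100.4 DST=198.51.100.1 PROTO=TCP DPT=80
Nov  8 18:24:35 fw kernel: IN=eth0 SRC=192.168.1.7 DST=198.51.100.1 PROTO=ICMP
Nov  8 18:24:36 fw kernel: IN=eth0 SRC=198.18.4.9 DST=198.51.100.1 PROTO=TCP DPT=22
"""
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def flag_spoofed(log_text):
    """Return (source, matching_prefix) for each line whose source is a bogon."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        prefix = match_bogon(m.group(1))
        if prefix:
            hits.append((m.group(1), prefix))
    return hits

if __name__ == "__main__":
    print(aggregate(["192.168.0.0/17", "192.168.128.0/17",
                     "198.18.0.0/16", "198.19.0.0/16"]))
    for src, prefix in flag_spoofed(SAMPLE_LOG):
        print(f"spoofed source {src} (in {prefix})")
```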