nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ISP port blocking practice

From: William Herrin <bill () herrin us>
Date: Thu, 2 Sep 2010 18:45:47 -0400
On Thu, Sep 2, 2010 at 5:59 PM, Zhiyun Qian <zhiyunq () umich edu> wrote:

http://www.eecs.umich.edu/~zhiyunq/pub/oakland10_triangular-spamming.pdf

One of the high-level findings is that we developed probing techniques
to verify that indeed most ISPs are only blocking 1) "outgoing traffic
of destination port 25" instead of 2) "incoming traffic with source
port 25", which means that these ISPs are vulnerable to the
assymetric routing attack.


If I understand your idea correctly:

1. GoodNet filters TCP destination port 25 packets from his customer
PwndBox, preventing PwndBox from spamming.

2. BadGuy on BadNet sends a forged TCP SYN packet to SpamVictim
allegedly from PwndBox on GoodNet.

3. PwndBox receives the response packets from SpamVictim and tunnels
them to BadGuy allowing BadGuy to complete the spam.

4. GoodNet didn't stop it because PwndBox never sent any packets to TCP port 25.

5. Since the IP address used was GoodNet's, GoodNet's reputation is damaged.

6. GoodNet could prevent this attack vector by also blocking packets
with TCP source port 25 sent -to- PwndBox.

Is that correct?

I observe that if PwndBox is behind a stateful firewall such as a COTS
NAT box, that also prevents this attack.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin () dirtside comĀ  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Previous By Date Next
Previous By Thread Next

Current thread: