Forwarded message: >From firewalls-owner@GreatCircle.COM Thu Aug 24 17:36:29 1995 Date: Wed, 23 Aug 1995 18:00:08 +0200 Message-Id: <199508231600.SAA04320@utopia.hacktic.nl> Subject: Re: IP Spoofing To: Firewalls@GreatCircle.COM From: nobody@REPLAY.COM (Anonymous) Organization: RePLaY aND CoMPaNY UnLimited XComm: Replay may or may not approve of the content of this posting XComm: Report misuse of this automated service to Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Subject: IP spoofing ? > Forgive my total lack of understanding of any of the lower level IP > stuff, but I was wondering about the threat caused by IP spoofing. It > seems to me that if a server only allowed local clients to access it, > and if there was a gateway to the rest of the world, that IP spoofing > wouldn't help the potential hacker much because the IP packets wouldn't > ever make it out of the local network. Correct- they won't make it out of the local network. > (I would think that they'd be routed to the local network rather than > through the gateway.) (Needless to say that meens that our local network > is trusted and I don't expect any of our local machines to need to spoof > any others.) The danger is that the packets don't have to leave the network to be useful in hacking. Think of this-- NORMAL: - System A tries to open a connection to system B. System B accepts the connection (or not) and sends back a response- the connection gets established and they talk all normal-like and stuff. - Requires trust between A and B. SOURCE-ROUTE: - System A wants to 'fake' one of your systems addresses to talk w/ system B (the address to be 'faked' is assumed trusted to B). The exact same thing happens as above except the first-hop gateway from system A has been set up to route YOUR netmask to system A and system A has been set up w/ the trusted address on your net. The other diff is that system A is 'source routing' (LSR if distant) to your net w/ the first-hop's address in the route, so when system B answers its buddy the trusted system, the packets are actually going to system A's first-hop and getting routed to system A. Complex, ugly. The fix is to disallow source-routing o'course. - Requires control of first-hop routing from A and that system B's net allows source-routing. SPOOF (DNS spoofing) - System A finds r* programs on system B and modifies the reverse DNS entries for system A to look like a system that B trusts. System A connects to system B, B looks up the DNS entry and gets back a host that B trusts. Easy, ugly. Fix is tcp-wrappers or replace r*'s. - Requires control of reverse DNS tables w/ system A's address and the default/stupid r* command daemons on system B. SPOOF (DNS spoofing w/ cache poison) - As above but system A 'volunteers' an IP address in an MX record to system B's DNS cache so that if tcp-wrappers are running the second lookup and compare w/ also succeed. Harder, ugly. The fix is to stop allowing r* services. - Requires control of DNS tables w/ system A's address and that system B be using r* daemons (various other related attacks are possible) SPOOF (IP level 'blind' spoofing): - System A shuts down the trusted host on your network via quirks in the implementations of TCP/IP (or waits for it to go down or whatever). System A sends a non-source-routed connect packet to system B using the trusted hosts's network address, just like the trusted host would have done if it were initiating a connection. System B sends out the response to it's buddy and it stays on the local subnet (why would it have any desire to leave ?). System A never gets the response, but the seq# guessing code doesn't care, it just guesses the next seq# in the chain of packets that system B would expect and pretends it has an open connection (which to system B it does, but system A has no way of really knowing that- thus, it (system A) is acting 'blind'). The point of the exercise is to send system B something that gives system A some kind of access/feedback. The fix, don't allow external packets into your network that have internal addresses. Easy, ugly. - Requires system B's net to allow external packets w/ internal addresses. > I attempted to ask this question of a local consultant who gave me "I > won't tell, 'cause then you'll hack into people's computers" B.S. I > would hope that people would try to understand what a consultant was > proposing to solve their computer problems, especially when you're > considering security. (i.e: my consultant is not "trusted") Find a new consultant- you're paying him/her for expertise not BS. > P.S. Are there any GREAT books out there on internet security issues > that anyone would recommend? Thought about it, never had the time to write one. > Thanks for the help, > - shawn > > Shawn Steele > Information Systems Administrator > Association of Brewers (303) 447-0816 x 118 (voice) > 736 Pearl Street (303) 447-2825 (fax) > PO Box 1679 shawn@aob.org (e-mail) > Boulder, CO 80306-1679 info@aob.org (aob info) > U.S.A. http://www.aob.org/aob (web) > > Note: When replying to my messages, please include enough of my > message so that I know what you're replying to! :-) A followup message said: > Forgive my total lack of understanding of any of the lower level IP > stuff, but I was wondering about the threat caused by IP spoofing. It > seems to me that if a server only allowed local clients to access it, > and if there was a gateway to the rest of the world, that IP spoofing > wouldn't help the potential hacker much because the IP packets wouldn't > ever make it out of the local network. (I would think that they'd be > > The thing about IP spoofing is that it overrides the > routing tables in your routers. You specify the path > the packets will take in the little used options field > in the IP header. There are other TCP/IP attacks where > you can hijack a connection between one machine that > trusts another but this is much more difficult. > > Lyndon See above, that's a source-routing attack. Using RIP or another routing protocol to modify the behavior of a between-hop router has the same or similar effect if done properly. If the only tool you have is a hammer, every problem looks like a nail. Anon. -- +----------------------------------+-----------------------------------------+ | Julian Assange | "if you think the United States has | | | has stood still, who built the largest | | proff@suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+