Hello! Let´s say i have a big LAN, with a few gateways and a firewall. As bigger your networks get´s the more you will be conflicted with pepole who want to "explore" your LAN. Thats why i was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous, i couldn´t think of an good example. Thank you! Spiekey
Thats why i was wondering how you can detect spoofing hosts. Don't they show up in your logs? I know NT detects when another machine
I'm a Unix security newbie and missed the start of this thread. But I like what you say and am interested in any responses. tries to use the same IP - I guess Linux would too?
And why can spoofing be so dangerous, i couldn´t think of an good example. Many daemons rely on IP address authentication, look at tcpd, Apache even NFS and NIS.
If I can pretend to be your NIS master then I can gain access to your machine. If I pretend to be an NFS client I can view (and possible write to) NFS exports. -- Simon Oliver
From: spiekey [mailto:spiekey@hotmail.com] Sent: Tuesday, October 30, 2001 2:37 PM To: suse-security@suse.com Subject: [suse-security] how to detect spoofing hosts Hello! Let´s say i have a big LAN, with a few gateways and a firewall. As bigger your networks get´s the more you will be conflicted with pepole who want to "explore" your LAN. Thats why i was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous, i couldn´t think of an good example. Thank you! Spiekey try using arpwatch. It will detect IP-Spoofing if the attacker is unable to spoof his MAC.
On Tue, 30 Oct 2001, Andreas Achtzehn wrote: hi,
From: spiekey [mailto:spiekey@hotmail.com] Sent: Tuesday, October 30, 2001 2:37 PM To: suse-security@suse.com Subject: [suse-security] how to detect spoofing hosts
Hello! Let´s say i have a big LAN, with a few gateways and a firewall. As bigger your networks get´s the more you will be conflicted with pepole who want to "explore" your LAN. Thats why i was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous, i couldn´t think of an good example. Spoofing is dangerous because some services still rely on source-addresses for authentication. This is depreciated behaivior, however. Spoofing from external net into LAN maybe allows to bypass firewall-rules; dangerous too. Setting up the firewall to block traffic on external device which seem to come from internal addresses should be included in standard-configuartion. Linux kernel is capable of doing some 'consistency-checks' on his own if rp_filter in /proc is set. It uses the routing table to determine whether or not the packet could have arrived regulary on the specific device.
Thank you!
Spiekey
try using arpwatch. It will detect IP-Spoofing if the attacker is unable to spoof his MAC.
Well, arpwatch is just a reporting mechanism, and it sends mail to the sysop if it detected a ARP-poisoning attack, but its like telling the attacker himself that he succeeded. :-) [because arpwatch probably needs ARP-table entries:] Its probably better to enable port-security on your switches. Sebastian -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
On Tue, 30 Oct 2001, spiekey wrote:
Hello! Let�s say i have a big LAN, with a few gateways and a firewall. As bigger your networks get�s the more you will be conflicted with pepole who want to "explore" your LAN. Thats why i was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous, i couldn�t think of an good example.
Quick answer: you can detect spoofing hosts if they pretend to be an IP address that you run. You get logs on one machine saying it got a request from a particular IP address; but on the machine that has that IP address, it doesn't say the request was sent. Also, if a packet headed for another machine goes by the same ethernet segment that the machine whose IP address it's using is on, then the machine whose IP address the spoofer is pretending to have will log the event. Spoofing is dangerous because most networks allow extra priveleges to machines in some ranges of IP addresses (the "local network", or "network peers") or huge priveleges to particular machines (servers, controllers, etc). Spoofing is therefore a way for crackers to get the priveleges of those machines. Bear
Reserved class A's you should NEVER see traffic from (at least until they start getting desperate for IP's): 0.0.0.0/255.0.0.0 1.0.0.0/255.0.0.0 2.0.0.0/255.0.0.0 5.0.0.0/255.0.0.0 7.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0 23.0.0.0/255.0.0.0 27.0.0.0/255.0.0.0 31.0.0.0/255.0.0.0 36.0.0.0/254.0.0.0 39.0.0.0/255.0.0.0 41.0.0.0/255.0.0.0 42.0.0.0/255.0.0.0 58.0.0.0/254.0.0.0 60.0.0.0/255.0.0.0 68.0.0.0/252.0.0.0 72.0.0.0/248.0.0.0 82.0.0.0/254.0.0.0 84.0.0.0/252.0.0.0 88.0.0.0/248.0.0.0 96.0.0.0/224.0.0.0 197.0.0.0/255.0.0.0 219.0.0.0/255.0.0.0 220.0.0.0/252.0.0.0 multicast (almost no-one uses this). 224.0.0.0/224.0.0.0 Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
From: Kurt Seifried [mailto:listuser@seifried.org]
Reserved class A's you should NEVER see traffic from (at least until they start getting desperate for IP's):
0.0.0.0/255.0.0.0 1.0.0.0/255.0.0.0 [...]
Where do you derive that information from? Right now some of the networks still belong to IANA (--> unused), but how can a system administrator be sure that the network won't be opened within the next few days? In worst case I'd deny access to my network for 254^3 IPs. Regards, Andreas
Yup, On 30-Oct-01 Andreas Achtzehn wrote:
From: Kurt Seifried [mailto:listuser@seifried.org]
Reserved class A's you should NEVER see traffic from (at least until they start getting desperate for IP's):
0.0.0.0/255.0.0.0 1.0.0.0/255.0.0.0 [...]
Where do you derive that information from? Right now some of the networks still belong to IANA (--> unused), but how can a system administrator be
sure that the network won't be opened within the next few days? In worst case I'd deny access to my network for 254^3 IPs.
updates concerning reserved IANA netblocks can be found on http://www.iana.org/assignments/ipv4-address-space . Take a look at it every month or so... All the address blocks marked as "IANA - Reserved" should be blocked on the FW; no legitimate traffic should come from there.
Regards, Andreas
Boris Lorenz <bolo@lupa.de> ---
Where do you derive that information from? Right now some of the networks still belong to IANA (--> unused), but how can a system administrator be sure that the network won't be opened within the next few days? In worst case I'd deny access to my network for 254^3 IPs. If you enable logging and use logcheck or something similar, you will notice connection attempts anyway. If you can traceroute them back and find it at the below given URL, open up the net. updates concerning reserved IANA netblocks can be found on http://www.iana.org/assignments/ipv4-address-space . Take a look at it every month or so...
Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
simple. I check packet filters once in a while. Typically the only class in that block showing activity is 10.*. Hmm. So yeah. Considering how many people hit some of my servers if there was ANYTHING on those netblocks I would have seen it in the last year or so. -Kurt
Yup, On 30-Oct-01 spiekey wrote:
Hello! Let�s say i have a big LAN, with a few gateways and a firewall. As bigger your networks get�s the more you will be conflicted with pepole who want to "explore" your LAN.
That's right. Spoofing also takes places from the inside to the outside world, so it's equally important to train your boarder routers/firewalls to drop any packet pretending to originate from an other network than the one you're in. A simple anti-spoofing technique would include a couple of filtering rules on the router which drop any packets coming in on the world-dev of the router, but pretending to originate from the internal LAN.
Thats why i was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous, i couldn�t think of an good example.
If you suspect a TCP connection to be spoofed, one way of verifying it would be to measure/calculate the real TTL between you and the suspicious IP. The attacker normally sits on an other part of the internet, so it's likely that his/her spoofing alters the original TTL of the packets and thus might give you a clue that something is wrong. However, it's very important that this TTL measurement/calculation is done immediately, before any routes may change; as this is most likely, and even the most determined admin at least needs a couple of hours of nights' rest, the TTL method is not useable for forensics/post-mortem analysis of cracked hosts. You cold use tcpdump or snort together with a script to log the TTLs and do some measurements, but there's also a tool called despoof, written by Simple Nomad/Razor, which does just that. Get it from http://razor.bindview.com/tools/index.shtml . Furthermore, spoofing detection for internal LANs may be done by MAC address logging/examining; it's always suspicious if a certain IP first comes from MAC a, but ten minutes later from MAC b, and so on, specially if there's no DHCP.
And why can spoofing be so dangerous, i couldn�t think of an good example.
Spoofing, done correctly, is indeed very dangerous. For example, if you use a packet filter firewall (ipchains) and some faulty tcp DNS rules (e. g. for zone transfers) where a certain IP of a nameserver (say from your provider) has unlimited access to your system (I have many examples of this in my book), an attacker could abuse this trust-relationship to impersonate the host you trust in, which would render any firewall and IDS useless. Imagine four hosts on the internet, A, B, C and D. A would be the target, B the host the target trusts in, C an unreachable host, and D would be the attacker. Now, the attacker has to make sure that the trusted host (B) is not reachable by the target (A) anymore. For this, (s)he could use some sort of SYN flooding to make sure the real trusted host B does not tap into the spoofed communication between the attacker and the target. As a return-address, the attacker uses the one of host C (an unreachable host, prolly a ntp server or any other existing IP which does not respond, e. g. to icmp packets). B now desperately tries to contact C, but since C does not respond (and B has a lot of half-assed SYNs in its backlog), B's requests take their time while the attack continues... After D (the attacker) has successfully SYN flooded B (the trusted host), D connects to A (e. g. on the smtp port (25)) and writes down the initial sequence number (ISN) of the packets coming back from A. Every packet has its own sequence number, which is the core of the connection-oriented TCP protocol, as TCP guarantees that any packet will reach its destination, and will not arrive twice. The trick of the spoofing attack is to find out the current/next TCP sequence number of the packets destined for host A. Which can difficult, since A might server other clients in the meantime, which again alters the sequence numbers. Now D sends packets to certain ports (with "certain" requests...) to A, with the IP of B (the trusted host). If the sequence number of the packet A has sent was right and B is still unable to answer due to the aforementioned SYN flood, A would believe that D really is B, and would proceed with the normal three-way handshake... [...] voila, another one bites the dust... This (simplified) example of IP spoofing shows that it's highly dangerous to set up a trust relationship between hosts on the internet, if the only means of authorization between these hosts would be their IP address (rlogin, rsh, any "r" command, but also (improperly configured) sshd...etc...). A little bit of trust relationship may lead to a complete compromise of a host, even if this particular host has been put behind a firewall or generally is rated as "safe".
Thank you!
Spiekey
Boris Lorenz <bolo@lupa.de> ---
* Boris Lorenz; <bolo@lupa.de> on 30 Oct, 2001 wrote:
transfers) where a certain IP of a nameserver (say from your provider) has unlimited access to your system (I have many examples of this in my book), an ^^^^^^^^^^^^^^^^ and the name of the book is ..................
-- Togan Muftuoglu
Heya, On 30-Oct-01 Togan Muftuoglu wrote:
* Boris Lorenz; <bolo@lupa.de> on 30 Oct, 2001 wrote:
transfers) where a certain IP of a nameserver (say from your provider) has unlimited access to your system (I have many examples of this in my book), an ^^^^^^^^^^^^^^^^ and the name of the book is ..................
Sorry Togan, I think you misunderstood that. My sentence "I have many examples of this in my book" means that, according to my experience, I have seen many firewall installation with buggy DNS rules. Anyway, thanks for your interest! ;) Currently I'm about to assemble a security website (yet another one), with all the stuff I've seen/discovered/experienced, and a load of carefully chosen documents which are hard to find, an extensive bibliography, and more... Hide your faces, SecurityFocus, here comes Bolo! ;))) I will post the URL as soon as it's finished (which will take some more time I guess...). Regards, Boris <bolo@lupa.de> (who is hungry'n'sleepy and wants to go home now, but can't :) ---
Hi there, * Boris Lorenz; <bolo@lupa.de> on 30 Oct, 2001 wrote:
Sorry Togan, I think you misunderstood that. My sentence "I have many examples of this in my book" means that, according to my experience, I have seen many firewall installation with buggy DNS rules.
I am becoming bugs bunny or maybe the new word I learned the day before "fachidiot" the best word I heard so far. :-)
Anyway, thanks for your interest! ;)
I will post the URL as soon as it's finished (which will take some more time I guess...).
Looking forward for more carrots :-) Bye -- Togan Muftuoglu
participants (9)
-
Andreas Achtzehn -
Boris Lorenz -
Kurt Seifried -
Markus Gaugusch -
Ray Dillinger -
Sebastian Krahmer -
Simon Oliver -
spiekey -
Togan Muftuoglu