Subject: [snort] Spoofed IP source detection
From: per.thorsheim@no.pwcglobal.com
Date: Thu Mar 30 2000 - 03:01:42 CST
Hello everybody.
Although most people prefer to do ingress(1) and egress(2) filtering
on their routers in order to filter incoming and outgoing traffic, I'm
interested in putting together a complete list of rules for detecting
private and 'suspicious' source IP addresses.
In the SANS document "Help Defeat Denial of Service Attacks:
Step-by-Step" (3), they list the following networks:
0.0.0.0/8 - Historical Broadcast
10.0.0.0/8 - RFC 1918 Private Network
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link Local Networks
172.16.0.0/12 - RFC 1918 Private Network
192.0.2.0/24 - TEST-NET
192.168.0.0/16 - RFC 1918 Private Network
224.0.0.0/4 - Class D Multicast
240.0.0.0/5 - Class E Reserved
248.0.0.0/5 - Unallocated
255.255.255.255/32 - Broadcast
However, the IANA IPv4 address space list (4) lists these
networks in addition to those above as 'special' IP blocks:
1.0.0.0/8 - IANA reserved
2.0.0.0/8 - IANA reserved
5.0.0.0/8 - IANA reserved
7.0.0.0/8 - IANA reserved
14.0.0.0/8 - IANA - Public data network (?)
23.0.0.0/8 - IANA reserved
24.0.0.0/8 - IANA cable block
27.0.0.0/8 - IANA reserved
31.0.0.0/8 - IANA reserved
37.0.0.0/8 - IANA reserved
39.0.0.0/8 - IANA reserved
41.0.0.0/8 - IANA reserved
42.0.0.0/8 - IANA reserved
58.0.0.0/8 - IANA reserved
59.0.0.0/8 - IANA reserved
60.0.0.0/8 - IANA reserved
65-95.0.0.0/8 - IANA reserved
96-126.0.0.0/8 - IANA reserved
197.0.0.0/8 - IANA reserved
217.0.0.0/8 - IANA reserved
218-223.0.0.0/8 - IANA reserved
240-255.0.0.0/8 - IANA reserved
Now for some questions (which relate to ingress/egress filtering,
as well as the SNORT rules I'm interested in setting up...)
1. Can I filter away all these IP addresses in my border routers, since
they are (probably) not being used (at the moment?). Or are some of
these legitimately in use on the Internet today?
2. How can we easily create SNORT rules that will detect
TCP/UDP/ICMP packets with a source address within any of these
address blocks? If we have to create rules of type:
alert tcp 1.0.0.0/8 any -> $home_net
alert udp 1.0.0.0/8 any -> $home_net
alert icmp 1.0.0.0/8 any -> $home_net
....
etc for every netblock listed above, it will be lots of rules..
I'm looking for the best way to create as few, but efficient SNORT
rules as possible....
3. Does anybody know if various scanning/attack tools which
use spoofed source IP addresses actually adhere to these
reservations, so that they don't use them as source IP addresses?
My point here is that I don't care what protocol or destination
a packet has; as long as it originates from a 'reserved' IP address,
it should be seen as suspicious or obviously illegal activity
(depending on the location of your SNORT box, of course).
Any opinions or answers?
- Per
(1) RFC 2267 - Network Ingress Filtering - Defeating Denial of...
P. Ferguson, D. Senie
ftp://ftp.isi.edu/in-notes/rfc2267.txt
(2) Egress filtering, C. Brenton
http://www.sans.org/y2k/egress.htm
(3) Help Defeat Denial of Service Attacks: Step-by-Step
http://www.sans.org/dosstep/index.htm
(4) Internet Protocol Address Space, IANA
http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
(See also RFC 2050, which obsoletes RFC 1466)
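Question 2 asks for as few rules as possible. One way, added here as an example and not part of the original post or of Snort itself, is to keep the netblocks the post lists as data, check any source address against them, and emit one rule per protocol with a bracketed address list instead of one rule per block. It assumes a Snort build that accepts `[a,b,...]` lists in the rule header; the sample packets are constructed.

```python
import ipaddress

# Netblocks exactly as listed in the post: the SANS "Help Defeat DoS" list,
# then the IANA 'special' /8 blocks (the post's "65-95" shorthand is expanded).
SANS_BLOCKS = """0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5
255.255.255.255/32"""
IANA_SLASH8 = """1 2 5 7 14 23 24 27 31 37 39 41 42 58 59 60 65-95 96-126 197
217 218-223 240-255"""


def expand_slash8(spec):
    """Turn '65-95' style tokens into one /8 network per first octet."""
    nets = []
    for token in spec.split():
        lo, _, hi = token.partition("-")
        for octet in range(int(lo), int(hi or lo) + 1):
            nets.append(ipaddress.ip_network(f"{octet}.0.0.0/8"))
    return nets


BOGONS = [ipaddress.ip_network(n) for n in SANS_BLOCKS.split()] + expand_slash8(IANA_SLASH8)


def bogon_match(src):
    """Return the first listed block containing src, or None for an ordinary address."""
    addr = ipaddress.ip_address(src)
    return next((net for net in BOGONS if addr in net), None)


def snort_rules(home_net="$HOME_NET"):
    """One rule per protocol using a bracketed address list (assumed Snort syntax)."""
    addr_list = "[" + ",".join(str(n) for n in BOGONS) + "]"
    return [f'alert {proto} {addr_list} any -> {home_net} any '
            f'(msg:"Packet from reserved source block ({proto})";)'
            for proto in ("tcp", "udp", "icmp")]


def flag_packets(packets):
    """packets: iterable of (src, dst, proto); returns those with a reserved source."""
    return [(src, dst, proto, str(bogon_match(src)))
            for src, dst, proto in packets if bogon_match(src) is not None]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [("10.1.2.3", "203.0.113.5", "tcp"), ("8.8.8.8", "203.0.113.5", "udp"),
              ("70.1.1.1", "203.0.113.5", "icmp"), ("250.1.1.1", "203.0.113.5", "tcp")]
    for hit in flag_packets(sample):
        print("suspicious:", hit)
    print(snort_rules()[0][:80], "...")
```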