Subject: Re: [snort] Spoofed IP source detection
From: Fyodor (fygrave scorpions.net)
Date: Thu Mar 30 2000 - 06:13:16 CST
>
> 1. Can I filter away all these IP addresses in my border routers, since
> they are (probably) not being used (at the moment?). Or are some of
You can and definitely should filter out 0.0.0.0 src/dst packets and
loopback stuff, also dst of internal IP blocks. Sometimes you get `legal'
packets with an internal IP address in the source field (f.e. when you hit some
point-to-point link with traceroute which uses an internal IP address block),
so packets sourced from internal networks probably should be filtered out
on your internal interface(s). Multicast IP block should not be routed, but
it should not be rejected usually either, because it's being used by
neighbor routers for solicitation. Local broadcast should definitely be
filtered out too, and I have no idea about those IANA blocks. :)
>
> 3. Does anybody know if various scanning/attack tools which
> use spoofed source IP addresses actually adhere to these
> reservations, so that they don't use them as source IP addresses?
Various DoS tools could be configured/used with these ranges among
the others. As for scanning, I would use these ranges intentionally. After
all, the purpose of using decoy hosts is to make it hard to figure out which
packets are coming from the true origin and which packets are spoofed.
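
The filtering advice in the reply above, written out as an added Python example (not code from the thread or from Snort). It assumes the RFC 1918 ranges stand in for the "internal IP blocks" and that internal-source packets seen at the border are logged rather than dropped, following the traceroute caveat; the function name, verdict labels and sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for the reply's "internal IP blocks".
INTERNAL_BLOCKS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def _internal(addr):
    return any(addr in net for net in INTERNAL_BLOCKS)


def border_verdict(src, dst):
    """Classify one IPv4 packet arriving on the external interface.

    Returns (verdict, reason); verdict is 'drop', 'local-only', 'log' or 'forward'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Addresses that are never valid on the wire at a border, as src or dst.
    for label, addr in (("src", s), ("dst", d)):
        if addr.is_unspecified:
            return "drop", f"{label} is 0.0.0.0"
        if addr.is_loopback:
            return "drop", f"{label} is loopback"
        if addr == LIMITED_BROADCAST:
            return "drop", f"{label} is local broadcast"
    # Multicast: neighbor routers use it, so accept locally but never route it.
    if d.is_multicast:
        return "local-only", "multicast dst: accept on the router, do not route"
    if _internal(d):
        return "drop", "dst is an internal block"
    # Internal source from outside: spoofed, or a point-to-point link
    # answering traceroute from a private address. Log for review.
    if _internal(s):
        return "log", "src is an internal block"
    return "forward", "no rule matched"


# Constructed sample packets (documentation and private ranges only).
SAMPLE = [("0.0.0.0", "203.0.113.10"), ("127.0.0.1", "203.0.113.10"),
          ("198.51.100.7", "255.255.255.255"), ("198.51.100.1", "224.0.0.2"),
          ("198.51.100.7", "192.168.1.5"), ("10.1.2.3", "203.0.113.10"),
          ("198.51.100.7", "203.0.113.10")]

if __name__ == "__main__":
    for src, dst in SAMPLE:
        verdict, reason = border_verdict(src, dst)
        print(f"{src:>15} -> {dst:<15} {verdict:<10} {reason}")
```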