Subject: Re: [snort] Spoofed IP source detection
From: per.thorsheim@no.pwcglobal.com
Date: Thu Mar 30 2000 - 07:52:56 CST
- Next message: Fyodor: "Re: [snort] Spoofed IP source detection"
- Previous message: Martin Roesch: "Re: [snort] Snort 1.7 projected features"
- Maybe in reply to: per.thorsheim@no.pwcglobal.com: "[snort] Spoofed IP source detection"
- Next in thread: Fyodor: "Re: [snort] Spoofed IP source detection"
- Maybe reply: per.thorsheim@no.pwcglobal.com: "Re: [snort] Spoofed IP source detection"
- Reply: Fyodor: "Re: [snort] Spoofed IP source detection"
- Reply: Dave Dittrich: "Re: [snort] Spoofed IP source detection"
Fyodor <fygrave@scorpions.net> on 03/30/2000 01:13:16 PM
PT> 1. Can I filter away all these IP addresses in my border routers, since
PT> they are (probably) not being used (at the moment?). Or are some of
>you can and definitely should filter out 0.0.0.0 src/dst packets and
>loopback stuff, also dst of internal ip blocks. Sometimes you get `legal'
>packets with internal IP address in source field (f.e. when you hit some
>point-to-point link with traceroute which uses internal IP addresses block)
>so packets sourced from internal networks probably should be filtered out
>on your internal interface(s). Multicast IP block should not be routed, but
>it should not be rejected usually either, because it's being used by
>neighbor routers for solicitation. Local broadcast should definitely be
>filtered out either and I have no idea of those IANA blocks.:)
Yep, I completely agree with you on 0.0.0.0, loopback etc.
Those listed in the SANS document should be seen as a minimum.
My hypothetical configuration is a SNORT box connected to a HUB,
which again is between a router connecting 'my' network to the Internet,
and a firewall. Nothing else. (Webserver, mailserver etc. are all on one
or more DMZs.)
In such a configuration I guess that you won't see much traffic originating
from, or going to, most (if not all) of the listed IP blocks... :-)
PT> 3. Does anybody know if various scanning/attack tools which
PT> use spoofed source IP addresses actually adhere to these
PT> reservations, so that they don't use them as source IP addresses?
>various DoS tools could be configured/used with these ranges among
>the others. As for scanning, I would use these ranges intentionally. After
>all the purpose of using decoy hosts is to make it hard to figure out what
>packets are coming from true origin and what packets are spoofed.
You would use those ranges intentionally... And that is exactly why I want to
filter them at my border routers, and/or configure SNORT to detect
traffic to/from such IP addresses, since they are not supposed to be there...
When I do penetration testing and I use spoofed source addresses, I tend
to use legitimate (i.e. existing) IP addresses as spoofed source addresses,
so that an IDS (or border router or whatever) won't trip on the 'strange'
IP source addresses.
I haven't checked, but if you download one of the available SYN flooders
(or similar), will they use:
1. Completely random source IP addresses (0.0.0.0 - 255.255.255.255)
or;
2. Random 'normal' source IP addresses (all but those listed in my
previous post)
My guess is number 1; meaning that loads of the IP packets will
have a source IP within the IP blocks from my previous post, which
again will (or should) be blocked by properly configured egress
filtering (outgoing DoS), and at the other end also be blocked/dropped/
trip off alarms because of the IP address being within one of the
many 'reserved' IP blocks.
- Per
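An added example, not part of the thread, of the reserved-source check Fyodor and Per discuss, written in Python: the block list is only the set named in this thread (0.0.0.0, loopback, internal RFC 1918 space, multicast, local broadcast), not the full SANS/IANA list, and the function names, the sample addresses and the 203.0.113.0/24 "own prefix" are constructed here. `reserved_fraction` answers Per's guess about option 1 numerically: how much of a uniformly random source space these blocks alone would catch.

```python
import ipaddress

# Blocks named in the thread: 0.0.0.0, loopback, internal (RFC 1918)
# space, multicast, local broadcast. Illustrative, not the full list.
RESERVED_BLOCKS = {
    "zero-net": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "rfc1918-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192": ipaddress.ip_network("192.168.0.0/16"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "broadcast": ipaddress.ip_network("255.255.255.255/32"),
}

def classify_source(src, internal_nets=()):
    """Reason to drop a packet with source src seen on the external
    interface, or None if it looks routable. internal_nets are the
    site's own prefixes: a packet from outside claiming one of them
    as its source is spoofed (Fyodor's point about interfaces)."""
    addr = ipaddress.ip_address(src)
    for name, net in RESERVED_BLOCKS.items():
        if addr in net:
            return name
    for net in internal_nets:
        if addr in ipaddress.ip_network(net):
            return "own-prefix-from-outside"
    return None

def reserved_fraction():
    """Share of IPv4 space covered by RESERVED_BLOCKS: the share of
    uniformly random spoofed sources (Per's option 1) that this
    filter alone drops. The blocks do not overlap, so a sum is exact."""
    covered = sum(net.num_addresses for net in RESERVED_BLOCKS.values())
    return covered / 2 ** 32

def filter_sample(sources, internal_nets=()):
    """Split logged sources into (dropped, passed) lists of (address, reason)."""
    dropped, passed = [], []
    for src in sources:
        reason = classify_source(src, internal_nets)
        (dropped if reason else passed).append((src, reason))
    return dropped, passed

if __name__ == "__main__":
    # Constructed sample of sources as a hub-tapped sensor might log them.
    sample = ["0.0.0.0", "127.0.0.1", "10.1.2.3", "224.0.0.5", "8.8.8.8", "203.0.113.7"]
    dropped, passed = filter_sample(sample, ["203.0.113.0/24"])
    print(len(dropped), "dropped,", len(passed), "passed;",
          f"{reserved_fraction():.1%} of IPv4 reserved here")
```

The fraction comes out near 7.4%, which is the caveat a practitioner wants: against fully random spoofed sources, reserved-range filtering drops only a small slice, so it is a sanity filter and alarm trigger rather than a flood defence on its own.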