Tracking spoofed IPs possible?

Tracking spoofed IPs possible?

Post by Walter Franci » Fri, 19 Nov 1999 04:00:00



I have been getting more and more spoofed IPs hitting my firewall
recently, and I'd like to be able to figure out where they are coming
from.  Is this possible?  

It seems that when I do a snoop for that specific IP nothing comes
through, so that tells me that the spoofing isn't fooling snoop, so
surely there are other clues in the headers.  Next time I find someone
portscanning me from a spoofed IP I'll have to shut down anything doing
network traffic and do tcpdump.

BTW, such IPs are like 10.10.12.225 and 172.31.0.125, I'm assuming both
are invalid.

BTW, what would happen if someone spoofed a 'localnet' IP, such as
192.168.0.x?  I have my other computer connected over a PPP link, it's
kinda scary to think if someone could just spoof that IP and get through
my firewall.

--
Walter Francis
http://wally.hplx.org                      Powered by RedHat 6.0


Tracking spoofed IPs possible?

Post by Wally Whacke » Fri, 19 Nov 1999 04:00:00



> I have been getting more and more spoofed IPs hitting my firewall
> recently, and I'd like to be able to figure out where they are coming
> from.  Is this possible?  

You have to sucker the person into actually completing a TCP
connection and THEN you'll have a valid address.

> BTW, what would happen if someone spoofed a 'localnet' IP, such as
> 192.168.0.x?  I have my other computer connected over a PPP link, it's
> kinda scary to think if someone could just spoof that IP and get through
> my firewall.

If your firewall has a rule that allows packets with source
192.168.*.* to pass then that is exactly what will happen. Their
packets will get through but they won't get any response since there
is no way to return a response. The only thing I know it's useful for
is a denial of service attack.

Wally

--
http://hackerwhacker.com, The NO WAIT Security Scan. Security sites
that have changed in the last 6 hours:
http://www.attrition.org/mirror/attrition/
http://www.wiretrip.net/rfp/1/index.asp http://zdnet.com


Tracking spoofed IPs possible?

Post by Peter Tod » Fri, 19 Nov 1999 04:00:00


> BTW, what would happen if someone spoofed a 'localnet' IP, such as
> 192.168.0.x?  I have my other computer connected over a PPP link, it's
> kinda scary to think if someone could just spoof that IP and get through
> my firewall.

You should block/allow packets by interface, not source or
destination address. It's easy to fake the address, impossible to
fake the interface.

Tracking spoofed IPs possible?

Post by Tim McCloske » Fri, 19 Nov 1999 04:00:00



> I have been getting more and more spoofed IPs hitting my firewall
> recently,

Is it not possible to prevent this using something
along the lines of:

####
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo -n "spoof this......." # or something...
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
  done
  echo "the dishes are done...."
else
  echo "little blue guy alert...somethings broken"
  echo "hit ctrl-d to exit.... "
  echo
  /sbin/sulogin $CONSOLE
fi
####

This is suggested in the ipchains documentation (see
URL below) and seems to work fine but since I'm
not too well versed in this area, someone will likely
correct me if this is not correct.

Regards,

Tim

see: http://www.rustcorp.com/linux/ipchains/HOWTO-5.html#ss5.7


Tracking spoofed IPs possible?

Post by Kenneth Crud » Fri, 19 Nov 1999 04:00:00



>BTW, what would happen if someone spoofed a 'localnet' IP, such as
>192.168.0.x?  I have my other computer connected over a PPP link, it's
>kinda scary to think if someone could just spoof that IP and get through
>my firewall.

If you're running 2.2.12 or higher (probably a few iters lower, too), you
can do this, taken from my "ipchains" rc code:

--
        # turn on Source Address Verification and get
        # spoof protection on all current and future interfaces.

        rp_filter=0
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            rp_filter=1
            echo -n "Setting up IP spoofing protection..."
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 2 > $f
            done
            echo "done."
        fi
--

        -Kenny

--
Kenneth R. Crudup   Sr. SW Engineer, Scott County Consulting, Washington, D.C.
Home1: 8051 Newell St. #914     Silver Spring, MD 20910-0914    (301) 562-1922
Home2: 38010 Village Cmn. #217  Fremont, CA 94536-7525          (510) 745-8181
Work:  19420 Homestead Road     Cupertino, CA 95014-0606        (408) 447-6654


Tracking spoofed IPs possible?

Post by Walter Franci » Sat, 20 Nov 1999 04:00:00



> If you're running 2.2.12 or higher (probably a few iters lower, too), you
> can do this, taken from my "ipchains" rc code:

> --
>         # turn on Source Address Verification and get
>         # spoof protection on all current and future interfaces.

Funny thing is, this *is* in my firewall script.  Although, mine echoes 1
rather than 2.

Again, today I got some apparently spoofed IPs entering the box,
10.10.12.226 (ports 1881 and 1906) and 172.31.0.124 (ports 1433 and
1438) again.  I imagine they are probably from the same source as it
seems I get scans from them on a daily basis.

I need to look into one of the packages that track IPs, so I can keep
track of what each IP is attempting to do to my machine.  Any
suggestions?

--
Walter Francis
http://wally.hplx.org                      Powered by RedHat 6.0


Tracking spoofed IPs possible?

Post by Raphael Manki » Sat, 20 Nov 1999 04:00:00


: I have been getting more and more spoofed IPs hitting my firewall
: recently, and I'd like to be able to figure out where they are coming
: from.  Is this possible?  

: It seems that when I do a snoop for that specific IP nothing comes
: through, so that tells me that the spoofing isn't fooling snoop, so
: surely there are other clues in the headers.  Next time I find someone
: portscanning me from a spoofed IP I'll have to shut down anything doing
: network traffic and do tcpdump.

: BTW, such IPs are like 10.10.12.225 and 172.31.0.125, I'm assuming both
: are invalid.

10.x.x.x is a private range. You should have it blocked off, unless
you are using it internally. 172.16.x.x is also private. 172.31.x.x
is real.

In any case, as has already been pointed out, unless you accept
source routing, there is no way of sending a reply to a spoofed
address.

--
               Politics: The conduct of public affairs for private advantage
                        Ambrose Bierce
Raphael Mankin


Tracking spoofed IPs possible?

Post by Theo v. Werkhov » Sun, 21 Nov 1999 04:00:00


The carbon-based lifeform Raphael Mankin inspired comp.os.linux.security with:


>: I have been getting more and more spoofed IPs hitting my firewall
>: recently, and I'd like to be able to figure out where they are coming
>: from.  Is this possible?  

>: It seems that when I do a snoop for that specific IP nothing comes
>: through, so that tells me that the spoofing isn't fooling snoop, so
>: surely there are other clues in the headers.  Next time I find someone
>: portscanning me from a spoofed IP I'll have to shut down anything doing
>: network traffic and do tcpdump.

>: BTW, such IPs are like 10.10.12.225 and 172.31.0.125, I'm assuming both
>: are invalid.

>10.x.x.x is a private range. You should have it blocked off, unless
>youare using it itnernally. 172.16.x.x is also private. 172.31.x.x
>is real.

I think not. The private Class-B range is 172.16.x.x/12 (172.16.x.x ..
172.240.x.x ), which makes 172.31.x.x private.

Theo
--
Theo van Werkhoven     PE1CCG      S.u.S.E Linux       Voorhout

"Two of the most famous products of Berkeley are LSD and BSD.
I don't think that this is a coincidence" --Anonymous
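Pulling together Peter Todd's advice to filter by interface, the rp_filter snippets Tim and Kenny posted, and the private-range question Raphael and Theo are arguing over, here is an added Python model of those checks (example code, not anything from the thread). The interface names and the two-entry routing table are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table for this example: interface -> networks routed through it.
# ppp0 is the internal link to the other box, eth0 carries the default route.
ROUTES = {
    "ppp0": [ipaddress.ip_network("192.168.0.0/24")],
    "eth0": [ipaddress.ip_network("0.0.0.0/0")],
}
EXTERNAL_IFACE = "eth0"


def is_private(src):
    """True if src (string or address object) falls inside one of the RFC 1918 blocks."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in PRIVATE)


def reverse_path_ok(src, iface):
    """Emulate rp_filter: accept only if the longest-prefix route back to the
    source address leaves through the interface the packet arrived on."""
    best = None
    for ifname, nets in ROUTES.items():
        for net in nets:
            if src in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (ifname, net)
    return best is not None and best[0] == iface


def decide(src, iface):
    """Return 'DROP' or 'ACCEPT' for a packet with source src arriving on iface."""
    src = ipaddress.ip_address(src)
    # A private source address has no business arriving from the internet side.
    if iface == EXTERNAL_IFACE and is_private(src):
        return "DROP"
    # A source that would not be routed back out the same interface is spoofed;
    # this is the check that turning on rp_filter enables in the kernel.
    if not reverse_path_ok(src, iface):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    for src, iface in (("10.10.12.225", "eth0"), ("172.31.0.125", "eth0"),
                       ("192.168.0.2", "eth0"), ("192.168.0.2", "ppp0"), ("1.2.3.4", "ppp0")):
        print(src, iface, decide(src, iface))
```

Both addresses from the original post are dropped on the external interface, and the 192.168.0.x spoof only gets through if it arrives on ppp0, which is the interface-based rule Peter describes.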


Tracking spoofed IPs possible?

Post by nosp.. » Tue, 23 Nov 1999 04:00:00


On 18 Nov 1999 04:02:50 -0800, Wally Whacker
-snip-

>If your firewall has a rule that allows packets with source
>192.168.*.* to pass then that is exactly what will happen. Their
>packets will get through but they won't get any response since there
>is no way to return a response. The only thing I know it's useful for
>is a denial of service attack.

>Wally

Actually, it depends on how far into the network the routers
will recognize the address as valid. If your backbone provider
does not block private network blocks, and you have a
"neighbor" who is also permitting private block IP's through
their firewall or router,  it is certainly possible to open a
connection with private IP's between the two networks.

Steve Kinkaid


Tracking spoofed IPs possible?

Post by lora » Wed, 24 Nov 1999 04:00:00


: I have been getting more and more spoofed IPs hitting my firewall
: recently, and I'd like to be able to figure out where they are coming
: from.  Is this possible?  

: It seems that when I do a snoop for that specific IP nothing comes
: through, so that tells me that the spoofing isn't fooling snoop, so
: surely there are other clues in the headers.  Next time I find someone
: portscanning me from a spoofed IP I'll have to shut down anything doing
: network traffic and do tcpdump.

: BTW, such IPs are like 10.10.12.225 and 172.31.0.125, I'm assuming both
: are invalid.

: BTW, what would happen if someone spoofed a 'localnet' IP, such as
: 192.168.0.x?  I have my other computer connected over a PPP link, it's
: kinda scary to think if someone could just spoof that IP and get through
: my firewall.

: --
: Walter Francis
: http://wally.hplx.org                      Powered by RedHat 6.0

172.31.0.125 is not a spoofed IP; it actually contains the reverse lookups
for the invalid internet IP ranges (172.16, 10, 192.168). You have something
trying to do a reverse lookup on your 192.168 and it is going external.


Tracking spoofed IPs possible?

Post by Walter Franci » Wed, 24 Nov 1999 04:00:00



> 172.31.0.125 is not a spoofed IP, it actually contains the reverse lookups
> for the invalid internet IP ranges (172.16, 10, 192.168)  You have something
> trying to do a reverse lookup on your 192.168 and it is going external

erm, I've been on the net and using TCP/IP for some years, but I've
never gotten deep into the actual workings of it..  Could you explain
this to me in more detail?

Does this mean someone is looking for 192.168.x.x machines on my local
net, or that something on my local net is doing something funky?  I have
ppp0 connecting my Linux and Amiga boxes, and the only thing that should
be using the net on the Amiga is my rc5 client.

Thanks!

--
Walter Francis
http://wally.hplx.net                      Powered by RedHat 6.0


Tracking spoofed IPs possible?

Post by Wally Whacke » Wed, 24 Nov 1999 04:00:00



> On 18 Nov 1999 04:02:50 -0800, Wally Whacker

> -snip-

> >If your firewall has a rule that allows packets with source
> >192.168.*.* to pass then that is exactly what will happen. Their
> >packets will get through but they won't get any response since there
> >is no way to return a response. The only thing I know it's useful for
> >is a denial of service attack.

> >Wally

> Actually, it depends on how far into the network the routers
> will recognize the address as valid. If your backbone provider
> does not block private network blocks, and you have a
> "neighbor" who is also permitting private block IP's through
> their firewall or router,  it is certainly possible to open a
> connection with private IP's between the two networks.

> Steve Kinkaid

Good point.

Wally
--
http://hackerwhacker.com, The NO WAIT Security Scan. Security sites
that have changed in the last 6 hours:
http://www.attrition.org/mirror/attrition/
http://www.wiretrip.net/rfp/1/index.asp


IP-Spoofing / MAC-Address Spoofing / arp requests

Hello All..

I got something very strange today. I could not determine where the trash
came from or why.
Our topology looks like localnet --- router --- "routernet" --- firewall
--- internet

The things I figured out were:
the packets below were not seen at the firewall or the routernet, but
when I unplugged the internet uplink the "scan" stopped.
I figured out the MAC address of the IP 13.10.15.10, but the MAC address
was from a computer in the localnet with a "normal" non-routable DHCP
IP. No strange programs were running there.

I noticed the whole thing because of a heavy traffic load on our network
equipment. With tcpdump I caught the packets. It looked to me like a
scan of our net. The scan began at 7.0.0.0 and went until 10.0.x.x, and then the
whole thing stopped.

...
13:07:32.623597 eth0 M arp who-has 9.254.46.40 tell 13.10.15.10
13:07:32.623665 eth0 M arp who-has 9.254.46.41 tell 13.10.15.10
13:07:32.623734 eth0 M arp who-has 9.254.46.42 tell 13.10.15.10
13:07:32.623801 eth0 M arp who-has 9.254.46.43 tell 13.10.15.10
13:07:32.623869 eth0 M arp who-has 9.254.46.44 tell 13.10.15.10
13:07:32.623937 eth0 M arp who-has 9.254.46.45 tell 13.10.15.10
...

Our firewall didn't recognize anything; I've set it up with very
restrictive ipchains and am doing logging with snort/logchecker. During active
attacks the source IPs were blocked for an amount of time.

With our old firewall we had a break-in with IP spoofing; after that we
changed to better hardware and other firewall concepts.

Has anyone any idea what that was? Has anyone seen something like that?
Is there any information about MAC address spoofing on the web?

thanks for your response,

greetings

michi
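The tcpdump lines above are the kind of thing you can pick out automatically: a sender announcing an address that is not on the local subnet, and walking through consecutive off-net targets. Here is an added Python detector for that pattern (example code, not michi's or anyone else's from the thread). The local subnet and the sample capture are constructed; the sample is modelled on the lines in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed local subnet for this example (constructed).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Matches old Linux tcpdump ARP lines such as
#   13:07:32.623597 eth0 M arp who-has 9.254.46.40 tell 13.10.15.10
ARP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?:\S\s+)?arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)

# Constructed sample capture: a sweep from an off-net sender plus one normal request.
SAMPLE = """\
13:07:32.623597 eth0 M arp who-has 9.254.46.40 tell 13.10.15.10
13:07:32.623665 eth0 M arp who-has 9.254.46.41 tell 13.10.15.10
13:07:32.623734 eth0 M arp who-has 9.254.46.42 tell 13.10.15.10
13:07:32.623801 eth0 M arp who-has 9.254.46.43 tell 13.10.15.10
13:07:33.100000 eth0 M arp who-has 192.168.1.7 tell 192.168.1.20
"""


def parse_arp(text):
    """Yield (timestamp, target, sender) for every ARP request line that matches."""
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            yield (m.group("ts"), ipaddress.ip_address(m.group("target")),
                   ipaddress.ip_address(m.group("sender")))


def analyse(text, local_net=LOCAL_NET, sweep_threshold=3):
    """Return {sender: [reasons]} for senders that look spoofed or are sweeping."""
    targets = defaultdict(set)
    for _ts, target, sender in parse_arp(text):
        targets[sender].add(target)
    findings = {}
    for sender, seen in targets.items():
        reasons = []
        if sender not in local_net:
            reasons.append("sender address is not on the local subnet")
        off_net = [t for t in seen if t not in local_net]
        if len(seen) >= sweep_threshold and off_net:
            reasons.append(f"arp sweep: {len(seen)} targets, {len(off_net)} off-net")
        if reasons:
            findings[str(sender)] = reasons
    return findings


if __name__ == "__main__":
    for sender, reasons in analyse(SAMPLE).items():
        print(sender, "->", "; ".join(reasons))
```

Run over a real capture, the sweep reasons point you at the MAC behind the sender, which is the same step michi took by hand.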
