Re: spoofed packets to RFC 1918 addresses

From: Daniel Polombo (polombo@cartel-securite.fr)
Date: 06/27/02

• Previous message: Cliff Albert: "Re: Someone looking for CodeRed infected boxes ?"
• In reply to: Dirk Koopman: "spoofed packets to RFC 1918 addresses"
• Next in thread: jon schatz: "Re: spoofed packets to RFC 1918 addresses"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 27 Jun 2002 08:42:08 +0200
From: Daniel Polombo <polombo@cartel-securite.fr>
To: Dirk Koopman <djk@tobit.co.uk>

Dirk Koopman wrote:

> a) how the attackers are able to "guess" correct (ie existing) rfc1918
> addresses as, AFAIK, these are not being leaked thru the firewall.

There are at least two possibilies that spring to mind :

- if you are using a web proxy for your protected network(s), the proxy
may be adding an X-Forwarded-For field containing the rfc1918 address.
Other protocols might provide the same kind of information as well.

- in some cases, the firewall may leak information about the protected
network if there is some DNAT set up (and in particular, the recent
advisory named "Linux Netfilter NAT/ICMP code information leak" by
Philippe Biondi).

> b) how these packets are getting to me in the first place as they don't
> seem to be source routed.

That's the real catch. I think a number ISPs don't filter rfc1918
addresses within their domains, letting BGP4 make sure they don't get
routed outside instead. So, theoretically, a spoofed packet could make
its way to a target not too far away (eg, within the same AS).

I don't know of any automated tools who would do that, but building one
using antirez's hping, for instance, shouldn't be too hard.

HTH,

   Daniel.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Cliff Albert: "Re: Someone looking for CodeRed infected boxes ?"
• In reply to: Dirk Koopman: "spoofed packets to RFC 1918 addresses"
• Next in thread: jon schatz: "Re: spoofed packets to RFC 1918 addresses"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Excluding internal IPs from being proxied ... This log entry says that since I do not have firewall policy that allows web ... the request is denied. ... *correctly* treats the request as being destined to the internal network, ... The point is the request should *never* be processed by web proxy ... (microsoft.public.isa) Re: VT: Michelle Gardner-Quinn body found ... large scratch across his neck; ... I would try an web proxy to open the site or even opening with another ... I do have a firewall I have to disable on ... and the NYTimes cw puzzle was free and in adobe acrobat. ... (alt.true-crime) Re: Undo the Allow VP Client Connections Wizard ... Also the firewall and web proxy services were consuming double digit ... Everything started working again and processor time was back ... or started prior to running the "Allow VPN Client Connections Wizard". ... (microsoft.public.isa) Re: SSL-Tunnel blocked? ... My guess is that something is being attempted that the Web Proxy Service ... My suggestion is to install the Firewall Client on the Workstation. ... the net into Powerpoint, ISA blocks the request, the output is shown ... I am guessing that since ISA cannot look at the traffic inside ... (microsoft.public.isa) Re: logging question (isa format) ... If your Access Rule contains a "Client Address Set", ... Access Rules for Web Proxy and Firewall Client do not use Client Address ... (microsoft.public.isa)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-06