Re: Destination address spoofing?

From: Pumpkinhead (XXXpeter_matulis@hotmail.comXXX)
Date: 05/18/02


From: XXXpeter_matulis@hotmail.comXXX (Pumpkinhead)
Date: Sat, 18 May 2002 04:05:38 GMT


>There is really nothing that makes the non-routeable addresses non-routeable,
>other than that they are reserved by IANA for private internets.

My understanding is that there is no (ISP) router connected to the
internet that will accept such packets and send them to the next hop.
So having a packet with the destination field forged as one of these
addresses will always fail (assuming my perimeter firewall allows it
to leave in the first place).

>The problem is that it seems most ISPs consider this kind of filtering the customers'
>problem, and most customers don't know what an IP address is. All filtering
>costs time and cpu power, something many ISPs don't want to spend.

Yes, I understand this.

>This is, as the url I provided tried to explain, a question of dropping
>traffic known to be unwanted, mainly in order to limit the use of these
>addresses in DoS and DDoS attacks. The problem with these addresses and such
>attacks is that they are frequently used as _source_ address. If someone
>gained control of a computer in your network and attempted such an attack
>on another computer, through your internet connection, he would have little
>success if your border router dropped these packets. When forced to use
>a real internet address as source, locating and shutting down DDoS agents
>gets _much_ easier.

Here we go again. Back to source address spoofing. I understand this
too. Thank you for your effort but this is not the subject of my
post.

>Where did you get the term 'destination address spoofing' from? It makes
>no sense to me. What kind of situations does it apply to? I might be missing
>your point completely (again?).

Exactly my point. It makes no sense to me either. That's why I'm
asking about it. I have read several docs that say that a network
should not let escape packets onto the internet that have as
*destination addresses* any of those in the private blocks.

One such doc is the IP Filter how-to. Notice how it employs the term
spoof when dealing with the egress filtering of those very same
private blocks:

=============================================
You can also make similar rules for the unroutable addresses. If some
machine tries to route a packet through IPF with a destination in
192.168.0.0/16, why not drop it? The worst that can happen is that
you'll spare yourself some bandwidth:

block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from !20.20.20.0/24 to any

In the narrowest viewpoint, this doesn't enhance your security. It
enhances everybody else's security, and that's a nice thing to do. As
another viewpoint, one might suppose that because nobody can send
spoofed packets from your site, that your site has less value as a
relay for crackers, and as such is less of a target.
=============================================

The actual text can be found here:

http://www.obfuscation.org/ipf/ipf-howto.html#TOC_12

Peter
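As an added illustration (not code from the post, the how-to, or IP Filter itself), here is a small evaluator that parses the IPF egress rules quoted above and classifies outbound packets the way the how-to describes: packets whose destination falls in a private, reserved, or multicast block are dropped, and so are packets whose source is not from the site's own block (20.20.20.0/24 is the how-to's placeholder for that). The rule-matching semantics modelled here are IPF's "last match wins unless quick", and the sample packets at the bottom are constructed, not taken from the thread.

```python
"""Added example: a toy evaluator for the IP Filter egress rules quoted in
the post. It is not the how-to's or IPF's own code; it only models how those
rules classify outbound packets on tun0."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rule set copied verbatim from the IP Filter how-to excerpt quoted above.
# 20.20.20.0/24 is the how-to's placeholder for the site's own address block.
IPF_RULES = """\
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from !20.20.20.0/24 to any
"""


@dataclass(frozen=True)
class Rule:
    action: str                            # "block" or "pass"
    direction: str                         # "in" or "out"
    iface: str                             # interface name, e.g. tun0
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    src_negated: bool                      # True when written as "!net"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dst_negated: bool
    quick: bool                            # stop evaluating at this match


def _parse_addr(token):
    """'any' -> (None, False); '!10.0.0.0/8' -> (network, True)."""
    if token == "any":
        return None, False
    negated = token.startswith("!")
    return ipaddress.IPv4Network(token.lstrip("!")), negated


def parse_rules(text):
    """Parse the subset of ipf.conf syntax used in the how-to excerpt."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        src, src_neg = _parse_addr(tok[tok.index("from") + 1])
        dst, dst_neg = _parse_addr(tok[tok.index("to") + 1])
        rules.append(Rule(tok[0], tok[1], tok[tok.index("on") + 1],
                          src, src_neg, dst, dst_neg, "quick" in tok))
    return rules


def _addr_matches(addr, net, negated):
    # "any" matches everything; "!net" inverts membership.
    if net is None:
        return True
    return (addr in net) != negated


def verdict(rules, direction, iface, src, dst):
    """IPF semantics: the last matching rule wins, unless a matching rule is
    'quick', in which case evaluation stops there. No match means pass."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    result = "pass"
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if (_addr_matches(src, r.src, r.src_negated)
                and _addr_matches(dst, r.dst, r.dst_negated)):
            result = r.action
            if r.quick:
                break
    return result


RULES = parse_rules(IPF_RULES)


def egress_verdict(src, dst):
    """Verdict for a packet leaving the site on tun0."""
    return verdict(RULES, "out", "tun0", src, dst)


if __name__ == "__main__":
    # Constructed sample packets (not traffic from the thread).
    samples = [
        ("20.20.20.5", "192.168.1.1"),   # site host -> private destination
        ("20.20.20.5", "198.51.100.7"),  # site host -> public destination
        ("10.1.1.1", "198.51.100.7"),    # source not from the site's block
        ("20.20.20.5", "230.1.2.3"),     # destination inside 224.0.0.0/3
    ]
    for s, d in samples:
        print(f"{s:>12} -> {d:<14} {egress_verdict(s, d)}")
```

The last rule is the source-address (anti-spoofing) filter the other poster was describing; the nine rules before it are the destination-address filter the post is asking about. Running the sample shows the two filters acting independently: a packet from a legitimate site address is still dropped when its destination is in a private block, and a packet to a legitimate public destination is still dropped when its source is not the site's own.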