Deny IP spoof from 255.255.255.255

From: Curt Wilson (netw3at_private)
Date: Thu Jul 05 2001 - 14:58:24 PDT

Next message: gabriel rosenkoetter: "Re: Why would someone DoS a free-lance writer?"

Previous message: Akatosh: "Re: Interesting group of scans"
Next in thread: Vitaly Osipov: "Re: Deny IP spoof from 255.255.255.255"
Reply: Vitaly Osipov: "Re: Deny IP spoof from 255.255.255.255"
Reply: Crist Clark: "Re: Deny IP spoof from 255.255.255.255"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Our PIX has detected an IP spoof from 
255.255.255.255 to one of our servers. Research 
here on securityfocus reveals that some attackers 
have used this technique with a destination port 515 
(LPR) and source 31337 (eleet) in scanning 
attempts. You can read about this at on the firewalls 
list at 
http://www.securityfocus.com/archive/19/187958

Our PIX does not indicate source or destination ports 
perhaps because the "IP spoof" criteria was already 
triggered in its logic chain, denying the packet and 
making a syslog entry.

We don't have an IDS outside the firewall so I don't 
have any more packet details which makes it very 
hard to do proper analysis.

The only other references I've seen to something of 
this nature can be found in Dragos Ruiu's 
paper "Cautionary Tales: Stealth Coordinated Attack 
HOWTO" at 
http://www.dursec.com/articles/stealthhowto.html 
when talking about DSLAM infrastructure issues 
states:  "In easy cases, the equipment rack will 
bridge broadcast traffic between the "marshmallow" 
and the target, allowing use of address resolution 
traffic such as ARP and DHCP to be used for system 
attacks and control. For stealth, these kinds of attack 
bases are excellent too, because the broadcast 
traffic is largely repetitive, very voluminous, and 
mostly uninteresting, which, combined with a great 
immaturity among the security tools for this kind of 
traffic, make it a ripe vulnerability area" 

This quote is of interest because the server in 
question uses DSL.

Another reference to traffic of this nature can be 
found in the excellent paper "A stateful inspection of 
Firewall-1" by Dug Song, Thomas Lopatic and  John 
McDonald at 
http://www.dataprotect.com/bh2000/blackhat-
fw1.html which states "Another possibility for evading 
IP spoofing protection is to use the all-hosts multicast 
address (224.0.0.1) as a mechanism for delivering 
packets to the underlying operating system of the 
firewall. For our demonstration, we used FWZ 
encapsulation to spoof a packet from the multicast 
address to our attack host, allowing us to respond 
with a packet sent to the multicast address, passed 
on to the firewall itself. This attack can also be 
performed with broadcast addresses."

I realize that both of these references don't refer 
directly to such a packet but I am curious about these 
techniques. 

Thank you,
Curt Wilson
Netw3


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: gabriel rosenkoetter: "Re: Why would someone DoS a free-lance writer?"
Previous message: Akatosh: "Re: Interesting group of scans"
Next in thread: Vitaly Osipov: "Re: Deny IP spoof from 255.255.255.255"
Reply: Vitaly Osipov: "Re: Deny IP spoof from 255.255.255.255"
Reply: Crist Clark: "Re: Deny IP spoof from 255.255.255.255"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 07:57:45 PDT