Deny IP spoof from 255.255.255.255

From: Curt Wilson (netw3at_private)
Date: Thu Jul 05 2001 - 14:58:24 PDT


    Our PIX has detected an IP spoof from 255.255.255.255 to one of our servers. Research here on SecurityFocus reveals that some attackers have used this technique with a destination port 515 (LPR) and source 31337 (eleet) in scanning attempts. You can read about this on the firewalls list at http://www.securityfocus.com/archive/19/187958
    
    Our PIX does not indicate source or destination ports, perhaps because the "IP spoof" criterion was already triggered in its logic chain, denying the packet and making a syslog entry.
    
    We don't have an IDS outside the firewall, so I don't have any more packet details, which makes it very hard to do proper analysis.
    
    The only other reference I've seen to something of this nature can be found in Dragos Ruiu's paper "Cautionary Tales: Stealth Coordinated Attack HOWTO" at http://www.dursec.com/articles/stealthhowto.html which, when talking about DSLAM infrastructure issues, states: "In easy cases, the equipment rack will bridge broadcast traffic between the "marshmallow" and the target, allowing use of address resolution traffic such as ARP and DHCP to be used for system attacks and control. For stealth, these kinds of attack bases are excellent too, because the broadcast traffic is largely repetitive, very voluminous, and mostly uninteresting, which, combined with a great immaturity among the security tools for this kind of traffic, make it a ripe vulnerability area."
    
    This quote is of interest because the server in question uses DSL.
    
    Another reference to traffic of this nature can be found in the excellent paper "A stateful inspection of Firewall-1" by Dug Song, Thomas Lopatic and John McDonald at http://www.dataprotect.com/bh2000/blackhat-fw1.html which states: "Another possibility for evading IP spoofing protection is to use the all-hosts multicast address (224.0.0.1) as a mechanism for delivering packets to the underlying operating system of the firewall. For our demonstration, we used FWZ encapsulation to spoof a packet from the multicast address to our attack host, allowing us to respond with a packet sent to the multicast address, passed on to the firewall itself. This attack can also be performed with broadcast addresses."
    
    I realize that neither of these references refers directly to such a packet, but I am curious about these techniques.
    
    Thank you,
    Curt Wilson
    Netw3
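    The post above only has the PIX verdict to go on, without ports. As an added example (not from the post or from Cisco), here is a small defender-side classifier for flow records that flags source addresses which can never legitimately originate an inbound packet (the limited broadcast 255.255.255.255 the PIX saw, the 224.0.0.0/4 multicast range including 224.0.0.1 from the Firewall-1 paper, and the protected subnet's own directed broadcast) and separately tags the 515/31337 LPR-scan pattern the post mentions. The Flow records, the reserved-range list and the sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Source addresses that can never legitimately originate a unicast packet
# arriving from outside. Constructed list for this example.
INVALID_SOURCE_NETS = [
    ipaddress.ip_network("255.255.255.255/32"),  # limited broadcast (the PIX event)
    ipaddress.ip_network("224.0.0.0/4"),         # multicast, incl. all-hosts 224.0.0.1
    ipaddress.ip_network("0.0.0.0/8"),           # "this" network
    ipaddress.ip_network("127.0.0.0/8"),         # loopback
]

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

def is_invalid_source(addr, local_bcast=None):
    """True if addr can never be a legitimate external source address."""
    ip = ipaddress.ip_address(addr)
    if local_bcast and ip == ipaddress.ip_address(local_bcast):
        return True  # the protected subnet's own directed broadcast
    return any(ip in net for net in INVALID_SOURCE_NETS)

def classify(flow, local_bcast=None):
    """Return 'ok', 'spoofed-source', or the LPR-scan tag from the post."""
    if not is_invalid_source(flow.src, local_bcast):
        return "ok"
    # The pattern the post describes: spoofed broadcast source,
    # LPR (515) destination, source port 31337.
    if flow.dport == 515 and flow.sport == 31337:
        return "spoofed-source:lpr-scan-signature"
    return "spoofed-source"

# Constructed sample flows (TEST-NET addresses, not real hosts)
SAMPLE = [
    Flow("255.255.255.255", 31337, "192.0.2.10", 515),
    Flow("224.0.0.1", 1024, "192.0.2.10", 80),
    Flow("198.51.100.7", 40000, "192.0.2.10", 22),
    Flow("192.0.2.255", 53, "192.0.2.10", 53),
]

def run(flows=SAMPLE, local_bcast="192.0.2.255"):
    return [(f.src, classify(f, local_bcast)) for f in flows]

if __name__ == "__main__":
    for src, verdict in run():
        print(f"{src:16} {verdict}")
```

    Pass the protected subnet's directed-broadcast address as local_bcast; without it the last sample flow is treated as an ordinary unicast source.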
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see:
    
    http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 07:57:45 PDT