Here are a number of speculative situations where spoofing packets from 0.0.0.0 would be useful to an attacker:

- Finding hosts on a local subnet with a different default route via another interface, like a VPN. (The machines that don't respond are either filtering the port, or sending the response out the other interface.)
- Finding really old machines that respond to this as a broadcast.
- Making the machines send ACKs or ICMP port unreachable messages to their routers. (Send a SYN, get an ICMP message in reply; kind of a DoS, albeit sort of a limited one.)
- A passive spoofed portscan with the attacker on the local segment watching the response packets go out to the default router.
- I also wonder if these packets get routed by routing gear, and if not, do they send ICMP packets back, and if so, where do they send them?

Here is some handwavy speculation, but it might be kinda cool. If a host responds to the SYN packet sourced from 0.0.0.0 with an ACK, it goes to the router either with the destination IP address rewritten with the default route address of the host, or preserved as 0.0.0.0. The router could either forward it until it hits something without a default route or its TTL expires, or send back an unreachable message to the host, which would indicate to a listening attacker whether default routing was in use, or if traffic was taking a different path down the road.

That's interesting. I bet you could use this to detect if traffic from a local host was taking a different route to the Internet. That's pretty handy if you want to see if your traffic is getting re-routed or, worse, re-directed through a tunnel.

What happens is that while you are on a host on the subnet, you spoof a SYN from 0.0.0.0 to an adjacent host (a.a.a.a). a.a.a.a responds with an ACK to 0.0.0.0, which is its default router, but with a legitimate source. If the router forwards it as 0.0.0.0, any router that drops it will send an unreachable ICMP back to a.a.a.a.
You watch that ICMP message go by and decide whether it came from a legitimate router. However, let's say traffic from that host is getting re-routed: if the device handling the redirected traffic receives the ACK from a.a.a.a, it should either drop the packet and send an ICMP unreachable, or send an RST if it has services open on it.

It's all a very round-about way of doing things, but at least there are some reasons why one could imagine these packets as being hostile.

Cheers,

On Wed, 6 Nov 2002, Nexus wrote:

:Date: Wed, 6 Nov 2002 23:53:10 -0000
:From: Nexus <nexusat_private-way.co.uk>
:To: Frank Cheong <chocobofrankat_private>,
:    Paul Gillingwater <paulat_private>
:Cc: incidentsat_private
:Subject: Re: Ip spoof from 0.0.0.0
:
:
:----- Original Message -----
:From: "Paul Gillingwater" <paulat_private>
:To: "Frank Cheong" <chocobofrankat_private>
:Cc: <incidentsat_private>
:Sent: Wednesday, November 06, 2002 7:08 PM
:Subject: Re: Ip spoof from 0.0.0.0
:
:[snip]
:> your router, not the remote attacker. The best you could do is ask your
:> upstream ISP to filter outgoing traffic to drop IP packets with invalid
:> source addresses like 0.0.0.0.
:[snip]
:
:Good advice, also good luck ;-)
:Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
:through ISP's - quite scary how far you get sometimes before somebody with
:clue > 0 has been at the router configs and it gets dropped...
:
:Cheers.
:
:
:----------------------------------------------------------------------------
:This list is provided by the SecurityFocus ARIS analyzer service.
:For more information on this free incident handling, management
:and tracking system please see: http://aris.securityfocus.com
:

--
batz
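The following Python is an added, stand-alone example, not part of batz's post or of the list archive. It crafts the probe batz describes (a TCP SYN whose IP source is 0.0.0.0, aimed at a neighbour standing in for a.a.a.a) with correct IP and TCP checksums, and then runs the ingress check Paul Gillingwater and Nexus discuss: a decoder that flags packets whose source lies in 0.0.0.0/8, RFC 1918 space, or other ranges that should never source traffic arriving from the Internet. The bogon list, the documentation addresses 192.0.2.10 and 198.51.100.7, and the sample packets are all constructed here for illustration. The code only builds and inspects bytes; it never sends anything, so it runs without raw-socket privileges.

```python
import ipaddress
import struct

# Assumed filter set for the ingress check: sources that must not appear on
# traffic coming in from the Internet. 0.0.0.0/8 covers the spoof in the thread.
BOGON_SOURCES = [
    (ipaddress.ip_network("0.0.0.0/8"), "0.0.0.0/8 (this network)"),
    (ipaddress.ip_network("10.0.0.0/8"), "10.0.0.0/8 (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "172.16.0.0/12 (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "192.168.0.0/16 (RFC 1918)"),
    (ipaddress.ip_network("127.0.0.0/8"), "127.0.0.0/8 (loopback)"),
    (ipaddress.ip_network("169.254.0.0/16"), "169.254.0.0/16 (link-local)"),
    (ipaddress.ip_network("224.0.0.0/4"), "224.0.0.0/4 (multicast)"),
    (ipaddress.ip_network("240.0.0.0/4"), "240.0.0.0/4 (IANA reserved)"),
]


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """Craft a bare IPv4/TCP SYN (no options, no payload) from an arbitrary source, e.g. 0.0.0.0."""
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 6, the TCP header; verify both checksums."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    info = {
        "src": str(ipaddress.ip_address(packet[12:16])),
        "dst": str(ipaddress.ip_address(packet[16:20])),
        "proto": proto,
        "ip_checksum_ok": checksum(packet[:ihl]) == 0,
        "tcp": None,
    }
    if proto == 6 and total_len >= ihl + 20:
        seg = packet[ihl:total_len]
        sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", seg[:14])
        pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(seg))
        info["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
                       "tcp_checksum_ok": checksum(pseudo + seg) == 0}
    return info


def classify_source(src: str):
    """Return the matching bogon range name if src should be filtered on ingress, else None."""
    addr = ipaddress.ip_address(src)
    for net, reason in BOGON_SOURCES:
        if addr in net:
            return reason
    return None


def audit_packets(packets):
    """Scan raw IPv4 packets; report (index, src, dst, dport, reason) for each bogon-sourced one."""
    findings = []
    for i, pkt in enumerate(packets):
        info = parse_ipv4(pkt)
        reason = classify_source(info["src"])
        if reason:
            dport = info["tcp"]["dport"] if info["tcp"] else None
            findings.append((i, info["src"], info["dst"], dport, reason))
    return findings


# Constructed sample traffic: the spoofed SYN from the thread, a SYN from an
# RFC 1918 source, and one legitimate SYN from a documentation address.
SAMPLE_PACKETS = [
    build_ipv4_tcp_syn("0.0.0.0", "192.0.2.10", 40000, 80),
    build_ipv4_tcp_syn("10.1.2.3", "192.0.2.10", 40001, 22),
    build_ipv4_tcp_syn("198.51.100.7", "192.0.2.10", 40002, 443),
]

if __name__ == "__main__":
    for finding in audit_packets(SAMPLE_PACKETS):
        print("packet %d: %s -> %s dport %s flagged: %s" % finding)
```

The ingress filter matches on the IP source only, which is the point of the thread: a SYN from 0.0.0.0 is well-formed down to its checksums, so nothing about the TCP layer will reject it, and the upstream filter has to act on the address itself.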
This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 18:58:06 PST