Like I was saying. Check out Michael Martin's article for source route filtering:
http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci851604,00.html

-----Original Message-----
From: Onsite West Houston [mailto:onsiteat_private]
Sent: Saturday, November 09, 2002 1:25 AM
To: incidentsat_private; security-basics
Cc: 'Jason Robertson'
Subject: RE: Ip spoof from 0.0.0.0

This is the first I heard of anybody maintaining a "bogus IP" list, and on the surface it seems like it ought to be quite worthwhile. So I went and checked out the site. Perhaps I'm missing something, but as I look at the site, what I see are:

(a) A list of most of the Class A addresses -- 75 of the 126 possible. It would seem easier to identify those Class A networks that are live, most of them likely to be large ISPs, and expressly permit those networks, rather than try to block a list of 75 -- the list of 51 issued blocks can be consolidated into 13 CIDR table entries. The aggregated list of blocked networks requires 23 CIDR entries. Also, it would appear that this list does not include NAT/firewalled networks, which /also/ should never originate any inbound traffic.

(b) No Class B addresses -- of course all of them have been issued, but many of them are buried behind firewalls, and some of them were never actually connected to the Internet -- issued before commercial access was possible.

(c) These few Class C blocks -- and except for the first one, they are probably short-lived on the list, as they're sure to be issued to somebody pretty quickly.

192.0.2.0/24
197.0.0.0/8
198.18.0.0/15
201.0.0.0/8

The remainder of those listed are the IANA private networks:

169.254.0.0/16
172.16.0.0/12
192.168.0.0/16

and the loopback network 127.0.0.0/8 -- which I'm not sure should ever be configured to be ignored, as it would be somewhat difficult to ping your own loopback.

So.. with the list as short as it is ... I fear I'm missing the point of publishing and maintaining the list.

As I understand it, the purpose of the list is to identify networks that traffic should /never/ originate from. But from a security perspective, the list is definitely incomplete, as it appears to not consider issued but never-to-be-connected blocks of addresses, such as those behind NAT/firewalls or never connected at all. It would seem those networks are the most likely to be source addresses used for spoofing attacks, rather than those known to not be issued.

Somebody please enlighten me if I've missed something significant.

Thanks!

_________________________________________
Lawrence Garvin
Principal/CEO
Onsite West Houston
http://onsite.eforest.net
ICQ#: 38440195
_________________________________________

-----Original Message-----
From: Jason Robertson [mailto:jasonat_private]
Sent: Thursday, November 07, 2002 9:17 PM
To: Nexus; incidentsat_private
Cc: incidentsat_private
Subject: Re: Ip spoof from 0.0.0.0

For all of you who want the list of bogus IP's:
http://www.cymru.com/Documents/bogon-list.html

As for 0.0.0.0, it is used for DHCP, but it shouldn't go beyond your gateway, or anyone else's. Also the addressing is usually 0.0.0.0 -> 255.255.255.255 67. At least on our network at work...

On 6 Nov 2002 at 23:53, Nexus wrote:

From: "Nexus" <nexusat_private-way.co.uk>
To: "Frank Cheong" <chocobofrankat_private>, "Paul Gillingwater" <paulat_private>
Copies to: <incidentsat_private>
Subject: Re: Ip spoof from 0.0.0.0
Date sent: Wed, 6 Nov 2002 23:53:10 -0000

>
> ----- Original Message -----
> From: "Paul Gillingwater" <paulat_private>
> To: "Frank Cheong" <chocobofrankat_private>
> Cc: <incidentsat_private>
> Sent: Wednesday, November 06, 2002 7:08 PM
> Subject: Re: Ip spoof from 0.0.0.0
>
> [snip]
> > your router, not the remote attacker. The best you could do is ask your
> > upstream ISP to filter outgoing traffic to drop IP packets with invalid
> > source addresses like 0.0.0.0.
> [snip]
>
> Good advice, also good luck ;-)
> Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
> through ISP's - quite scary how far you get sometimes before somebody with
> clue > 0 has been at the router configs and it gets dropped...
>
> Cheers.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

--
Jason Robertson
Now at the National Research Council.
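An added example, not code from any of the posters, that does the two things the thread circles around: collapsing a prefix list into the fewest CIDR entries (the consolidation Lawrence's 51-to-13 figure describes) and applying the quoted bogon and private prefixes as an ingress filter on the outside interface only, so a DHCP client sourcing from 0.0.0.0 on the LAN side (Jason's point) is untouched. The log lines, interface names and the 0.0.0.0/8 and 10.0.0.0/8 entries are my assumptions.

```python
import ipaddress
import re

# Prefixes quoted in the thread (the 2002 bogon page excerpts plus the
# private and loopback ranges). 0.0.0.0/8 and 10.0.0.0/8 are my additions:
# 0.0.0.0 is the address the thread is about, 10/8 is the third RFC1918 block.
QUOTED_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "197.0.0.0/8", "198.18.0.0/15", "201.0.0.0/8",
]

# Constructed netfilter-style log lines; 203.0.113.0/24 stands in for the
# site's own public range. Nothing here is a real capture.
SAMPLE_LOG = [
    "IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67",
    "IN=eth1 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67",
    "IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP DPT=80",
    "IN=eth0 OUT= SRC=198.18.4.1 DST=203.0.113.5 PROTO=TCP DPT=22",
    "IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP DPT=443",
]

LOG_RE = re.compile(r"IN=(\S*).*?\bSRC=(\S+)")


def aggregate(prefixes):
    """Collapse adjacent or nested prefixes into the minimal CIDR list:
    fewer ACL entries, identical coverage."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ingress_filter(lines, prefixes, outside_if="eth0"):
    """Return (interface, src, verdict) per log line. A packet arriving on
    the outside interface with a source inside any listed prefix is DROP;
    the same source on an inside interface is left alone, because 0.0.0.0
    is a legitimate DHCP source on the LAN but must never cross the gateway."""
    nets = [ipaddress.ip_network(p) for p in aggregate(prefixes)]
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a packet log line
        iface, src = m.groups()
        bogon = any(ipaddress.ip_address(src) in n for n in nets)
        verdicts.append((iface, src, "DROP" if iface == outside_if and bogon else "PASS"))
    return verdicts
```

Calling `ingress_filter(SAMPLE_LOG, QUOTED_PREFIXES)` drops the three outside-interface packets with bogon sources and passes both the LAN-side DHCP discover and the packet from the public range.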
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 22:35:53 PST