RE: Ip spoof from 0.0.0.0

From: Steenbergen, Dennis, Contractor (steenbedat_private)
Date: Mon Nov 11 2002 - 21:51:25 PST

    Like I was saying. Check out Michael Martin's article for source route
    filtering
    
    http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci851604,00.html
    
    -----Original Message-----
    From: Onsite West Houston [mailto:onsiteat_private]
    Sent: Saturday, November 09, 2002 1:25 AM
    To: incidentsat_private; security-basics
    Cc: 'Jason Robertson'
    Subject: RE: Ip spoof from 0.0.0.0
    
    
    
    	This is the first I heard of anybody maintaining a "bogus IP" list,
    and on the surface it seems like it ought to be quite worthwhile. So I went
    and checked out the site.
    
    	Perhaps I'm missing something, but as I look at the site, what I see
    are:
    
    	(a) A list of most of the Class A addresses -- 75 of the 126 possible.
    	    It would seem easier to identify those Class A networks that are live
    	    (most of them likely to be large ISPs) and expressly permit those
    	    networks, rather than try to block a list of 75 -- the list of 51
    	    issued blocks can be consolidated into 13 CIDR table entries. The
    	    aggregated list of blocked networks requires 23 CIDR entries.
    
    	    Also, it would appear that this list does not include NAT/firewalled
    	    networks, which /also/ should never originate any inbound traffic.
    
    	(b) No Class B addresses -- of course all of them have been issued, but
    	    many of them are buried behind firewalls, and some of them were never
    	    actually connected to the Internet -- issued before commercial access
    	    was possible.
    
    	(c) These few Class C blocks -- and except for the first one, they are
    	    probably short-lived on the list, as they're sure to be issued to
    	    somebody pretty quickly.
    
    		192.0.2.0/24
    		197.0.0.0/8
    		198.18.0.0/15
    		201.0.0.0/8
    
    	The remainder of those listed are the IANA private networks.
    
    	169.254.0.0/16
    	172.16.0.0/12
    	192.168.0.0/16
    
    	and the loopback network
    
    	127.0.0.0/8  -- which I'm not sure should ever be configured to be
    	ignored, as it would be somewhat difficult to ping your own loopback.
    
    	So... with the list as short as it is, I fear I'm missing the point of
    publishing and maintaining the list. As I understand it, the purpose of the
    list is to identify networks that traffic should /never/ originate from.
    But from a security perspective, the list is definitely incomplete, as it
    appears to not consider issued but never-to-be-connected blocks of
    addresses, such as those behind NAT/firewalls or never connected at all. It
    would seem those networks are the most likely to be source addresses used
    for spoofing attacks, rather than those known to not be issued.
    
    	Somebody please enlighten me if I've missed something significant.
    
    	Thanks!
    _________________________________________
    Lawrence Garvin
    Principal/CEO
    Onsite West Houston
    http://onsite.eforest.net
    ICQ#: 38440195
    _________________________________________
    
    
    
    -----Original Message-----
    From: Jason Robertson [mailto:jasonat_private]
    Sent: Thursday, November 07, 2002 9:17 PM
    To: Nexus; incidentsat_private
    Cc: incidentsat_private
    Subject: Re: Ip spoof from 0.0.0.0
    
    
    For all of you who want the list of bogus IP's
    
    http://www.cymru.com/Documents/bogon-list.html
    
    As for 0.0.0.0, it is used for DHCP, but it shouldn't go beyond your
    gateway, or anyone else's.
    
    Also the addressing is usually 0.0.0.0 -> 255.255.255.255 67 
    At least on our network at work...
    
    On 6 Nov 2002 at 23:53, Nexus wrote:
    
    From:           	"Nexus" <nexusat_private-way.co.uk>
    To:             	"Frank Cheong" <chocobofrankat_private>,
    	"Paul Gillingwater" <paulat_private>
    Copies to:      	<incidentsat_private>
    Subject:        	Re: Ip spoof from 0.0.0.0
    Date sent:      	Wed, 6 Nov 2002 23:53:10 -0000
    
    > 
    > ----- Original Message -----
    > From: "Paul Gillingwater" <paulat_private>
    > To: "Frank Cheong" <chocobofrankat_private>
    > Cc: <incidentsat_private>
    > Sent: Wednesday, November 06, 2002 7:08 PM
    > Subject: Re: Ip spoof from 0.0.0.0
    > 
    > [snip]
    > > your router, not the remote attacker.  The best you could do is ask your
    > > upstream ISP to filter outgoing traffic to drop IP packets with invalid
    > > source addresses like 0.0.0.0.
    > [snip]
    > 
    > Good advice, also good luck ;-)
    > Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
    > through ISP's - quite scary how far you get sometimes before somebody with
    > clue > 0 has been at the router configs and it gets dropped...
    > 
    > Cheers.
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    --
    Jason Robertson                
    Now at the Nation Research Council.
    
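The thread turns on two practical points: a bogon list is only useful once it is collapsed into as few CIDR entries as possible (Lawrence's "51 blocks into 13 entries"), and the real value is in checking observed source addresses against it, since a packet from 0.0.0.0 or a reserved block arriving on an outside interface is by definition spoofed or leaked. The script below is an added example written for this archive page, not code from any of the posters or from the Team Cymru list. The prefix list is a constructed sample modelled on the 2002-era blocks named in the thread (197/8 and 201/8 have long since been allocated, so it is illustrative only, and 198.18.0.0/15 is deliberately written as two /16s to show aggregation), and the firewall log lines are constructed in the Linux iptables LOG format; 203.0.113.0/24 stands in for "ordinary public" addresses.

```python
import ipaddress
import re

# Constructed sample bogon list (assumption: not the current Team Cymru list).
# Comments after '#' are stripped by the parser.
BOGON_LINES = """
0.0.0.0/8        # "this" network; only legitimate as a DHCP source on the local link
10.0.0.0/8       # RFC 1918 private
127.0.0.0/8      # loopback, which should never appear on the wire
169.254.0.0/16   # link-local
172.16.0.0/12    # RFC 1918 private
192.0.2.0/24     # TEST-NET, reserved for documentation
192.168.0.0/16   # RFC 1918 private
198.18.0.0/16    # benchmarking range, split into two /16s here ...
198.19.0.0/16    # ... so the aggregation step has something to collapse
"""


def parse_prefixes(text):
    """Parse one CIDR prefix per line, ignoring blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=True rejects entries with host bits set (e.g. 10.1.0.0/8)
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def aggregate(nets):
    """Collapse adjacent and overlapping prefixes into the minimal CIDR set."""
    return list(ipaddress.collapse_addresses(nets))


def is_bogon_source(addr, nets):
    """True if the address falls inside any prefix of the (aggregated) list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


# Constructed firewall log lines (assumption: iptables LOG target format).
SAMPLE_LOG = """\
Nov  9 01:20:01 fw kernel: IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
Nov  9 01:20:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=1234 DPT=80
Nov  9 01:20:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=203.0.113.10 PROTO=TCP SPT=4321 DPT=25
Nov  9 01:20:04 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=203.0.113.10 PROTO=ICMP
"""

SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")


def flag_bogon_sources(log_text, nets):
    """Return the source addresses in the log that match the bogon list."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and is_bogon_source(m.group(1), nets):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    raw = parse_prefixes(BOGON_LINES)
    collapsed = aggregate(raw)
    print(f"{len(raw)} entries collapse to {len(collapsed)} CIDR entries:")
    for n in collapsed:
        print("  ", n)
    print("bogon sources seen in log:", flag_bogon_sources(SAMPLE_LOG, collapsed))
```

The DHCP DISCOVER on the first log line (SRC=0.0.0.0, DST=255.255.255.255, UDP 68 to 67) is exactly the case Jason describes: legitimate on the local segment, but it should never be seen arriving from beyond the gateway, so on an outside interface it is still worth flagging. Note that the checker only answers "is this source in the list"; as Lawrence points out, an allocated-but-never-routed block will pass this test, which is why upstream ingress filtering on the ISP side is the stronger control.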



    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 22:35:53 PST