RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Joel Tyson (jtysonat_private)
Date: Mon Feb 03 2003 - 07:40:02 PST


    The best way to handle these types of packets would be to route them to a null0 interface.  This way the packets will be dropped without an ICMP response.  Typically all ISPs should have these ACLs configured on their border routers; but they don't.  
    
    JT
    
    -----Original Message-----
    From: Hugo van der Kooij [mailto:hvdkooijat_private]
    Sent: Sunday, February 02, 2003 12:33 PM
    To: Incidents Mailing List
    Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
    with spoofed microsoft.com ip)
    
    
    On Fri, 31 Jan 2003, Tomasz Papszun wrote:
    
    > On Fri, 31 Jan 2003 at  3:01:49 +0100, Peter Triller wrote:
    > > >I am seeing a lot of sync/ack packets from port 80 to non-existent
    > > >addresses on my networks.  Somebody is spoofing source addresses to
    > > >attack hosts, we are just innocent victims.  When will ISPs learn that
    > > >they should filter their customer's packets to prevent spoofing?  I am
    > > >even seeing syn/ack packets from 255.255.255.255:80!
    > > 
    > > I can't see much reason in such packets, since they won't give any feedback.
    > 
    > I may be wrong - if so, please don't hesitate to correct me and explain
    > what happens in such situation:
    > 
    > Let's say that a router is configured (with ACLs) to deny packets from
    > 255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
    > unreachable", doesn't it?
    > These ICMP packets try to travel to... 255.255.255.255! Wouldn't it cause
    > a multiplying effect?
    > I know that a router/firewall may be configured to _not_ send "ICMP
    > unreachables" but default is to send them.
    
    The default behaviour for filtering must be to DROP the packets. This is 
    standard in all known firewalls and should be considered common knowledge.
    
    Some call this stealth mode.
    
    Hugo.
    
    -- 
     All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
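    As an added illustration (not part of the thread above): the two router settings the discussion contrasts, in Cisco IOS syntax. The interface name and ACL number are assumed; the "weak" half denies the packet but lets the router answer it, the corrected half drops it silently as Hugo describes. A conforming IP stack should already refuse to send ICMP errors for a broadcast source (RFC 1122), but suppressing unreachables on the filtering interface removes the dependence on that.

```text
! Constructed example, not from the list posting. Serial0/0 and ACL 101 are assumed.
!
! Weak: the ACL denies the packet, but by default IOS answers every denied
! packet with ICMP "administratively prohibited". The reply goes to the
! packet's source address, here 255.255.255.255, which is the multiplying
! effect Tomasz asks about.
interface Serial0/0
 ip access-group 101 in
!
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 permit ip any any
!
! Corrected: same ACL (the "log" keyword keeps a record for detection), but
! the interface is told never to generate ICMP unreachables, so denied
! packets are dropped without any response (Hugo's DROP default, "stealth mode").
interface Serial0/0
 ip access-group 101 in
 no ip unreachables
```

    Joel's alternative of sending the traffic to a Null0 interface achieves the same silent drop without relying on the unreachable setting.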



    This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 07:50:38 PST