Welcome to Volume 3, Issue 20 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Source address spoofing--the act of submitting IP packets with a source address other than one you are authorized and expected to use--is high on my list of unforgivable behavior. Failing to validate source addresses is also high on my list of unforgivably poor operating practices. Mostly, I hate the fact that telephone networks do something better than data networks, and every telco service I've ever used and helped design (e.g., SMDS) has source address validation.
My good friend and colleague, Rik Farrow, wrote a column for WatchGuard's Live Security Service about spoofing and how to recognize it in logs, and WatchGuard has granted TISC permission to redistribute his column as an Insight feature article. Rik's column refers specifically to the Watchguard Firebox, and since this is the firewall he uses, I've left the specific product reference, but his methodology for identifying spoofing is generally applicable to any firewall with decent logging that can be directed to a syslog daemon.
By the way, if you run Windows, there's a very nice shareware syslog daemon from Triaction Software. One of the nice features is a simple rules editor that lets you sort syslog messages into separate folders, so once you've learned how to identify spoofing, you can bin messages associated with spoof attempts in one folder, W32.Nimda probes in another, Code Red in another, etc. I find this filtering practice helps me focus my attention on new suspicious activity when I eyeball Local0 and Local7 notifications.
by Rik Farrow, Internet Security Consultant
One type of message that you'll commonly find in your firewall logs relates to fake, or spoofed, source addresses. Because your firewall blocks most packets carrying these addresses, they are generally not much to worry about. But spoofing almost always signals hostile intent, so you should be acquainted with the technique. This article considers source address spoofing in general, then shows you four ways to discern when it's happening to your network.
IP packets resemble letters sent through the postal service, since they have a destination address and a return address. In Internet protocol, the return address is called the source address (the address where the packet started). If the packet requires a reply, the reply gets sent to the source address. Spoofing a source address means that someone has used special software to lie about the source addresses of their packets. Software like this is very commonly used by attackers running UNIX or Linux systems, although Windows systems can be utilized as well. Windows 2000 and Windows XP actually make this a little easier to do than older Windows systems did.
An attacker has a problem when spoofing a source address, though: he or she can (almost) never get a response back. The response goes to the spoofed address, not to the attacker. For example, if D3vilHax0r launches a Denial of Service attack against someone but has spoofed his source addresses to show your IP address, you'll see the fallout in your logs. The attacked site attempts to reset each bogus connection, and because it has been told your machine is the source, you receive the resets. In your log, 'rst' -- short for RESET -- turns up repeatedly, on connections your site never opened.
Spoofing source addresses is quite common during Denial of Service attacks. The attacker has no interest in seeing any response from the victim. Besides, the purpose of the attack is to block the victim from doing any useful work, which includes responding. So spoofing source addresses makes good sense for DoS attackers.
Spoofing source addresses has also been used in other attacks. The attack used against reclusive security expert Tsutomu Shimomura on Christmas Day, 1994 (detailed in The Fugitive Game, by Jonathan Littman) used source address spoofing to trick an authentication system that trusted source addresses and break into one of Shimomura's servers.
Got the basic idea? Good. Now you're probably wondering, "How can I tell when spoofed messages are hitting my network?" Sometimes that's easy. Let's examine four types of log messages that obviously have spoofed source addresses.
One way of finding spoofed packets is to search your logs for the phrase, "blocked site":
Jun 12 23:09:44 gateway firewalld: deny in eth0 40 tcp 20 46 172.23.7.26 184.108.40.206 3774 80 ack (blocked site)
Jun 13 16:02:07 gateway firewalld: deny in eth0 78 udp 20 114 10.10.1.10 220.127.116.11 137 137 (blocked site)
Jun 14 07:52:18 gateway firewalld: deny in eth0 40 tcp 20 234 192.168.2.18 18.104.22.168 1491 0 rst (blocked site)
Many firewalls can be set to automatically add any site that is port scanning your firewall to your list of blocked sites.
But the source addresses used in these examples, 172.23.7.26, 10.10.1.10, and 192.168.2.18, are already in the list of blocked sites. These addresses fall within the ranges of private network addresses defined in RFC 1918, so they cannot legitimately arrive from outside your network. (If the notion of "private addresses" is new to you, a brief explanation: any IP address that begins with 10., 192.168., or 172.16. through 172.31. (10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12) is reserved for network administrators to use on their own networks. These addresses will never be assigned to public Internet networks, and the core routers will not route them.) So, the second way to spot spoofing in your logs is to look for private source addresses arriving on your Internet-facing interface.
If these addresses cannot be routed, why would someone use them? Two reasons. First: when someone is performing a DoS attack, the attacker does NOT want return packets, nor does he want the packets to identify the true source of the attack. Second: under some circumstances a spoofed source address, private or not, can still be made to work for the attacker. Since the Firebox drops these packets, they won't work against your network. But if an attacker can sniff packets somewhere on the path between a firewall-less network and the rest of the Internet, spoofed but routable source addresses become useful to him.
Suppose an attacker spoofs a legal, but unused, source address and launches a probe or an attack. The return packets will be routed to the specified source address, which will reject them. But if the attacker can sniff the packets on their way to the spoofed source, the attacker can functionally "receive" the packets and act on them using special software (an attack or probe tool).
Here's a third way to spot spoofed packets. When an attacker spoofs legitimate, routable source addresses, your firewall has no way of sensing it from the packet itself. But you might be able to tell something is amiss because you see lots of RESET (rst) messages in your firewall logs, as described above: replies from hosts you never contacted mean someone else is sending packets that carry your addresses. For the attacker to profit from the replies to such packets, he must be able to use a system along the route from the spoofed address to the Internet, so that the replies travel past a point where he can sniff them -- which usually implies the offender has broken into a system at an ISP (something that used to happen more frequently, and still does sometimes).
The fourth type of spoofed source address is also spotted easily. Source addresses beginning with 0, 127, or 240 or greater are spoofed. Zero was used as a broadcast address with old Sun systems. 127 is the localhost (loopback) address, and should never appear in an external packet. Addresses from 240 through 255 (240.0.0.0/4) are reserved for experimental use. Within that range, 255.255.255.255 in particular is the limited broadcast address (used to broadcast to other locally connected systems), so it should never begin the source address of an external packet. The multicast range, 224 through 239, is a destination-only range and likewise never appears as a legitimate source. Addresses like these appear in packets generated by DoS attack tools.
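The four checks above, run over log lines, as an added example written for this issue and not part of Rik's column or of any WatchGuard tool. It parses the firewalld lines quoted in the article (the field order is my reading of those lines, an assumption; the regex is not a documented Firebox format), tags each line with whichever of the four indicators apply, and counts them across a log. The three lines quoted in the article are included as-is; the remaining sample lines are constructed for this example and use RFC 5737 documentation addresses (203.0.113.5, 198.51.100.9) as stand-ins.

```python
"""Pick out the four spoofing indicators from Firebox-style syslog lines.

Field layout, taken from the 'deny in' lines quoted in the article:
  <mon> <day> <time> <host> firewalld: <action> <dir> <iface> <len> <proto>
  <hdrlen> <ttl> <src> <dst> <sport> <dport> [tcp flags ...] [(reason)]
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) firewalld: "
    r"(?P<action>\w+) (?P<dir>in|out) (?P<iface>\S+) (?P<len>\d+) (?P<proto>\w+) "
    r"(?P<hdrlen>\d+) (?P<ttl>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?P<rest>.*)$"
)

# RFC 1918 private space: never a legitimate source on the Internet-facing interface.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Sources that can never legitimately arrive from outside: 0/8 (old-style broadcast),
# 127/8 (loopback), 224/4 (multicast, destination-only) and 240/4 (reserved,
# which includes the limited broadcast address 255.255.255.255).
BOGON = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

SAMPLE_LOG = [
    # The three lines quoted in the article:
    "Jun 12 23:09:44 gateway firewalld: deny in eth0 40 tcp 20 46 172.23.7.26 184.108.40.206 3774 80 ack (blocked site)",
    "Jun 13 16:02:07 gateway firewalld: deny in eth0 78 udp 20 114 10.10.1.10 220.127.116.11 137 137 (blocked site)",
    "Jun 14 07:52:18 gateway firewalld: deny in eth0 40 tcp 20 234 192.168.2.18 18.104.22.168 1491 0 rst (blocked site)",
    # Constructed for this example (not from the article), using RFC 5737 documentation addresses:
    "Jun 14 08:01:02 gateway firewalld: deny in eth0 44 tcp 20 52 127.0.0.1 203.0.113.5 6000 80 syn",
    "Jun 14 08:02:33 gateway firewalld: deny in eth0 40 tcp 20 112 198.51.100.9 203.0.113.5 80 40211 rst ack",
    "Jun 14 08:03:10 gateway firewalld: deny in eth0 60 udp 20 30 255.255.255.255 203.0.113.5 67 68",
    # A private source on the trusted interface (eth1) is normal, not spoofing:
    "Jun 14 08:04:41 gateway firewalld: deny in eth1 40 tcp 20 64 192.168.1.20 203.0.113.5 1025 25 syn",
]


def parse_line(line):
    """Split one firewalld line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").strip()
    rec["reason"] = None
    if rest.endswith(")") and "(" in rest:          # trailing "(blocked site)" etc.
        rest, reason = rest.rsplit("(", 1)
        rec["reason"] = reason[:-1]
    rec["flags"] = rest.split()                      # e.g. ["rst"], ["rst", "ack"] or []
    for key in ("len", "hdrlen", "ttl", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def spoof_indicators(rec, external_iface="eth0"):
    """Return which of the article's four signs apply to one parsed record.

    Only inbound packets on the Internet-facing interface count; a private
    source seen on the trusted side is ordinary traffic.
    """
    hits = []
    if rec["dir"] != "in" or rec["iface"] != external_iface:
        return hits
    if rec["reason"] == "blocked site":
        hits.append("blocked-site")
    if _in_any(rec["src"], PRIVATE):
        hits.append("private-source")
    if _in_any(rec["src"], BOGON):
        hits.append("bogon-source")
    # Backscatter: an inbound RST answers a connection this site never opened,
    # so someone elsewhere is sending packets that claim our address as source.
    if rec["proto"] == "tcp" and "rst" in rec["flags"]:
        hits.append("rst-backscatter")
    return hits


def summarize(lines, external_iface="eth0"):
    """Count each indicator over a whole log. A sudden pile of rst-backscatter
    is the sign that our addresses are the ones being spoofed in someone else's attack."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts.update(spoof_indicators(rec, external_iface))
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(f"{rec['src']:>16} -> {rec['dst']:<16} {spoof_indicators(rec) or ['-']}")
    print(summarize(SAMPLE_LOG))
```

Point external_iface at whatever your firewall calls its outside interface; the first two indicators are only meaningful there. Treat a lone inbound rst as noise (a stateful firewall drops stray resets all day); it is a steady stream of resets from many different hosts, all aimed at you, that marks backscatter from a spoofed attack.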
Source address spoofing is pretty common. Looking through two weeks of logs, I counted 364 log messages that displayed spoofed private network addresses as the source address -- all packets that my Firebox had blocked. Given that you already have a good firewall, source address spoofing only becomes really unpleasant when you are the target of a DoS attack, because spoofing makes it difficult to trace that DoS attack back to its real source.
In general, source address spoofing should not be a danger to firewall-protected networks. Because source addresses can be spoofed, most software does NOT rely on source addresses for authentication (none should). And, if you allow external access through your firewall into your internal networks, you should be using a VPN client to protect your communications -- and prevent the danger of someone sniffing your connection and taking it over. Nonetheless, people who come to your network with peaceful intent have no reason to spoof source addresses. When you spot spoofing, don't panic, but do watch your logs to see what develops.
© 2001 - 2006 Core Competence & Mactivity, Inc.
Rik Farrow's column reprinted with permission from Watchguard Technologies