From: Robert Bonomi
Date: Sun, 17 Oct 2010 12:36:24 -0500 (CDT)
Message-ID: <201010171736.o9HHaOc6003135@mail.r-bonomi.com>
To: freebsd-questions@pp.dyndns.biz, nlandys@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: UDP packet spoofed LAN source address?

> Date: Sun, 17 Oct 2010 16:06:12 +0200
> From: Morgan Wesström
> To: Nerius Landys
> Cc: FreeBSD Mailing List
> Subject: Re: UDP packet spoofed LAN source address?
>
> On 2010-10-17 06:56, Nerius Landys wrote:
> > This is really more of a networking question.
> > I'm wondering, in a typical scenario, for example my server is in a data
> > center with a typical colocation company.
> >
> > I am editing someone else's code, and this code handles incoming UDP
> > packets. The code handles UDP packets that have a source address being from
> > the LAN differently. It gives those packets special treatment. To check
> > whether a source address is a LAN address, it does the typical checks for
> > 10.0.0.0, 172.16.0.0, 192.168.0.0, 127.0.0.0, and it also checks every
> > assigned IP address with netmask to see if the source address on the UDP
> > packet came from that network.
> >
> > My question is - how possible (in these typical environments) is it to send
> > a UDP packet from far away that claims to have a source address being a LAN
> > address? Will such a packet typically make it to my server, or will a
> > router along the way stop it from arriving?
> >
> > Maybe, is there a simple 10 line C program that I can run and compile to
> > check if this scenario is possible on _my_ server?
> >
> > - Nerius
>
> Section 3 of RFC1918 (http://www.ietf.org/rfc/rfc1918.txt) states the
> following, and I quote:
>
> "Routers in networks not using private address space, especially those
> of Internet service providers, are expected to be configured to reject
> (filter out) routing information about private networks."
>
> This makes it _highly_ unlikely that your server will be hit by spoofed
> packets with a source address belonging to any of those private IP
> ranges.

Wrong _WRONG_, *W*R*O*N*G*!!!!

THAT STATEMENT IS ABSOLUTELY INCORRECT.

"Routing information" works on _destination_ addresses *ONLY*. The RFC language means that you cannot -reach- an RFC-1918 *destination* address over the public internet, because no routing for those DESTINATION addresses is carried in the routing tables.

The rest of your analysis is similarly flawed.

As a matter of 'reality' *NOBODY* providing 'transit' services filters on source addresses.

'Leaf' networks -- those with 'upstream' connectivity, but no 'downstream' clients -- are well advised to -themselves- implement ingress/egress filtering at their border to block packets with 'inappropriate' _source_ addresses.

This blocking has to be done with considerable care, however. There are some types of packets with 'un-routable' source addresses that *are* absolutely legitimate, and that you -have- to let through, or you will have _major_ usability problems.

It is also a GOOD IDEA to filter traffic, in _and_ out, to certain ports that are 'meaningful' *only* in a LAN environment.
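The LAN-source classification the quoted question describes, written out as an added example in C that is not from this thread: the RFC 1918 ranges, loopback, and a constructed list of assigned interface networks (a real server would fill that list from getifaddrs(3)). It classifies on the packet header's source address only; as the reply above points out, nothing on the transit path stops a forged one, so a match here cannot by itself justify trusting a packet.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* One locally assigned network: address and netmask in host byte order. */
struct lan_net {
    uint32_t addr;
    uint32_t mask;
};

/* Constructed stand-in for "every assigned IP address with netmask" on the
 * host; a real server would build this from getifaddrs(3). */
static const struct lan_net assigned[] = {
    { 0xCB007101u, 0xFFFFFF00u },   /* 203.0.113.1/24  (TEST-NET-3, constructed) */
    { 0x0A000005u, 0xFFFFFF00u },   /* 10.0.0.5/24     (constructed)             */
};

static int in_net(uint32_t ip, uint32_t net, uint32_t mask)
{
    return (ip & mask) == (net & mask);
}

/* Returns 1 if the source address is classified as "LAN": RFC 1918 private
 * space, loopback, or any assigned interface network; 0 otherwise.
 * This trusts the IP header's source field, which a sender controls. */
int is_lan_source(uint32_t ip)
{
    if (in_net(ip, 0x0A000000u, 0xFF000000u)) return 1;  /* 10.0.0.0/8     */
    if (in_net(ip, 0xAC100000u, 0xFFF00000u)) return 1;  /* 172.16.0.0/12  */
    if (in_net(ip, 0xC0A80000u, 0xFFFF0000u)) return 1;  /* 192.168.0.0/16 */
    if (in_net(ip, 0x7F000000u, 0xFF000000u)) return 1;  /* 127.0.0.0/8    */
    for (size_t i = 0; i < sizeof assigned / sizeof assigned[0]; i++)
        if (in_net(ip, assigned[i].addr, assigned[i].mask)) return 1;
    return 0;
}

/* Dotted-quad wrapper; returns -1 if the text is not a valid IPv4 address. */
int is_lan_source_str(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    return is_lan_source(ntohl(a.s_addr));
}

int main(void)
{
    const char *samples[] = { "10.1.2.3", "172.31.255.1", "172.32.0.1",
                              "192.168.7.7", "127.0.0.1", "203.0.113.200",
                              "203.0.114.1", "8.8.8.8" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s -> %s\n", samples[i],
               is_lan_source_str(samples[i]) == 1 ? "LAN" : "not LAN");
    return 0;
}
```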