Date: Mon, 12 Nov 2001 20:00:13 -0800
From: Greg White <gregw-freebsd-security@greg.cex.ca>
To: Bill Fumerola <billf@mu.org>
Cc: security@freebsd.org
Subject: Source routed packets
Message-ID: <20011112200013.C46767@greg.cex.ca>
In-Reply-To: <20011112191518.C81711@elvis.mu.org>; from billf@mu.org on Mon, Nov 12, 2001 at 07:15:18PM -0600
References: <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca> <20011112191518.C81711@elvis.mu.org>
On Mon, Nov 12, 2001 at 07:15:18PM -0600, Bill Fumerola wrote:
> On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
>
> > 1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
> > 2. Get to a host on an outside network.
> > 3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where
> >    the 192.168.0.0 matches your internal network, and 'ip.of.gate.way'
> >    matches your host's external interface.
> > 4. Sit back and enjoy unfettered access to all those internal hosts.
>
> no, if you actually tried this, you'd be sitting back and wondering why
> it doesn't work. continue reading.

Actually, I wouldn't have wondered. I might have been surprised (and was,
in fact, surprised that two small ISPs I deal with are now doing the right
thing with this sort of packet. :) I'll admit, I had not tried this
'attack' in years... See below.

> > 'Private' addresses are only private if all the routers on the internet
> > refuse to route them. Most do not. :(
>
> incorrect, most do.
> [snip routing lesson]
>
> > OR
> > every router in-between is ({un,}willingly) participating in the attack.

When I first discovered the source routing 'attack', the problem of
accepting source routed packets was already well understood, but not
widely blocked. I was able to pass such an 'attack' in most cases (about
three years ago) on small ISP networks, and large incompetent ones. The
level of 'unwilling' participation was quite high. That level has dropped
to near-negligible now, apparently.

Since it worked then, and the problem was already well understood and all
current best practices explicitly contained workarounds or rules to avoid
them, I assumed incorrectly that most would never bother. :( Any network
I've ever bothered to work on has these rules in place, and usually egress
filters to prevent it outbound, so testing became irrelevant and
impractical. To me, those rules became like NetBIOS rules on Windows
networks: you just _know_ you need them. ;)

Live and learn.

-- 
Greg White
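The two border-filter checks the thread turns on, written out as an added example (this is not code from the thread, from either poster, or from FreeBSD): a packet carrying a loose or strict source-route option is dropped regardless of interface, and a packet whose source address falls in an RFC1918 range is dropped when it arrives on the external interface, which is exactly the 'spoof' rule step 1 of the quoted recipe removes. The IPv4 headers are constructed inline; the checksum field is left zero because only header parsing is exercised, and the single-external-interface gateway is an assumption of the example.

```python
"""Added example: the two checks a border filter applies to the packets
discussed in this thread.  Not code from the thread or from FreeBSD; the
packet bytes below are constructed for the example."""
import ipaddress
import struct

# IPv4 option type bytes for the two source-route options (RFC 791).
LSRR = 0x83  # Loose Source and Record Route
SSRR = 0x89  # Strict Source and Record Route

# The RFC1918 ranges the thread's 'spoof' rules cover.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst and the option type bytes of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options = []
    i = 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option length byte missing")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append(kind)
        i += length
    return {"src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "options": options}


def classify(pkt: bytes, from_external: bool) -> str:
    """Verdict of the border filter: drop source-routed packets everywhere,
    drop RFC1918 sources that arrive on the external interface."""
    hdr = parse_ipv4(pkt)
    if LSRR in hdr["options"] or SSRR in hdr["options"]:
        return "drop: source-routed"
    if from_external and any(hdr["src"] in net for net in PRIVATE_NETS):
        return "drop: private source on external interface"
    return "accept"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero; enough for the parser)."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # pad to 32-bit words
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + opts


def lsrr_option(*hops: str) -> bytes:
    """LSRR option: type, length, pointer (4 = first hop), then hop addresses."""
    addrs = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(addrs), 4]) + addrs


if __name__ == "__main__":
    # Constructed sample traffic: a normal inbound packet, an RFC1918 source
    # seen on each side of the gateway, and a packet source-routed via it.
    samples = {
        "normal inbound":           (build_ipv4("198.51.100.7", "192.0.2.10"), True),
        "private src from outside": (build_ipv4("192.168.0.5", "192.0.2.10"), True),
        "private src from inside":  (build_ipv4("192.168.0.5", "192.0.2.10"), False),
        "LSRR via the gateway":     (build_ipv4("198.51.100.7", "192.168.0.5",
                                                lsrr_option("192.0.2.1")), True),
    }
    for name, (pkt, ext) in samples.items():
        print(f"{name:26s} -> {classify(pkt, ext)}")
```

On a FreeBSD gateway the kernel-side equivalent of the first check is the pair of sysctls `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute`, both set to 0, so the host neither forwards nor accepts source-routed datagrams; the interface-bound RFC1918 check is what the thread calls the 'spoof' rules, and it only does its job if it stays in place.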