On Wed, 08 Dec 1999, Michael H. Warfield wrote:
> On Wed, Dec 08, 1999 at 11:23:51AM -0500, Steve wrote:
> > It's that easy to spoof UDP huh?
>
> The term "trivial" understates the reality. I can spoof UDP
> with netcat and a script, it's that easy.
>
> I also can give you a long list of really annoying network attacks
> such as the chargen/echo food fight and the MS-RPC "snork attack" that are
> all based on how easy it is to spoof UDP. The chargen/echo attack was a
> single UDP packet addressed to the echo (or chargen) port at the local
> subnet broadcast address of the network under attack and spoofed to have
> a source (from) address of the chargen (or echo) port at that same local
> subnet broadcast address. Then you would instantly have all of the
> systems with echo enabled screaming at all the systems with chargen
> enabled. Lots of laughs... :-(
>
> The MS-RPC "snork attack" does basically the same thing but
> exploits MS-RPC response packets to beat up on Windows NT systems.
>
> The only real defense against spoofed UDP packets is to have
> all the routers blocking packets with source addresses that don't make
> sense. If your router has a filter that blocks all inbound UDP packets
> that contain your internal IP addresses as the source address, it can
> block anything that is spoofed to look like it's coming from your own
> addresses.
> (You should also be blocking all inbound packets addressed to
> the local subnet broadcast address - but that's another story.)
I have ipchains set up to DENY all 10.0.0.0, 127.0.0.0, 192.168.0.0, 172.16.0.0
and my external eth1 as standard, then allowing only what I need from the
outside, and MASQ all internal packets forwarded to my external card. I think
that is what I need. Portsentry is more of an insurance policy: in case I do
something stupid w/ ipchains, I have a secondary line of defence.
> It has
> no way to determine a UDP storm of packets is really from some anonymous
> smuck just claiming to be one of the root DNS servers. So that means
> that you have no effective defense against UDP packets from an external
> source that is spoofed to appear to come from another external source.
>
> > On Wed, 08 Dec 1999, Michael H. Warfield wrote:
> > > On Wed, Dec 08, 1999 at 09:27:58AM -0500, Raymond Popowich wrote:
> > >
> > > > I have found that the -atcp and -udp modes work best for me.
> > >
> > > Be very VERY careful with udp mode. If someone figures out that
> > > you are doing that, they can spoof in carefully crafted UDP scans (src
> > > address on UDP can be faked and spoofed) as if they were coming from
> > > something like all the root name servers, and you are then toast.
> > >
> > > I prefer to just block UDP except for tightly controlled services
> > > (ntp, dns) and only to specific routes. Then use portsentry for tcp.
>
> [...]
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
> (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
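The two points the thread makes (the source address of a UDP datagram is just a header field anyone can fill in, and the only thing a border filter can check is whether that field makes sense for the interface it arrived on) are easy to show concretely. The following is an added example written for this page, not code from either poster or from ipchains: it builds raw IPv4/UDP datagrams with an arbitrary source address, then runs them through a small model of the ingress rules discussed above. The addresses are assumptions taken from the documentation ranges: the inside network is 192.0.2.0/24 (so its local subnet broadcast is 192.0.2.255), the external address is 198.51.100.7, and only inbound UDP to 53 (dns) and 123 (ntp) is allowed.

```python
"""Model of the anti-spoof UDP ingress filter discussed in the thread.

Added example for this page; not the posters' ipchains rules. The network
layout below is a constructed assumption using documentation address ranges.
"""
import ipaddress
import struct

# Constructed example network (assumption, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
EXTERNAL_ADDR = ipaddress.ip_address("198.51.100.7")
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWED_UDP_DPORTS = {53, 123}   # the "tightly controlled services": dns, ntp


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a (20-byte) IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build an IPv4+UDP datagram with whatever source address the caller names.

    Nothing here verifies that `src` belongs to the sender: that is the whole
    reason UDP spoofing is trivial. (UDP checksum left at 0 = "not computed".)
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(pkt: bytes) -> dict:
    """Pull the addresses and ports a filter would look at out of a datagram."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != 17:
        raise ValueError("not a UDP datagram")
    ihl = (vihl & 0x0F) * 4
    sport, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport}


def ingress_verdict(pkt: bytes) -> tuple:
    """Verdict for a UDP datagram arriving on the *external* interface.

    Rule order mirrors the thread: drop sources that claim to be us, drop
    private/loopback sources, drop anything aimed at the local broadcast
    address, then allow only the UDP services we actually run.
    """
    p = parse_udp_packet(pkt)
    src, dst = p["src"], p["dst"]
    if src == EXTERNAL_ADDR or any(src in net for net in INTERNAL_NETS):
        return "DROP", "source claims to be one of our own addresses"
    if any(src in net for net in BOGON_NETS):
        return "DROP", "source is a private/loopback address"
    if any(dst == net.broadcast_address for net in INTERNAL_NETS):
        return "DROP", "destination is the local subnet broadcast address"
    if p["dport"] not in ALLOWED_UDP_DPORTS:
        return "DROP", "udp port not in the inbound allow list"
    # Note what is NOT checkable here: an outside source address that is a
    # plausible outside host. The filter has no way to know it was forged.
    return "ACCEPT", "permitted udp service from an outside source"


if __name__ == "__main__":
    # Constructed sample datagrams (assumption; not captured traffic).
    samples = {
        "chargen/echo food fight (bcast:19 -> bcast:7)":
            build_udp_packet("192.0.2.255", "192.0.2.255", 19, 7),
        "rfc1918 source from outside":
            build_udp_packet("10.1.2.3", "192.0.2.10", 40000, 53),
        "outside host aiming at our broadcast":
            build_udp_packet("203.0.113.9", "192.0.2.255", 40000, 53),
        "outside host to our dns (may be spoofed, cannot tell)":
            build_udp_packet("203.0.113.9", "192.0.2.10", 40000, 53),
        "outside host to echo port":
            build_udp_packet("203.0.113.9", "192.0.2.10", 40000, 7),
    }
    for label, pkt in samples.items():
        print(f"{ingress_verdict(pkt)[0]:6} {label}: {ingress_verdict(pkt)[1]}")
```

The last sample is the case Mike calls out: a datagram from one outside address to another outside-reachable service passes every rule, because the border has nothing to compare the source against. That is what makes a UDP-triggered auto-blocker dangerous; the same filter that cleanly kills the broadcast and "it's from us" cases will happily accept a forged "root name server" source.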