Jo Rhett wrote:
On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
10.x is (supposedly) not routable on the public internet. If you see
10.x (or other RFC-1918) traffic coming in from the world, your ISP
is broken.
You don't run packet sniffers on your hosts much, do you? ;-)
Does your ISP filter egress packets on your interface? No, neither
does mine ;-) (and in this case I control the border routing so I
know it for sure)
Most competent ISPs will filter customer interfaces to prevent bogons,
and some will filter public peering ports for bogons, but even with
both of those a surprising number of 10.x packets make their way to
our hosts.
belt-and-suspenders: Even if it's unlikely for a 10.x packet to reach
the host, why should I trust it?
Just because a packet can get there doesn't mean they can deliver mail.
(by the way, IMO you're *insane* for not having something in place
that filters such things. A simple PIX firewall at your border with "ip
verify reverse-path" enabled would do the job nicely. On a budget simple
ACLs in your border routing would do. Step up to at least 1980's grade
network security. seriously.)
SMTP travels over TCP. TCP requires a three way handshake. In order to
successfully open a connection to a TCP port, you need to know what
initial sequence number (ISN) the other side chose. Normally, a client
gets that in the SYN-ACK packet generated by the server. However, in the
case of a bogon, the "client" will never get that packet back, so
they're going to have to guess the ISN. This is called a "blind spoofing
attack". Provided your OS is sufficiently good about choosing random
ISNs, i.e. most modern OSes, even Windows of XP and newer heritage,
pulling off a blind spoofing attack is actually rather difficult to do
in the real world.
If blind spoofing attacks were actually practical, you'd also be seeing
a *lot* of connections with forged source IPs on your mailserver. It's
equally difficult. When's the last time you got a message and didn't
trust the IP your MTA reported as being the actual host delivering the
mail? Spammers would aggressively use this technology to hide the IPs of
their infected hosts if they could.
So go ahead and belt-and-suspenders, but do realize that if they can
establish a connection from a 10.* that you don't route back to, they
can establish a connection using *ANY* IP address of their choosing.
Inside, outside, Microsoft, Google, any IP address is fair game. Were I
a spammer, my first target would be to forge mail as coming from the
mailservers of large companies with bondedsender and high-ranking DNSWL
listings.
I've not seen such mass IP forgery going on. Have you? Of course not,
because it pretty much can't be done.
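Added illustration, not part of this thread: a small Python model of the handshake argument above. The listener hands out its ISN only in the SYN-ACK and opens the connection only if the final ACK acknowledges ISN+1, so a peer that never receives the SYN-ACK has to guess that value; the audit helper measures how much guessing a fixed-step ISN scheme versus a randomized one leaves. The class, function names and IP addresses are constructed for the example.

```python
import math
import secrets

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit

class TcpListener:
    """Listening socket model: the ISN leaves only in the SYN-ACK, and the
    third packet must acknowledge ISN+1 or the connection never opens."""
    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.half_open = {}        # peer -> our ISN, waiting for the final ACK
        self.established = set()

    def on_syn(self, peer):
        isn = self.isn_source()
        self.half_open[peer] = isn
        return isn                 # carried in the SYN-ACK, delivered to `peer` only

    def on_ack(self, peer, ack_number):
        isn = self.half_open.get(peer)
        if isn is None or ack_number != (isn + 1) % SEQ_SPACE:
            return False           # wrong guess: still half-open, no SMTP can flow
        del self.half_open[peer]
        self.established.add(peer)
        return True

def fixed_step_isn(step=64000):
    """Weak historical scheme: the ISN advances by a constant per connection."""
    state = [secrets.randbelow(SEQ_SPACE)]
    def next_isn():
        state[0] = (state[0] + step) % SEQ_SPACE
        return state[0]
    return next_isn

def random_isn():
    """Modern scheme: every ISN is drawn from the full 32-bit space."""
    return lambda: secrets.randbelow(SEQ_SPACE)

def isn_spread_bits(listener, samples=64):
    """Audit helper: complete `samples` real handshakes (this client sees the
    SYN-ACK) and measure how widely consecutive ISN deltas vary: near 0 bits
    means the next ISN is predictable, near 32 means it must be guessed blind."""
    isns = []
    for i in range(samples):
        peer = ("198.51.100.7", 40000 + i)   # constructed audit client address
        isns.append(listener.on_syn(peer))
        listener.on_ack(peer, (isns[-1] + 1) % SEQ_SPACE)
    deltas = [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]
    return math.log2(max(deltas) - min(deltas) + 1)
```

Running `isn_spread_bits` against the two ISN sources gives 0 bits for the fixed-step scheme and about 32 for the randomized one, which is the gap between a trivial guess and the 1-in-2^32 chance the post describes.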