HP3000-L Archives

April 1996, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Daniel Kosack <[log in to unmask]>
Reply To: Daniel Kosack <[log in to unmask]>
Date: Sat, 20 Apr 1996 15:44:02 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (66 lines)

On 20 Apr 1996, Bruce Toback wrote:
 
> Daniel Kosack writes:
 
> Huh? How do you drop source IP addresses? And why would you want to? It's a
> bit difficult to open a TCP connection if you don't know the address you're
> supposed to be handshaking with. Other transport-layer protocols also rely on
> the source IP address.
 
  Spoofed source IPs.  According to a bulletin put out by Livingston and
CERT, there was a relatively recent IP spoof attack in which source IP
addresses were spoofed.
 
  To prevent this, you want to basically firewall any connections
from your local network which originate from the outside.
 
  I've included the CERT advisory from which this info was obtained.  The
fix should work on any firewall or filtering device.
 
Subject: CERT 1/23 Advisory
Summary: What to do on IRX or PortMaster
 
The IRX and PortMaster discard source-routed packets but this recent
attack does not involve source routes; it spoofs the source IP address.
 
You can block this IP spoofing attack with your IRX (or PortMaster);
rules for doing so are included in the example in the Firewall
Application Note included with the IRX-211 or available from
ftp://ftp.livingston.com/pub/livingston/firewall/firewall-1.0.ps.Z
A short description follows.
 
Let's say your network is 199.9.200.0 on ether0 or ether1 or split
across both, and that your s1 sync port has an input filter called
internet.in and (optionally) an output filter called internet.out.
 
Then insert as the VERY first rule in internet.in
deny 199.9.200.0/24 0.0.0.0/0 log
 
You can leave off the log if you don't want to know when you're
being attacked.  If you set a loghost, packets that match a rule
with the "log" keyword send a message to the auth.notice facility
on the loghost.
 
It is also useful to block packets that are trying to leave your
network but have a destination address in your network.  To do so,
insert a first rule to internet.out with
deny 0.0.0.0/0 199.9.200.0/24 log
 
Basically, if you *know* an address couldn't possibly be coming in via
some interface, it is useful to block it and log the event if it
happens, because it means either someone's trying to spoof you, or
something odd is happening with routing that should be looked into.
 
Further examples of Livingston packet filtering are available in
the FireWall Application Note mentioned above and in
ftp://ftp.livingston.com/pub/livingston/doc/filters
 
A copy of this message is available in
ftp://ftp.livingston.com/pub/livingston/doc/filters.ip-spoof
 
The original CERT advisory is available from
ftp://cert.org/pub/cert_advisories/CA-95:01.IP.Spoofing.Attacks.and.Hijacked.Connections
 
Daniel Kosack  -<[ Danny Boy ]>-
[log in to unmask]
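The two rules in the forwarded advisory (deny inbound packets whose source claims to be inside 199.9.200.0/24, deny outbound packets whose destination is inside it, log both) are evaluated first-match, so their position as the very first rule matters. The following Python is an added illustration of that evaluation and is not code from Daniel Kosack's message, from CERT or from Livingston; the rule parser, the trailing permit-all rules, the default deny for unmatched packets, the `auth.notice` log line format and the 192.0.2.x sample addresses are my assumptions, constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original message: the advisory's sample network
# and its two anti-spoofing rules, evaluated in order with first-match semantics.
INTERNAL_NET = "199.9.200.0/24"


@dataclass
class Rule:
    action: str                 # "deny" or "permit"
    src: ipaddress.IPv4Network  # matching source prefix
    dst: ipaddress.IPv4Network  # matching destination prefix
    log: bool                   # emit a log line when this rule matches


def parse_rule(text: str) -> Rule:
    """Parse 'deny|permit SRC/LEN DST/LEN [log]', the form used in the advisory."""
    parts = text.split()
    if len(parts) not in (3, 4) or parts[0] not in ("deny", "permit"):
        raise ValueError(f"malformed rule: {text!r}")
    if len(parts) == 4 and parts[3] != "log":
        raise ValueError(f"unknown keyword in rule: {text!r}")
    return Rule(parts[0],
                ipaddress.ip_network(parts[1]),
                ipaddress.ip_network(parts[2]),
                len(parts) == 4)


# Hypothetical filter sets mirroring the advisory: the anti-spoofing deny is the
# very first rule, followed by a constructed permit-all so other traffic passes.
INTERNET_IN = [parse_rule(f"deny {INTERNAL_NET} 0.0.0.0/0 log"),
               parse_rule("permit 0.0.0.0/0 0.0.0.0/0")]
INTERNET_OUT = [parse_rule(f"deny 0.0.0.0/0 {INTERNAL_NET} log"),
                parse_rule("permit 0.0.0.0/0 0.0.0.0/0")]


def apply_filter(rules, src: str, dst: str, log_sink: list) -> str:
    """Return the action of the first rule matching (src, dst), appending a
    log line for rules carrying 'log'. Packets matching no rule are denied
    here; that default is an assumption of this example, not a statement
    about the PortMaster's behaviour."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            if rule.log:
                # Stand-in for the auth.notice message a loghost would receive
                log_sink.append(f"auth.notice: {rule.action} {src} -> {dst}")
            return rule.action
    return "deny"


def run_demo() -> dict:
    """Constructed packets: a spoofed inbound packet claiming an internal
    source, a legitimate inbound packet, an outbound packet with an internal
    destination (a routing problem or spoof attempt), and a normal outbound one."""
    log: list = []
    results = {
        "inbound_spoofed": apply_filter(INTERNET_IN, "199.9.200.5", "199.9.200.10", log),
        "inbound_legit": apply_filter(INTERNET_IN, "192.0.2.44", "199.9.200.10", log),
        "outbound_bogus": apply_filter(INTERNET_OUT, "199.9.200.7", "199.9.200.9", log),
        "outbound_legit": apply_filter(INTERNET_OUT, "199.9.200.7", "192.0.2.44", log),
    }
    return {"results": results, "log": log}


if __name__ == "__main__":
    demo = run_demo()
    for name, action in demo["results"].items():
        print(f"{name:16s} {action}")
    print("\n".join(demo["log"]))
```

Only the two anti-spoofing rules carry `log`, so the log sink receives exactly the events the advisory says are worth knowing about: an address arriving on an interface it could not legitimately come from.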
