> OK, so I can modify my outgoing packets to say that I'm coming from
> 192.168.1.23, or some such -- *HOW* can I get the response to those
> packets returned to me at my real address? If I fool you, regarding my
> source address, won't your response also go to 192.168.1.23 ???
There are at least two techniques to use here: blind attacks and source
routing.
A blind attack just spews packets at your machine without needing (or
expecting) a response. While this may seem limited, it's possible to crash
many versions of Windows just by spitting the right malformed packets at
the machine. I don't know if there are more sophisticated attacks that
don't initially require a valid IP, but I wouldn't discount the possibility
entirely.
Source routing uses a special feature of TCP/IP headers, allowing the packet
sender to specify the routing for any response packets. This allows a
would-be hacker to hide behind a non-routable private IP, by putting enough
information into the TCP/IP header to get response packets back to a machine
that the hacker controls. Since there are quite a few firewalls that don't
log extended header information (ipchains included), it can be difficult to
determine the hacker's actual location on the 'net.
> Also, if these packets had not been DENY'ed, wouldn't response to them
> be routed into my local network? Once into our firewall, how could such
> responses ever get back out ???
See source-routing, above.
> > Lastly, let me take a guess as to *why*. Some attacks are
> > blind ones, where the attacker sends packets to a machine, and
> > doesn't really care what the replies are. It either succeeds or it
> > does not. It's like logging onto your LRP box: I bet without looking
> > at the screen, you could logon as root and flush the firewall. My
> > point: if someone is sending these blind attacks to your machine's
> > NETBIOS ports, attempting some exploit, they might as well "sign"
> > the packets so that they appear to come from your own LAN.
>
> My concern lies in *not* being able to reliably trace exploits back to
> their source!
That's just how the internet works. If the hacker isn't source-routing
their packets, you really have no way of knowing where they came from, as IP
routers don't "tag" the packets in any way as they pass through. The only
thing that changes with each router hop is the TTL, but this doesn't tell
you much unless you KNOW what the initial TTL was. Since the TTL can never
be greater than 255, the only thing you currently know about the packets
that got logged is that they are no more than 148 hops from you, which could
put the source just about anywhere in the universe!
If you install a secondary monitoring utility that can dump or log extended
header information, you may be able to find out if the packets are
source-routed or not, and possibly narrow in on who's spitting these packets
in your direction.
> Yes, that this is done and currently the norm with skilled scribblers is
> *not* news to me; but, this incident is the perfect illustration of how
> un-trustworthy the InterNet is. Not to mention, that our T-1 ISP is
> actually routing RFC 1918/1627/1597 blocks across the InterNet ;<
Most routers only look at the destination IP, so ANY source IP is OK with
them. In fact, it can be very important for things to work this way, as
many internal networks are switching to private IP space due to a lack of
available "real" IPs (especially in Europe). This means packets may
legitimately come from a private IP assigned to a router or other
infrastructure device deep inside the network of some ISP or backbone
provider.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
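The reply above recommends a monitoring tool that dumps the extended (option) part of the IP header, so you can tell whether logged packets with an RFC 1918 source were source-routed and how far away they might be. The following is an added example, not code from the post or from the LEAF/LRP project: it parses a raw IPv4 header, walks the option list, flags Loose/Strict Source and Record Route options (types 131 and 137) and RFC 1918 source addresses, and turns the TTL into the "no more than 255 - TTL hops" bound the reply uses plus a tighter guess that assumes one of the common initial TTLs (64, 128, 255). The two packets it analyses are constructed inline for the demonstration; the 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real hosts.

```python
import ipaddress
import struct

# IPv4 option type codes (RFC 791): the two source-routing options plus Record Route.
LSRR = 131  # 0x83 Loose Source and Record Route
SSRR = 137  # 0x89 Strict Source and Record Route
RR = 7      # Record Route (carries a route list, but does not steer replies)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INITIAL_TTLS = (64, 128, 255)  # common OS defaults, used only for the hop-count guess


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private blocks."""
    return any(addr in net for net in RFC1918)


def build_ipv4(src, dst, ttl, proto=6, options=b""):
    """Build a bare IPv4 header (no payload, checksum left zero) for the demo packets."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad with End-of-Options-List
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options


def lsrr_option(route, pointer=4):
    """Encode an LSRR option: type, length, pointer, then the list of 4-byte hops."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in route)
    return bytes([LSRR, 3 + len(addrs), pointer]) + addrs


def parse_options(raw):
    """Walk the IP option list; returns a list of dicts, decoding route-carrying options."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == 0:          # End of Options List
            break
        if t == 1:          # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d" % length)
        body = raw[i + 2:i + length]
        opt = {"type": t, "length": length}
        if t in (LSRR, SSRR, RR):
            opt["pointer"] = body[0] if body else 0
            opt["route"] = [ipaddress.IPv4Address(body[k:k + 4]) for k in range(1, len(body) - 3, 4)]
        opts.append(opt)
        i += length
    return opts


def parse_ipv4(pkt):
    """Decode the fixed 20-byte header and any options that follow it."""
    ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "ttl": ttl, "proto": proto, "options": parse_options(pkt[20:ihl])}


def max_hops(ttl):
    """Upper bound on distance: TTL can never start above 255."""
    return 255 - ttl


def likely_hops(ttl):
    """Tighter guess: assume the smallest common initial TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None


def analyze(pkt):
    """Return (header, findings): human-readable reasons this packet looks spoofed or source-routed."""
    hdr = parse_ipv4(pkt)
    findings = []
    if is_rfc1918(hdr["src"]):
        findings.append("RFC 1918 source %s (spoofed or leaked)" % hdr["src"])
    for opt in hdr["options"]:
        if opt["type"] in (LSRR, SSRR):
            kind = "loose" if opt["type"] == LSRR else "strict"
            findings.append("%s source route via %s" % (kind, ", ".join(map(str, opt["route"]))))
    return hdr, findings


# Constructed sample packets (not captured traffic).
SPOOFED = build_ipv4("192.168.1.23", "203.0.113.5", ttl=107, options=lsrr_option(["198.51.100.9"]))
PLAIN = build_ipv4("198.51.100.77", "203.0.113.5", ttl=55)

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED), ("plain", PLAIN)):
        hdr, findings = analyze(pkt)
        print("%s: %s -> %s ttl=%d (<=%d hops, likely %s)" % (
            name, hdr["src"], hdr["dst"], hdr["ttl"], max_hops(hdr["ttl"]), likely_hops(hdr["ttl"])))
        for f in findings:
            print("  !", f)
```

The route list recovered from an LSRR/SSRR option is exactly the information ipchains does not log: the addresses in it are where the attacker asked replies to be steered, which is a far better lead than the spoofed source. Modern routers and hosts drop source-routed packets by default, so on today's networks a hit here is itself suspicious.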