On Sunday 07 September 2003 02:00 pm, rikona wrote:
> Hello Bryan,
>
> Friday, September 5, 2003, 4:19:01 PM, you wrote:
>
> BP> Based on the headers I have seen on two of the virus messages,
> BP> both forwarded by someone on the list, I haven't seen it spoof any
> BP> IP addresses, only the From line.
>
> I probably agree, but still have that nagging question about the
> router route caching. If that does really work, then they could spoof
> the IP also.
With most ISPs using RFC internal addresses for local network connections, I still don't see this as being a problem. It is impossible to spoof a non-routable internal address from an external connection and still get reply packets delivered back to you. Even if you could do that for the initial ISP, any router that was between your connection and the compromised system would refuse the route and you would lose the packets. The only conceivable way for this type of spoofing to work is for you to be connected directly to the network with nothing between you and the compromised system other than routers that you have compromised, because if even one non-compromised router sits between the attacker and the attackee, the packets go the wrong place. A virus, by definition, needs to propagate far and wide and it would be impossible for such a virus to always be or know about where it was physically connected or how many systems were between it and the target of the attack. Unless they finally got AI working.

> The scenario I am thinking of would be that you initiate the request,
> involving a DNS for, say, my computer (you can do this on the first,
> legitimate card if necessary). Once you get my IP, then you can send
> the email to me.

Most ISPs use RFC internal IP addresses for internal networks and those are not routable beyond the local network. So, even if I could spoof a 10. address, I can not ever receive the reply because the traffic is non-routable. I believe that you are proposing that I come in on a routable 212 address, for instance, and then convince the server that my address is 10. based. Even if I could do that, the reply is non-routable to the 212 address and there is no server in the world that will actually route the reply to the 212 address, thinking that it is a 10. address. See what I mean? This is simply not a practical thing that can be done.
If you have a routable external IP address as your assigned address, then it becomes more of a possibility, but it is still highly unlikely because the physical connection between the attacker and the attackee is probably not direct. There will be some type of router or routers between me and the system and all have to maintain the same routing address instructions or the packets drop to the wrong place. If even one system between me and the compromised system is not on board, the packets don't get delivered.

> My ISP would reply. Here's the sticking point. Would
> the reply simply follow the reverse path already established from you
> to me, or would the reply follow an entirely different route back to
> you? If the former, then you have essentially spoofed an IP address in
> your email to me.

No foreign router that is correctly configured is going to accept updates from non-authoritative computers. Not only that, but most will simply forward the packets to the authoritative "routers" for that netblock, rather than try to maintain the routing tables themselves. That means that if I get routing instructions for packets for a particular IP that belongs to Nippon Telecom in Japan, I am not going to try to deliver those packets myself, I am simply going to forward them to the authoritative router for Nippon Telecom and let that router route the packets to the destination on its local network. Those authoritative sources do not change all that often and in most cases, updates will be pushed out by the very BIG Domain Name Controllers, not some rinky outfit that has easily compromised security. That means that unless the update is coming from a trusted source and is directed to the local network, the updated routing instructions would simply be discarded and the authoritative path would be used instead.
Even if I could manage to spoof it for an instant, the very next update from authoritative sources would override the instructions I put in place and any router between the compromised one and the target would discard non-authoritative input. In most cases, network administrators don't just maintain a single router, but multiple routers to act as backups to each other for outages. If something funky was going on with one of them, more than likely the connection would be dropped, the admin notified and traffic directed to the backup router. There is usually some method as well to do comparisons of routes to make sure that each one is updated with the same information, so if there was a conflicting route, additional comparisons might be done with nearby info to make sure that everything is kosher. So you would have to get the compromise exactly right the first time without alerting any intrusion detection system or tripwire. And you would have to hope that any other routers would automatically get the same updates that you propagate to the first.

> snip...
>
> If my router route caching idea really works, it doesn't need much
> intelligence to do it. Viruses already fake headers, including
> 'originator' ones that look like they're below the 'real' one, use
> open proxies, chains of forwarders, etc.

Very few worms or viruses use open relays, for the simple reason that most open relays are blocked massively by ISPs in general, the open relay would have to be hard coded into the virus and would therefore be the target of massive immediate blocks as soon as the virus was decoded, and using a built-in SMTP engine is so much more convenient since it provides ready-made routes for propagation that are not known beforehand and therefore can not easily be blocked. None that I know of use chains or proxies for traffic, for the same reason that I have mentioned. It is much easier for a real person to do these things because they can use new ones every time; viruses can not.
Sobig.F does not even use individual proxies, much less chain multiple ones, nor does it use open SMTP relays, since it has a built-in engine. Most worms and viruses are similar, for the reasons I mentioned above. And compromising a router is much more difficult than simply using a server that has been left intentionally open, as open relays and proxies are. Compromising a router is non-trivial for a person, much, much harder for a virus. Plus, as we have talked about, the virus will not always know the physical location of its connection and it is not enough that it compromise simply a single router; it must compromise every router between it and the system it is attacking in order to accurately spoof an IP and get packets back.

-- 
Bryan Phinney
Software Test Engineer
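The practical consequence of the reasoning in this thread is the check a list admin actually does on one of these worm messages: the From: line and any "originator" Received: lines under your own MTA are text the sender typed, while the source address your own MTA recorded came from a real TCP connection and had to be routable back to the sender. The following is an added example, not code from Bryan's post or from the thread; it splits a Received: chain at that trust boundary and flags claimed RFC 1918 addresses. The sample message, the hostnames (lists.example.org, mx.example.net) and the OUR_MTAS set are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (not a real capture). The From: line is forged; the two
# Received: lines were written by the MTAs that handled the message, and the
# bottom one records that the sender sat on an RFC 1918 address inside its ISP.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby lists.example.org (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <list@example.org>; Sun, 7 Sep 2003 14:00:00 -0700\n"
    "Received: from HOMEPC (unknown [10.45.2.17])\n"
    "\tby mx.example.net (Postfix) with SMTP id 4D5E6F;\n"
    "\tSun, 7 Sep 2003 13:58:10 -0700\n"
    "From: someone@example.com\n"
    "To: list@example.org\n"
    "Subject: Re: Thank you!\n"
    "\n"
    "Please see the attached file for details.\n"
)

# Hostnames of the MTAs we operate (assumed). Only Received: lines written
# "by" one of these are ours; everything beneath was supplied by the sending side.
OUR_MTAS = {"lists.example.org"}

# RFC 1918 space, checked explicitly rather than via ipaddress.is_private,
# which also flags the documentation ranges (203.0.113.0/24 etc.) used above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_FROM_LITERAL = re.compile(r"\bfrom\b.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_received(raw):
    """Return [(by_host, from_ip), ...] for each Received: header, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())           # unfold continuation lines
        by = _BY_HOST.search(value)
        frm = _FROM_LITERAL.search(value)
        if not (by and frm):
            continue                              # no address literal: nothing usable
        try:
            hops.append((by.group(1).lower(), ipaddress.ip_address(frm.group(1))))
        except ValueError:                        # malformed literal: skip the hop
            continue
    return hops


def routable(ip):
    """True if packets to ip can cross the public Internet (the thread's point about 10. space)."""
    ip = ipaddress.ip_address(ip)
    if ip.is_loopback or ip.is_link_local:
        return False
    if ip.version == 4:
        return not any(ip in n for n in RFC1918)
    return not ip.is_private                      # fc00::/7 ULA for IPv6


def entry_point(raw, our_mtas=OUR_MTAS):
    """Split the Received: chain at the trust boundary.

    Walk newest-first while the recording MTA is one of ours. The from-IP on the
    last such line is where the mail entered our network over TCP, which the
    sender could not forge and still get the connection to complete. Every
    line after that is the sending side's own claim, forged originator lines
    included, and so is the From: header.
    """
    hops = parse_received(raw)
    trusted = []
    for by_host, from_ip in hops:
        if by_host not in our_mtas:
            break                                 # a line we did not write: stop trusting
        trusted.append(from_ip)
    if not trusted:
        return None                               # none of our MTAs handled it
    claimed = [ip for _, ip in hops[len(trusted):]]
    msg = email.message_from_string(raw)
    return {
        "entry_ip": str(trusted[-1]),
        "entry_routable": routable(trusted[-1]),
        "claimed_ips": [str(ip) for ip in claimed],
        "claimed_private": [str(ip) for ip in claimed if not routable(ip)],
        "from_header": msg.get("From", ""),       # sender-controlled text, not evidence
    }


if __name__ == "__main__":
    print(entry_point(SAMPLE))
```

For the sample, the entry point is 203.0.113.7 (the ISP's mail exchanger), and the 10.45.2.17 beneath it is a claim by that ISP's MTA that is meaningful only inside its network; it is the address you would use when writing to the ISP's abuse desk, not one you could route to or block at the list server.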
