On Wed, Dec 08, 1999 at 11:23:51AM -0500, Steve wrote:
> It's that easy to spoof UDP huh?
The term "trivial" understates the reality. I can spoof UDP
with netcat and a script; it's that easy.
I also can give you a long list of really annoying network attacks
such as the chargen/echo food fight and the MS-RPC "snork attack" that are
all based on how easy it is to spoof UDP. The chargen/echo attack was a
single UDP packet addressed to the echo (or chargen) port at the local
subnet broadcast address of the network under attack and spoofed to have
a source (from) address of the chargen (or echo) port at that same local
subnet broadcast address. Then you would instantly have all of the
systems with echo enabled screaming at all the systems with chargen
enabled. Lots of laughs... :-(
The MS-RPC "snork attack" does basically the same thing but
exploits MS-RPC response packets to beat up on Windows NT systems.
The only real defense against spoofed UDP packets is to have
all the routers blocking packets with source addresses that don't make
sense. If your router has a filter that blocks all inbound UDP packets
that contain your internal IP addresses as the source address, it can
block anything that is spoofed to look like it's coming from your own
addresses. (You should also be blocking all inbound packets addressed to
the local subnet broadcast address - but that's another story.) It has
no way to determine whether a UDP storm of packets is really from some anonymous
schmuck just claiming to be one of the root DNS servers. So that means
that you have no effective defense against UDP packets from an external
source that are spoofed to appear to come from another external source.
> On Wed, 08 Dec 1999, Michael H. Warfield wrote:
> > On Wed, Dec 08, 1999 at 09:27:58AM -0500, Raymond Popowich wrote:
> >
> > > I have found that the -atcp and -udp modes work best for me.
> >
> > Be very VERY careful with udp mode. If someone figures out that
> > you are doing that, they can spoof in carefully crafted UDP scans (src
> > address on UDP can be faked and spoofed) as if they were coming from
> > something like all the root name servers, and you are then toast.
> >
> > I prefer to just block UDP except for tightly controlled services
> > (ntp, dns) and only to specific routes. Then use portsentry for tcp.
[...]
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
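An added illustration, constructed for this page and not part of Mike's mail, of the router filter he describes: inbound packets with an internal source address and inbound packets addressed to the subnet broadcast address are dropped, the echo/chargen port pair is dropped, and (going one step beyond the mail) the symmetric outbound check is applied as well. The fourth sample packet shows the limitation he points out: an external-to-external spoof that the filter cannot tell from a real packet. Interface names, addresses and ports are assumed.

```python
import ipaddress
from dataclasses import dataclass

ECHO, CHARGEN = 7, 19  # the UDP services behind the "food fight"

@dataclass
class Packet:
    ingress: str  # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def make_filter(internal_nets):
    """Return a verdict function for a router that owns the given prefixes."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    broadcasts = {n.broadcast_address for n in nets}
    def is_internal(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    def verdict(pkt):
        # 1. Inbound packets can never legitimately carry one of our own source addresses.
        if pkt.ingress == "external" and is_internal(pkt.src):
            return "drop: spoofed internal source"
        # 2. Nothing from outside should be addressed to a local subnet broadcast address.
        if pkt.ingress == "external" and ipaddress.ip_address(pkt.dst) in broadcasts:
            return "drop: directed broadcast"
        # 3. UDP between echo/chargen ports (either pairing) only ever forms a loop.
        if pkt.proto == "udp" and {pkt.sport, pkt.dport} <= {ECHO, CHARGEN}:
            return "drop: echo/chargen loop"
        # 4. Symmetric outbound check: packets leaving must carry one of our own addresses.
        if pkt.ingress == "internal" and not is_internal(pkt.src):
            return "drop: outbound packet with foreign source"
        return "accept"
    return verdict

# Constructed samples for a site owning 192.0.2.0/24 (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("external", "192.0.2.77", "192.0.2.255", "udp", CHARGEN, ECHO),   # the trigger packet from the mail
    Packet("external", "198.51.100.9", "192.0.2.255", "udp", 53, 53),        # directed broadcast, real source
    Packet("external", "198.51.100.9", "192.0.2.10", "udp", CHARGEN, ECHO),  # loop attempt without spoofing
    Packet("external", "198.51.100.9", "192.0.2.10", "udp", 53, 40000),      # really from that DNS server? unknowable
    Packet("internal", "203.0.113.5", "198.51.100.9", "udp", 40000, 53),     # spoofed source leaving the site
    Packet("internal", "192.0.2.10", "198.51.100.9", "udp", 40000, 53),      # ordinary outbound DNS query
]

def run_sample():
    verdict = make_filter(["192.0.2.0/24"])
    return [verdict(p) for p in SAMPLE]  # one verdict string per packet in SAMPLE
```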