Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-27 Thread Flipchan
DNS and UDP get spoofed all the time (look at DDoS amplification attacks); the
source IP can always be spoofed. However, as long as the traffic is encrypted
with SSL or similar, it will always be possible to MITM the requests but not
get the data, because it's encrypted. However, let's say that you're not using
dnscrypt; then you should be worried about MITM attacks on DNS.

"C. L. Martinez"  wrote: (25 January 2017 10:08:54 CET)
>Hi all,
>
>I have received a (maybe) "stupid" request from one of our customers.
>We have a pair of public OpenBSD firewalls (CARPed) that our
>development team uses to access several customers via IPsec VPN
>tunnels. But this morning we have received a request from one of these
>customers to access our development servers using only one ACL to
>permit their public IP address (without using IPsec VPN or SSL VPN
>tunnels).
>
>And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
>for example, or another type of attack that permits faking the source
>public IP address) in this scenario?
>
>Many thanks.
>
>--
>Greetings,
>C. L. Martinez

--
Sincerely, flipchan - LayerProx dev



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-27 Thread Denis Fondras
> Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see
> how you can accomplish this. For example: the public source IP address is
> 1.1.1.1, the destination public IP address is 2.2.2.2 and the attacker's public
> IP address is 3.3.3.3. To establish communications between these three
> elements, there are several routers between them to route packets. What I
> don't see is how, when the attacker sends packets to 2.2.2.2 using the source
> public IP address 1.1.1.1, the routers between all elements return these
> packets to the attacker (which has the 3.3.3.3 IP address).
> 

An attacker can also announce a more specific prefix with BGP on the Internet and
"suck" traffic towards its own infrastructure.



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Thu, Jan 26, 2017 at 10:51:14AM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez  wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez  wrote:
> >> > Hi all,
> >> >
> >> > I have received a (maybe) "stupid" request from one of our customers.
> >> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> >> > team uses to access several customers via IPsec VPN tunnels. But this
> >> > morning we have received a request from one of these customers to access
> >> > our development servers using only one ACL to permit their public IP
> >> > address (without using IPsec VPN or SSL VPN tunnels).
> >> >
> >> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >> > for example, or another type of attack that permits faking the source
> >> > public IP address) in this scenario?
> >> 
> >> For an attacker with no access to endpoints or network in between:
> >> 
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But only a SYN can be sent, right? The attacker's source IP address will
> > not receive the ACK, etc. Is that correct? If so, they can only do a DoS
> > attack; they can't steal information, right?
> > 
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> 
> They won't get any responses, but if an attacker can predict some of
> what's in the packets (port numbers, sequence numbers etc), they can
> send a bunch of packets that *might* match. If they get lucky and hit
> on a correct one, they can handshake and transmit, obviously not
> receive data directly on that connection, but sending might be enough
> to do damage.
> 
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly), they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >> 
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake the
> > original public source IP address ... Any theoretical example?
> 
> If they have access to a machine that the packets pass through, or a
> machine that they can be made to pass through (e.g. by DNS manipulation,
> or if they're on an unprotected layer-2 network with a real router ARP
> attacks etc might work) they can just inspect/modify the packets as
> they're passing.
> 
> Even if it's just a router that doesn't let them do much with the
> packets directly, they might still be able to forward them over a GRE
> tunnel or similar to a machine where they can do this.
> 
> There are enough ISPs and colos around that don't do BCP38 (i.e. don't
> check source addresses) that there won't be too much difficulty
> re-forwarding packets with the original sender IP address.
> 
> > Many thanks Stuart for your help.
> 
> tl;dr: if VPN isn't suitable, make sure comms are protected by some
> other method that includes at least strong authentication and protects
> messages against being modified - e.g. modern SSH, TLS or equivalent -
> and be careful with certificates (test to make sure that you'll notice
> an unexpected change).
> 

Many thanks for your detailed answer, Stuart. Fantastic. Only one more
question. Since this access only requires the HTTP service, would it be
sufficient if I try to convince them to use HTTPS instead? And in the case
that we could use HTTPS, would a MITM attack be minimized?

-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread Stuart Henderson
On 2017-01-25, C. L. Martinez  wrote:
> On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
>> On 2017-01-25, C. L. Martinez  wrote:
>> > Hi all,
>> >
>> > I have received a (maybe) "stupid" request from one of our customers.
>> > We have a pair of public OpenBSD firewalls (CARPed) that our development
>> > team uses to access several customers via IPsec VPN tunnels. But this
>> > morning we have received a request from one of these customers to access
>> > our development servers using only one ACL to permit their public IP
>> > address (without using IPsec VPN or SSL VPN tunnels).
>> >
>> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
>> > for example, or another type of attack that permits faking the source
>> > public IP address) in this scenario?
>> 
>> For an attacker with no access to endpoints or network in between:
>> 
>> - For many protocols including UDP, it is absolutely trivial to send
>> traffic from a fake source address.
>
> But only a SYN can be sent, right? The attacker's source IP address will
> not receive the ACK, etc. Is that correct? If so, they can only do a DoS
> attack; they can't steal information, right?
> 
>> - With TCP it depends on various things but sometimes you can predict
>> enough of the IP stack behaviour to spoof blindly and send data.
>> reassemble tcp + random-id can help.

They won't get any responses, but if an attacker can predict some of
what's in the packets (port numbers, sequence numbers etc), they can
send a bunch of packets that *might* match. If they get lucky and hit
on a correct one, they can handshake and transmit, obviously not
receive data directly on that connection, but sending might be enough
to do damage.

>> If an attacker can MITM (either by getting $client to send to their
>> machine instead of yours directly), they can obviously log or modify
>> packets before forwarding on to the real server. It depends what
>> you're running over it as to whether this is a problem.
>> 
>
> Uhmmm ... but in this case, I don't see how an attacker can fake the original
> public source IP address ... Any theoretical example?

If they have access to a machine that the packets pass through, or a
machine that they can be made to pass through (e.g. by DNS manipulation,
or if they're on an unprotected layer-2 network with a real router ARP
attacks etc might work) they can just inspect/modify the packets as
they're passing.

Even if it's just a router that doesn't let them do much with the
packets directly, they might still be able to forward them over a GRE
tunnel or similar to a machine where they can do this.

There are enough ISPs and colos around that don't do BCP38 (i.e. don't
check source addresses) that there won't be too much difficulty
re-forwarding packets with the original sender IP address.

> Many thanks Stuart for your help.

tl;dr: if VPN isn't suitable, make sure comms are protected by some
other method that includes at least strong authentication and protects
messages against being modified - e.g. modern SSH, TLS or equivalent -
and be careful with certificates (test to make sure that you'll notice
an unexpected change).



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote:
> On 25.01.2017 15:42, C. L. Martinez wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez  wrote:
> >>> Hi all,
> >>>
> >>> I have received a (maybe) "stupid" request from one of our customers.
> >>> We have a pair of public OpenBSD firewalls (CARPed) that our development
> >>> team uses to access several customers via IPsec VPN tunnels. But this
> >>> morning we have received a request from one of these customers to access
> >>> our development servers using only one ACL to permit their public IP
> >>> address (without using IPsec VPN or SSL VPN tunnels).
> >>>
> >>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >>> for example, or another type of attack that permits faking the source
> >>> public IP address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> > 
> > But only a SYN can be sent, right? The attacker's source IP address will
> > not receive the ACK, etc. Is that correct? If so, they can only do a DoS
> > attack; they can't steal information, right?
> > 
> 
> UDP and many other protocols are connectionless, so there is no such
> thing as SYN/ACK. You basically just send your data packet and hope it
> somehow gets to its destination.
> 
> https://en.wikipedia.org/wiki/User_Datagram_Protocol

Yep, sorry. My mistake. I am referring to TCP connections ...

> 
> >>
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> >>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly), they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> > 
> > Uhmmm ... but in this case, I don't see how an attacker can fake the
> > original public source IP address ... Any theoretical example?
> > 
> > Many thanks Stuart for your help.
> > 
> > 
> 
> In an MITM scenario, the sent data packets actually flow _through_ the
> MITM's machine before they are forwarded to your machine. No need to
> fake the original source address, as it won't be changed. Think of the
> MITM's machine as a simple router interconnecting your and the $client's
> WAN.
> 
> https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see
how you can accomplish this. For example: the public source IP address is
1.1.1.1, the destination public IP address is 2.2.2.2 and the attacker's public
IP address is 3.3.3.3. To establish communications between these three
elements, there are several routers between them to route packets. What I
don't see is how, when the attacker sends packets to 2.2.2.2 using the source
public IP address 1.1.1.1, the routers between all elements return these
packets to the attacker (which has the 3.3.3.3 IP address).

Sorry for my "basic" knowledge in these fields :)


-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread Daniel Gillen
On 25.01.2017 15:42, C. L. Martinez wrote:
> On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
>> On 2017-01-25, C. L. Martinez  wrote:
>>> Hi all,
>>>
>>> I have received a (maybe) "stupid" request from one of our customers.
>>> We have a pair of public OpenBSD firewalls (CARPed) that our development
>>> team uses to access several customers via IPsec VPN tunnels. But this
>>> morning we have received a request from one of these customers to access
>>> our development servers using only one ACL to permit their public IP
>>> address (without using IPsec VPN or SSL VPN tunnels).
>>>
>>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
>>> for example, or another type of attack that permits faking the source
>>> public IP address) in this scenario?
>>
>> For an attacker with no access to endpoints or network in between:
>>
>> - For many protocols including UDP, it is absolutely trivial to send
>> traffic from a fake source address.
> 
> But only a SYN can be sent, right? The attacker's source IP address will
> not receive the ACK, etc. Is that correct? If so, they can only do a DoS
> attack; they can't steal information, right?
> 

UDP and many other protocols are connectionless, so there is no such
thing as SYN/ACK. You basically just send your data packet and hope it
somehow gets to its destination.

https://en.wikipedia.org/wiki/User_Datagram_Protocol

>>
>> - With TCP it depends on various things but sometimes you can predict
>> enough of the IP stack behaviour to spoof blindly and send data.
>> reassemble tcp + random-id can help.
>>
>> If an attacker can MITM (either by getting $client to send to their
>> machine instead of yours directly), they can obviously log or modify
>> packets before forwarding on to the real server. It depends what
>> you're running over it as to whether this is a problem.
>>
> 
> Uhmmm ... but in this case, I don't see how an attacker can fake the original
> public source IP address ... Any theoretical example?
> 
> Many thanks Stuart for your help.
> 
> 

In an MITM scenario, the sent data packets actually flow _through_ the
MITM's machine before they are forwarded to your machine. No need to
fake the original source address, as it won't be changed. Think of the
MITM's machine as a simple router interconnecting your and the $client's
WAN.

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

-- 
Unix _IS_ user friendly - it's just
selective about who its friends are!



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez  wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers.
> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> > team uses to access several customers via IPsec VPN tunnels. But this
> > morning we have received a request from one of these customers to access
> > our development servers using only one ACL to permit their public IP
> > address (without using IPsec VPN or SSL VPN tunnels).
> >
> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> > for example, or another type of attack that permits faking the source
> > public IP address) in this scenario?
> 
> For an attacker with no access to endpoints or network in between:
> 
> - For many protocols including UDP, it is absolutely trivial to send
> traffic from a fake source address.

But only a SYN can be sent, right? The attacker's source IP address will not
receive the ACK, etc. Is that correct? If so, they can only do a DoS attack;
they can't steal information, right?

> 
> - With TCP it depends on various things but sometimes you can predict
> enough of the IP stack behaviour to spoof blindly and send data.
> reassemble tcp + random-id can help.
> 
> If an attacker can MITM (either by getting $client to send to their
> machine instead of yours directly), they can obviously log or modify
> packets before forwarding on to the real server. It depends what
> you're running over it as to whether this is a problem.
> 

Uhmmm ... but in this case, I don't see how an attacker can fake the original
public source IP address ... Any theoretical example?

Many thanks Stuart for your help.


-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread Stuart Henderson
On 2017-01-25, C. L. Martinez  wrote:
> Hi all,
>
> I have received a (maybe) "stupid" request from one of our customers.
> We have a pair of public OpenBSD firewalls (CARPed) that our development
> team uses to access several customers via IPsec VPN tunnels. But this
> morning we have received a request from one of these customers to access
> our development servers using only one ACL to permit their public IP
> address (without using IPsec VPN or SSL VPN tunnels).
>
> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> for example, or another type of attack that permits faking the source
> public IP address) in this scenario?

For an attacker with no access to endpoints or network in between:

- For many protocols including UDP, it is absolutely trivial to send
traffic from a fake source address.

- With TCP it depends on various things but sometimes you can predict
enough of the IP stack behaviour to spoof blindly and send data.
reassemble tcp + random-id can help.

If an attacker can MITM (either by getting $client to send to their
machine instead of yours directly), they can obviously log or modify
packets before forwarding on to the real server. It depends what
you're running over it as to whether this is a problem.



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread Kapetanakis Giannis
On 25/01/17 11:08, C. L. Martinez wrote:
> Hi all,
> 
>  I have received a (maybe) "stupid" request from one of our customers. We
> have a pair of public OpenBSD firewalls (CARPed) that our development team
> uses to access several customers via IPsec VPN tunnels. But this morning we
> have received a request from one of these customers to access our
> development servers using only one ACL to permit their public IP address
> (without using IPsec VPN or SSL VPN tunnels).
> 
>  And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for
> example, or another type of attack that permits faking the source public IP
> address) in this scenario?
> 
> Many thanks.

I guess they want to avoid setting up the VPN...

Maybe you could use SSH tunneling with public/private keys and authpf for
dynamic pf rules to access the internal servers?
So essentially an SSH-VPN solution...
I don't know if this fits your setup.

Alternatively you could set the external ACL on the firewall and enhance the
authentication on the internal servers.

G
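To make the two defensive suggestions in this thread concrete (Stuart's "reassemble tcp + random-id" hardening against blind spoofing, and Giannis's SSH-key-plus-authpf access instead of a bare source-IP ACL), here is an OpenBSD pf.conf fragment. It is an added example, not configuration posted by anyone in the thread; the interface em0, the customer address 203.0.113.10 and the development server 192.0.2.20 are assumed placeholders from documentation ranges.

```pf
# --- /etc/pf.conf (assumed fragment, added example) ---
ext_if   = "em0"             # assumed: external interface
customer = "203.0.113.10"    # assumed: the customer's fixed public address
dev_srv  = "192.0.2.20"      # assumed: internal development server

# "reassemble tcp + random-id": normalise fragments, randomise the IP ID
# field and modulate TCP sequence numbers, so a blind spoofer cannot rely
# on a predictable counter to guess a matching packet.
set reassemble yes
match in all scrub (random-id reassemble tcp)

# Our half of BCP38: drop packets claiming one of our own addresses from
# outside, and packets whose source address would not be routed back out
# through the interface they arrived on.
antispoof quick for $ext_if
block in quick from urpf-failed

block all

# Only SSH from the customer's address reaches the firewall itself. The
# development server is not reachable by source address alone: the real
# authorisation is the SSH key, not the IP, which (as the thread notes)
# can be spoofed, hijacked via BGP, or sat behind a MITM router.
pass in on $ext_if proto tcp from $customer to ($ext_if) port 22

# authpf, used as the customer account's login shell, loads per-session
# rules into this anchor after successful authentication and removes
# them when the SSH session ends.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules (assumed, added example) ---
# Macros from pf.conf are not visible here, so they are repeated.
ext_if  = "em0"
dev_srv = "192.0.2.20"
# $user_ip is predefined by authpf as the address the user logged in
# from; the rule exists only while that authenticated session is open.
pass in on $ext_if proto tcp from $user_ip to $dev_srv port { 80, 443 }
```

The customer account needs /usr/sbin/authpf as its shell and key-only authentication in sshd; this does nothing against the on-path or BGP-hijack cases discussed above, which is why the thread's tl;dr is TLS/SSH with certificate checking rather than an IP ACL.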



How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
Hi all,

 I have received a (maybe) "stupid" request from one of our customers. We have 
a pair of public OpenBSD firewalls (CARPed) that our development team uses to 
access several customers via IPsec VPN tunnels. But this morning we have 
received a request from one of these customers to access our development 
servers using only one ACL to permit their public IP address (without using 
IPsec VPN or SSL VPN tunnels).

 And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for 
example, or another type of attack that permits faking the source public IP 
address) in this scenario?

Many thanks.

-- 
Greetings,
C. L. Martinez