INTERNET HOLES - ELIMINATING IP ADDRESS FORGERY
COPYRIGHT (C), 1996, MANAGEMENT ANALYTICS - ALL RIGHTS RESERVED
_________________________________________________________________
Series Introduction
The Internet is now the world's most popular network and it is full of
potential vulnerabilities. In this series of articles, we explore the
vulnerabilities of the Internet and what you can do to mitigate them.
An Introduction to IP Address Forgery
The Internet Protocol (IP) (RFC791) provides for two and only two
functions. It defines a datagram that can be routed through the
Internet, and it provides a means for fragmenting datagrams into
packets and reassembling packets into the original datagrams. To quote
from RFC791:
The internet protocol is specifically limited in scope to provide the
functions necessary to deliver a package of bits (an internet
datagram) from a source to a destination over an interconnected
system of networks. There are no mechanisms to augment end-to-end
data reliability, flow control, sequencing, or other services
commonly found in host-to-host protocols. The internet protocol
can capitalize on the services of its supporting networks to
provide various types and qualities of service.
Here's a description of an IP datagram, also from RFC791:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   \                                                               \
   \                                                               \
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Description of an IP Datagram
Note that the 4th line of the description calls for the Source Address
of the datagram. In the simplest form of IP address forgery, the
forger only needs to create a packet containing a false Source Address
and insert it into the Internet by writing it into the output device
used to send information to the rest of the Internet. For the
non-expert forger, there is a tool called iptest, which is part of the
free and publicly available ipfilter security package, that
automatically forges packets for the purpose of testing configurations
of routers and other IP security setups.
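To make the point concrete, here is an added example (not code from the original article) that decodes the fixed part of the header laid out in the diagram above and verifies the RFC 791 header checksum. The sample header bytes are constructed for this example, using addresses from the RFC 5737 documentation ranges; the checksum value was computed for exactly those bytes.

```python
import struct
import ipaddress

# Constructed sample header (not a capture): IHL 5, total length 84, ID 0x1c46,
# DF flag set, TTL 64, protocol 1 (ICMP), source 198.51.100.7, destination
# 203.0.113.9. The checksum 0xb81e is correct for these bytes.
SAMPLE_HEADER = bytes.fromhex("4500 0054 1c46 4000 4001 b81e c633 6407 cb00 7109")


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: the one's complement of the one's complement
    sum of all 16-bit words, taken with the checksum field itself zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the 20-byte fixed header from the RFC 791 diagram and report
    whether its checksum matches. Raises ValueError on malformed input."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(data) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    zeroed = bytearray(data[:ihl * 4])
    zeroed[10:12] = b"\x00\x00"              # checksum is computed over a zeroed field
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ip_checksum(bytes(zeroed)) == csum,
        "options": bytes(data[20:ihl * 4]),
    }


if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{name:16s} {value}")
```

Note that a matching checksum proves only that the header was not damaged in transit: whoever wrote the Source Address field also computed the checksum, so it says nothing about whether that address is genuine.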
The infrastructure of the Internet consists primarily of a set of
gateway computers and packet routers. These systems have multiple
hardware interfaces. They maintain routing tables to let them decide
which output interface to send a packet out on based on the input
interface that it came in on and the destination IP address specified
in the packet. When a forged packet arrives at an infrastructure
element, that element will faithfully route the packet toward the
destination address, exactly as it would a legitimate packet.
How Can IP Address Forgery Be Used?
At its root, IP address forgery is a method of deception, and thus it
can be used in much the same way as other forms of deception
[Dunnigan95]. More specifically, using Dunnigan and Nofi's
classification scheme, here are some quick ideas about how IP address
forgery might be used:
* Concealment: IP address forgery is commonly used to conceal the
identity of an attacker, especially when denial of services is the
goal of the attack.
* Camouflage: IP address forgery is used to make one site appear to
be another as a way to convince the victim, for example, that an
attack is from a University, when in fact it is from a competitor.
* False and Planted Information: IP address forgery can be used to
create the impression that a particular site is acting maliciously
in order to create friction or lead a defender to falsely accuse
an innocent third party.
* Ruses: IP address forgery can be used to support another activity
designed to gain the confidence of the defender. For example, a
salesperson for information security products could create IP
address forgeries in order to convince a client of the need for
their services.
* Displays: IP address forgery has been used in order to lead
defenders to believe that many sites are participating in an
attack when in fact only a small number of individuals are
responsible.
* Demonstrations: IP address forgery has been used to demonstrate a
potential for untraceable attacks as a way to convince defenders
not to try to catch attackers.
* Feints: IP address forgery can be used to try to fool an enemy
into believing that an attack is coming from outside or from a
particular direction, when the real attack is very different. This
is a way to misdirect the enemy into spending limited resources in
the wrong way.
* Lies: IP address forgery has been used to create a more convincing
lie that somebody known to the defender is communicating with them
about a particular matter.
* Insight: IP address forgery can be used to gain insight into how
an opponent reacts and as a sort of probe to determine what sorts
of responses are likely to arise.
 
Another way to view this issue is in terms of the net effect on
information in information systems. Here is that view, with an
example from each category.
* Corruption of Information: IP addresses are often used as the
basis for Internet control decisions. For example, DNS updates are
often designated as coming only from specific other servers. With
IP address forgery, the entire DNS system could be corrupted,
causing services to be rerouted through enemy servers.
* Denial of Services: The Internet is basically a fragile network
that depends on the proper behavior and good will of the
participants for its proper operation. Without wide-ranging
changes to the way the Internet works, denial of services is
almost impossible to prevent. For example, the same DNS attack
could be used to cause widespread denial of services, or perhaps
even to create loops in the packet delivery mechanisms of the
Internet backbone.
* Leakage of Information: Forged IP addresses can be used to cause a
host to take orders for the delivery of information to enemy sites
by forging authorization as if it were from a legitimate
authorizing site.
* Misplaced Liability: Forged IP addresses could be used, as
described above under False and Planted Information, to cause
defenders to assert claims against innocent bystanders and to lay
blame at the wrong feet.
These are only some of the examples of what forged IP addresses can
do. Without a lot of effort, many other examples can be created.
What Can We Do About It?
As individuals, there is little we can do to eliminate all IP address
forgery, but as a community, we can be very effective. Here's how.
Instead of having all infrastructure elements route all packets, each
infrastructure element could, and should, enforce a simple rule. They
should only route packets from sources that could legitimately come
from the interface the packet arrives on.
This may sound complicated, but it really isn't. In fact, the
technology to do this is already in place, and always has been.
Virtually every router and gateway in existence today allows for the
filtering of packets based on their input interface and IP source and
destination address. This is a necessary component of their operation
and is the basis for the way they route all packets.
The only change that has to be made is for these routers and gateways
to enforce the network structure that is legitimately in place. Or in
other words, the routers and gateways should refuse to route
ridiculous packets. Here are some of the simpler examples of known bad
packets:
* The IP address 127.0.0.1 is ONLY used for internal routing of
packets from a host to itself. There is no legitimate IP datagram
that should pass through a router or gateway with this as the
source address. In fact, routing these packets is dangerous
because they may be used to forge packets from the localhost, which
often has special privileges. A recent attack that causes denial
of services involves sending a packet to a host's echo port with
127.0.0.1 as its source address and the echo port as its source
port. The echo port causes whatever packet it is sent to be
returned to its source. Since the source address is the same port
on the same host, this packet creates an infinite loop which, in
many cases, disables the computer.
* The IP address 0.0.0.0 is not legitimate - full stop. In fact,
there's really no legitimate IP address that should traverse
gateways containing a 0 for one of the address elements.
Unfortunately, many routers use the '.0.' convention in their
filtering tables to indicate any address from 0 to 255 (the whole
range), so blocking these packets may be non-trivial in some
infrastructure elements.
* The IP specification includes provisions for private subnetworks
that are designated for internal use only. There is no legitimate
reason to route packets from these addresses anywhere in the
general Internet infrastructure. (RFC1597) These address ranges
include 10.*.*.*, 172.16-32.*.*, and 192.168.*.* (where *
indicates any value from 0 through 255). No packets should be
routed through the Internet with these addresses as either their
source or their destination.
The next step in eliminating IP address forgery is for the routers and
gateways at each type of infrastructure element to enforce standards
on each interface. Generally, the Internet is broken up into Backbone
providers that provide wide area packet transport services, Private
Networks which are owned and operated by companies, institutions,
government agencies, and other parties for their own purposes, and
Internet Service Providers (ISPs) that provide connections between
the backbone elements and private networks (sometimes including other
ISPs). These roles can be blurred at times, but they are adequate for
our purposes.
* Private Networks: Each private network should:
+ 1) prevent all of the known-bad packets from crossing into or
out of the organization,
+ 2) prevent packets with internal source addresses from
passing inward,
+ 3) prevent packets with external source addresses from
passing outward,
+ 4) prevent packets with external destination addresses from
passing inward, and
+ 5) prevent packets with internal destination addresses from
passing outward.
* ISPs: Each ISP should:
+ 1) prevent all of the known-bad packets from crossing into or
out of their infrastructure,
+ 2) prevent any packet inbound from any of their clients with
a source address not from that client's assigned address
range from passing from the client network,
+ 3) prevent any packets with a destination address not in
their client's address range from passing to the client
network,
+ 4) prevent any packet not from this ISP's legitimate address
range from entering the backbone, and
+ 5) prevent any packets originating from the backbone and not
destined for one of their legitimate IP addresses from
entering their network.
Two additional rules will assist the ISP's clients:
+ 6) prevent inbound traffic from the client with the client's
address as a destination, and
+ 7) prevent outbound traffic to the client with the client's
address claimed to be the source.
* Backbone Networks: Each backbone provider should:
+ 1) prevent all of the known-bad packets from crossing into or
out of their infrastructure,
+ 2) prevent packets originating from any ISP with source
addresses not in that ISP's range of legitimate source
addresses from entering the backbone,
+ 3) prevent any packets not destined for an ISP's address
range from entering that ISP,
+ 4) prevent any packets from any other backbone provider that
could not be properly routed through that provider from
entering their backbone, and
+ 5) prevent any packets from going to any other backbone
provider unless they could legitimately be routed through
that provider to reach their destination.
For backbones, this requires some effort, however the high volume of
information they carry certainly justifies a little effort for
protection.
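The private-network rules 1 through 5 and the ISP client-link rules 2, 3, 6 and 7 above are all instances of one check on a packet crossing the boundary of an address block. The following is an added example (not the article's own code or configuration) that applies that check, parameterised by the block, so the same function serves a private network's range and a client's range as seen from its ISP. The known-bad list follows the article; the sample traffic, addresses outside the article's 204.7.229.* network, and the log line format are constructed for this example.

```python
import ipaddress

# Known-bad ranges from the article: loopback, the all-zero network and the
# RFC 1597/1918 private blocks (172.16.0.0/12 spans 172.16.x.x to 172.31.x.x).
KNOWN_BAD = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def boundary_filter(block, entering, src, dst):
    """Decide whether one packet may cross the boundary of the address block
    `block` (a private network's range, or a client's range seen by its ISP).
    entering=True means the packet comes from the rest of the Internet toward
    the block; entering=False means it is leaving the block.
    Returns ("accept", None) or ("drop", reason)."""
    block = ipaddress.ip_network(block)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1 (every network type): known-bad addresses never cross, either way.
    for bad in KNOWN_BAD:
        if src in bad or dst in bad:
            return "drop", f"known-bad address in {bad}"
    if entering:
        if src in block:        # private rule 2 / ISP rule 7: our own source from outside
            return "drop", "internal source arriving from outside (forged)"
        if dst not in block:    # private rule 4 / ISP rule 3: foreign destination inward
            return "drop", "external destination passing inward"
    else:
        if src not in block:    # private rule 3 / ISP rule 2: only our sources may leave
            return "drop", "external source leaving the block (forged)"
        if dst in block:        # private rule 5 / ISP rule 6: our own destination outward
            return "drop", "internal destination passing outward"
    return "accept", None


def apply_to_log(block, lines):
    """Run the filter over constructed log lines 'in|out <src> <dst>'."""
    verdicts = []
    for line in lines:
        direction, src, dst = line.split()
        verdicts.append(boundary_filter(block, direction == "in", src, dst))
    return verdicts


if __name__ == "__main__":
    # Constructed traffic at the boundary of the article's all.net class C.
    sample = ["in 198.51.100.7 204.7.229.5",    # ordinary inbound packet
              "in 204.7.229.5 204.7.229.9",     # our address arriving from outside
              "out 204.7.229.5 198.51.100.7",   # ordinary outbound packet
              "out 10.1.2.3 198.51.100.7",      # known-bad source
              "out 198.51.100.7 203.0.113.1"]   # external source trying to leave
    for line, verdict in zip(sample, apply_to_log("204.7.229.0/24", sample)):
        print(f"{line:32s} -> {verdict}")
```

The same function applied with entering=False to a client's range (for example 123.7.0.0/16 from the ISP example below) yields ISP rule 2: a packet from the client link whose source lies outside that range is dropped.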
Some Examples
As an aid to the less technically inclined, the following examples
provide some real-world implementation details.
This set of rules applies to a private network (in this case, the
all.net class C network 204.7.229.*) and is written in the format of
the Morningstar PPP (point-to-point protocol) filter file:
# Rule 1 for private networks
# prevent known-bad address ranges from entering (or leaving)
!172.16-32.0.0 # private network segment
!192.168.0.0 # private network segment
!10.0.0.0 # private network segment
!127.0.0.0 # localhost network
# Rule 2 for private networks
# prevent internal source address packets from passing inward
!recv/src/204.7.229.0 # prevent inbound from our network
# Rule 5 for private networks
# prevent internal destination addresses from passing outward
# Note that rule 5 is placed here because the filters are order dependent
!send/dst/204.7.229.0 # prevent our destinations from passing out
# Rule 3 for private networks
# prevent external source address packets from passing outward
send/src/204.7.229.0 # allow legitimate outbound sources
!send/src/0.0.0.0 # prevent illegitimate outbound sources
# Rule 4 for private networks
# prevent external destinations from passing inward
recv/dst/204.7.229.0 # allow legitimate inbound destinations
!recv/dst/0.0.0.0 # prevent illegitimate inbound destinations
The next set of rules applies to an ISP. In this case, we assume that
the ISP has control over three class B networks that it uses to sell
services to its clients. The class B networks used in this example
have IP addresses of 123.7.*.*, 231.6.*.*, and 201.96.*.*. In this
case, we have three different parts of the example:
This is the router connecting the ISP to the backbone, presented in
the format of a Cisco router with interface 0 connected to the
backbone and interface 1 connected to the ISP's internal network. It
implements rules 1, 4, and 5 for the ISP.
# Rule 1 for an ISP
# prevent all of the known-bad address ranges
# this should be done on all in and out connections