[Dshield] Spoofs

security@admin.fulgan.com security at admin.fulgan.com
Wed Nov 7 09:54:45 GMT 2001


JM> I've been seeing a major increase in ICMP unreachable packets using spoofed
JM> 10.x.x.x and 192.168.x.x source addresses hitting my firewall.

On, it's probably that someone on the outside is trying (and
succeeding) in trying to access service on your network that is
incompatible with NAT.

The process is the following: The client sits on a private network,
connected to a NAT device, the server is inside your network. The
protocol used is an old one that doe not support NAT because it uses,
when trying to connect back to the client, not the IP "from" field,
but some data from inside the data itself (For exemple, ICQ and
Exchange both use such scheme for different reasons). The client
connects, sends it's (private, non-routable) address to the server
witch tries to connect back. Since you've configured your router to
use you ISP's as default gateway and not filtered the private IP
ranges, the first hop router answers back with an "ICMP: network
unreachable" packet

My first suspect would be ICQ: If it's not configured to work in
"firewalled" mode, it will send a connection request to the central
server that will send the message to the target client and request it
to connect directly to the IP it received (the private IP number in
question).

In any case, you should try to catch the outgoing SYN packet: it will
tell you what protocol is concerned and you'll be able to act on that.

Good luck,
Stephane




More information about the list mailing list