[Dshield] Spoofing Source Address Verification XP

security@admin.fulgan.com security at admin.fulgan.com
Mon Nov 26 17:35:46 GMT 2001

>>The ability to spoof IP addresses has been there all along as long as
>>the pirate was willing to include his own library (for the record,

NR>     Oh?  My understanding was that until now, "Winblows" did not allow you 
NR> to construct your own TCP/IP packets, so therefore could not be used to 
NR> spoof IP addresses.

Wrong: you can implement your own packet driver and do as you wish.
Since there is no way in win9x to control who can install what, the
Trojan program can easily install the packet driver and use it.

>>winpcap is an open source device driver that will allow you both to
>>sniff all packets reaching the NICs

NR>     I see the winpcap homepage, but I had always thought that a key step in 
NR> sniffing was a hardware issue: having to set the NIC card to "promiscuous 
NR> mode" (sp?) in order for it to pass to the OS all packets it receives (as 
NR> opposed to just those addressed to it and dropping everything else).

Yes, so? WinPCap is a device driver. As such, it can very easily
change the NIC mode to promiscuous mode.

>>  In addition, one must add that win2k also had this
>>ability for quite some time.

NR>     One would hope that a corporate machine with win2k would have 
NR> sufficient protection to keep it from becoming a zombie, and that the high 
NR> price of W2K would keep it out of the hands of most script-kiddies.  (One 
NR> would *hope*, anyway.)

Well, Code Red proved to us that this isn't the case. Or rather: Corps
can protect themselves, but there are a LOT of non-corps using
winNT-based OS. Indeed, this is a sensible choice over win9x when it
comes to choosing a server OS. The problem is that this insight didn't
go as far as: 1/ checking what was installed against the list of what
is needed 2/ doing basic administrator homework like subscribing to the
proper mailing lists or visiting the update page once in a while (that
includes installing the patches for your OSs). But these are not
Windows problems, these are usage problems. (not saying windows has no
problem: the incredible number of buffer overflows proves that the IIS
programmers have little idea of what secure programming is).

>>No, hackers don't use spoofing, not because it's not available but
>>because it uses illegal packets which, as such, are easy to detect and
>>filter at the source with simple router rules, cutting the efficiency
>>of the attack.

NR>     Yes, but how many systems have been discussed on this very list that 
NR> _don't_ use "simple router rules"?

That's beside the point. DDOS uses a LARGE number of machines to attack
a single host. And in order to have the highest chance of success, you
should have as many hosts as possible. Now suppose you use a spoofed
address that carries through a large router that implements egress
filtering: chances are a high percentage of your packets will be
dropped for coming from the wrong interface: you've got a single
point of "failure". If you use "legit" addresses, then all of a sudden
you must track down each infected host.

NR> No internet router should carry 
NR>, but there are plenty that do.

Internal addresses are not the issue: you can use any address you like
in a spoofed packet. And indeed, if you were spoofing, you'd probably
randomly generate it.

NR> (I like that one guy who added 
NR> his company's assigned IP range to the list of packets to be dropped if 
NR> they're discovered coming in from the outside world--now that's thinking!)

>>1/ Any NAT device will solve the problem. (as long as it's not the
>>cause of the problem).

NR>     See previous comment.

It has nothing to do with the problem at hand: A NAT shouldn't (and
in fact won't) record an outgoing packet with a return address that is
not internal: it will be dropped.

>>2/ Almost all routers can be easily configured to perform egress
>>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).

NR>     See previous comment.

So ?? The question was: "What can I do to protect my local network?"
The answer is egress filtering. Now, if you don't want or don't know
how to implement it, that's a different problem.

>>3/ This is something that should be done on the first hop router. If
>>you're concerned enough by this problem to look for gateway
>>protection, you're very unlikely to be affected. Filtering on the
>>first hop router would allow the ISPs to immediately find dangerous
>>systems and shut them down.

NR>     See previous comment.

You're starting to repeat yourself, you know. So, instead of wasting
my energy on this one, I encourage you to re-read the questions and my

>>As for the consumer, there are a variety of gateway firewalls that will
>>detect that

NR> [snip]

>>Finally, for the standalone user, a local firewall/IDS can probably
>>detect outgoing spoofed packets. But again, if you have a local
>>firewall, you're not likely to have been hacked ;)

NR>     You just made my point for me: Windows is hard enough to keep secure 
NR> when you know what you're doing.

As is ANY operating system. And in fact, security is not handled that
way: you secure your gateways first and foremost. Then, if you worry
about internal security, then you implement IDS and security between
internal zones and finally you patch your servers against known
security threats.

NR> (If it weren't, we wouldn't have a 
NR> worm-of-the-week that can take over PowerPoint.)

PowerPoint != Windows
Besides, this has little to do with the problem: XP is, inherently, a
more secure environment than win9x EVER has been. Win2k is too but
win2k was never positioned as a consumer product.

NR> For the average user, who 
NR> knows nothing, it's just a matter of time before they get trojaned and 
NR> their machine becomes a zombie.  If my understanding is correct--that under 
NR> previous Windows versions you couldn't construct your own IP packets--that 
NR> means that floods could at least be traced back to zombie systems.  With 
NR> XP, they can't be.

Your understanding is wrong: you can build your own packets in win9x
as long as you can install a device driver. And guess what? There is
no way to prevent you from installing a device driver in windows 9x.
Another proof: many popular "quick DOSer" programs for windows created
packets with illegal headers, including the source IP address (Ping of
death or Smurf, for example).

WinNT doesn't allow just anyone to do that: only admins can. In
win2k/XP, it goes a step further: By default, you are warned when you
install a non-signed driver. While this is probably not enough to
stop a naive user from getting his machine hijacked, this is a step in
the right direction.

Good luck,
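
The egress rule discussed in this message, together with the inbound rule NR mentions (dropping packets from outside that claim the site's own range), as an added example that is not part of the original post. The prefix, interface names and packet records are constructed, and counting drops by access port rather than by source address is an assumption about how a first-hop router would locate the sending host.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the site's assigned range (documentation prefix).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def is_site_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)

def decide(iface, src):
    """Return 'forward' or 'drop' for a packet arriving on 'inside' or 'outside'."""
    if iface == "inside":
        # Egress rule: anything leaving the site must carry a site source address.
        return "forward" if is_site_address(src) else "drop"
    if iface == "outside":
        # Inbound rule: nothing arriving from outside may claim a site source address.
        return "drop" if is_site_address(src) else "forward"
    raise ValueError(f"unknown interface: {iface}")

def egress_drops_by_port(packets):
    """Count dropped outbound packets per access port (assumed to be known to the
    first-hop router); the forged source address says nothing about the sender."""
    drops = Counter()
    for iface, port, src, _dst in packets:
        if iface == "inside" and decide(iface, src) == "drop":
            drops[port] += 1
    return drops

# Constructed packet records: (interface, access port, source, destination).
PACKETS = [
    ("inside", "port3", "192.0.2.10", "198.51.100.7"),    # normal outbound traffic
    ("inside", "port5", "203.0.113.77", "198.51.100.7"),  # source outside the site range
    ("inside", "port5", "10.1.2.3", "198.51.100.7"),      # private source, also not ours
    ("inside", "port5", "192.0.2.44", "198.51.100.7"),    # forged but inside the prefix: passes
    ("outside", "uplink", "192.0.2.10", "192.0.2.20"),    # outside packet claiming our range
    ("outside", "uplink", "198.51.100.7", "192.0.2.10"),  # normal inbound traffic
]

if __name__ == "__main__":
    for iface, port, src, dst in PACKETS:
        print(f"{iface:8} {port:7} {src:15} -> {dst:15} {decide(iface, src)}")
    print("egress drops by port:", dict(egress_drops_by_port(PACKETS)))
```

The fourth record shows the limit of a prefix-based rule: a source forged inside the site's own range still passes the first-hop filter.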
