[Dshield] routing 192.168...?

Stephane Grobety security at admin.fulgan.com
Tue May 3 15:17:51 GMT 2005

Hello Dom,

Unfortunately, it's not as simple as you picture it. At least, it
wasn't in my case.

First, the attack was a DNS bounce. That means that the packets must
all be valid except for the source IP. And that source IP needs to be
set to the IP of the final victim. So, link in a SYN flood, the only
thing that gives away the fact that you're under attack if by looking
at the number of packets.

Second, the guy who wrote the attack script wasn't half an idiot
(well, he was a moral idiot, but that's something else): the attack
pattern wouldn't saturate MY link: he used several DNS servers for his
task so tracing the traffic through the network of the provider wasn't
easily done.

Third, the TTL didn't say much: I knew the attacker was likely to be
about 15 hops away and as you know, 15 hops is a loooong way on the
net. But in fact, since the TTL is written in the IP header as well
and since this attack required this header to be changed as well, the
attacker could very well be a single hop away and simply fake his TTL.

No, tracing spoofed source isn't easy.

Good luck,

Tuesday, May 3, 2005, 1:24:39 AM, you wrote:

DDV> It is actually easier to do trace spoofed traffic than you think.

DDV> If there is lots of it, like at attack, it will show up in netflow/cflowd
DDV> Records, giving away which routers the traffic passed through, and which
DDV> Interfaces.

DDV> Cisco's 'Cisco Express Forwarding' permits tracing the flow of packets, you
DDV> can in effect say, which interface does the next packet come in
DDV> on, and where did I send it.

DDV> The TTL, if not specifically set by the attacker, is a good indication of
DDV> source.  As each OS uses a known TTL, you can second-guess that a TTL of 100
DDV> at the receiver was originally 128 when sent.

DDV> As for getting neighbour ISPs to do something - if it's a transit link, the
DDV> ISP can tell the provider to stop sending them 192.168 crap - which
DDV> otherwise the ISP would pay for.  For peering relationships, which are
DDV> usually (but not always) symbiotic, if the ISP threatens to drop the peering
DDV> link "because you send me too much junk", the peer will tend to fix the
DDV> problem.

DDV> Dom
DDV> Dom De Vitto CISSP, dom at devitto.com

DDV> -----Original Message-----
DDV> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
DDV> On Behalf Of Stephane Grobety
DDV> Sent: 02 May 2005 15:02
DDV> To: General DShield Discussion List
DDV> Subject: Re[2]: [Dshield] routing 192.168...?

DDV> Hello Daniel,

DDV> IPs with private source addresses are only blocked by ISP's that do
DDV> some form of egress filtering and even then, it's not always the case
DDV> and most often only at the periphery.

DDV> It's a shame really: that kind of filtering would really cut down the
DDV> nuisance capacity of machines inside the ISP's own network but, on the
DDV> other hand, it's not really a sales argument, it costs money. So few
DDV> are doing it and far from enough for filtering to be really effective.

DDV> You can check the TTL by looking at the raw IP headers (for instance,
DDV> with etehreal). But it won't tell you much as you'll only have the
DDV> final value, not the initial one, and therefore cannot know the exact
DDV> number of hops.

DDV> The best would be to setup your router to drop all packets with a
DDV> private IP in the source field that hits the external interface. if
DDV> that's not possible, then I'm afraid you'll have to live with it:
DDV> tracing spoofed traffic is next to impossible. Trust me, I know: for 8
DDV> month, some Dutch idiot tried to use my DNS server as a traffic
DDV> amplifier by sending it requests for the root with a spoofed IP
DDV> address (the actual victim). I was unable to trace the traffic and my
DDV> ISP refused to even persue it (I can't blame them, really: in order to
DDV> do that, you have to follow the phisical path of the packets to know
DDV> what gateway they come from and then ask the next party to do the same
DDV> until you reach the source).

DDV> Good luck,
DDV> Stephane

DDV> Monday, May 2, 2005, 6:09:56 AM, you wrote:

DC>> Hi Chris,

DC>> I know that the source is not use for routing but I thought that private

DC>> addresses are suppose to be block by ISPs.
DC>> Not mandatory but, they should. After all an ISP could use that address 
DC>> on their own private network ?
DC>> How can I check the TTL ?  It append 28 times today. For me the source 
DC>> become that private address, no routing possible.
DC>> My fisrt line is a router/firewall, everything is block, I then have 
DC>> ZoneAlarm  in every machine.

Best regards,
 Stephane                            mailto:security at admin.fulgan.com

More information about the list mailing list