SPOOFING SOURCE ADDRESSES

by Rik Farrow <rik@spirit.com>

How lying helps in Internet attacks, and what you can do about it.

Networks rely on the truth. Without accurate information, networks work poorly, if at all. But there are those who use lies to deceive networks and the systems attached to those networks. These lies can take many forms, and must be carefully crafted if they are to work at all.

Source address spoofing means lying about a packet's return address. Attackers have used the technique for many years, and the distributed denial of service attacks launched against commercial servers in February 2000 often relied on it. Other attacks can take advantage of source address spoofing as well, but most of them should no longer succeed against current systems. SNMP is the notable exception.

Still, source address spoofing is often misunderstood, and it remains a cause for concern. You can become a victim of source address spoofing, or, more likely, the source of an attack based on it, unless you understand how it works and take measures to prevent it.

Local and Remote

An attacker uses source address spoofing for two reasons: to gain access to some resource restricted to requests from specific source addresses, or to hide the source of an attack. Although relying on source addresses to protect services is not a good idea, software that attends to the source of requests is still common. SNMP, for example, a security disaster in its own right, is often "protected" by configuring the agents on network devices or systems to accept requests only from specific source addresses. The UNIX 'r' commands, the Network File System, Server Message Block, and TCP wrappers all include the source address (or the system name, in the case of NFS) in their access control checks.

These services are especially vulnerable to local attacks when the network is not switched. Switched networks make sniffing difficult (if not impossible without control of the switch), and sniffing contributes to the success of these attacks. Take SNMP as an example. Suppose that SNMP agents have been configured to respond to requests for information, or to requests that change variables, only when the request comes from the management station at 10.2.2.98. With a tool that writes its own IP headers through a raw socket, an attacker can easily forge a request that claims to come from 10.2.2.98 and send it to the agent of his choice. (Ordinary netcat will not do this: it uses normal sockets, so the kernel only lets it send from an address the host actually owns.)

When the agent responds, it sends the response back to 10.2.2.98. The real manager ignores the response, since it does not correspond to any outstanding request, so the attacker must sniff the response off the network for the attack to succeed. Even without sniffing, the attack may still succeed, because variables can be changed (an SNMP set) without ever seeing the reply. Or, if the attacker shares a subnet with the manager, ARP spoofing (answering ARP requests for the manager's address, or sending unsolicited ARP replies, so that the agent or the router maps 10.2.2.98 to the attacker's Ethernet address) can be used to masquerade as the owner of the manager's IP address and receive the replies directly.

Remote attacks that seek access via source address spoofing must also have some way of seeing the return packets. Keep in mind that when a remote attacker spoofs a source address belonging to some other network, the responses are routed to that other network, and the attacker never receives them. Of course, the attacker might be able to sniff somewhere along the route to that network. This requires breaking into systems located within ISPs or other intermediate networks, and it has been done.

Source Route

Another old trick that may still work involves source routing. Source routing is an IP option, used today mainly by network managers to check connectivity. Normally, when an IP packet leaves your system, its path through the intervening networks is controlled by the routers and their current configuration. Source routing provides a means of overriding the routers. Strict source routing means that you specify the complete path, every router, to the destination. Loose source routing lets you specify addresses the packet must pass through on its way, leaving the routers to fill in the path between them. In both cases a host that receives a source-routed packet is expected to reverse the recorded route when it replies, so the responses come back the same way. It is loose source routing that is of use to an attacker.

A remote attacker might seek to reach a UNIX system protected with TCP wrappers, or an NT IIS server protected by an access list based on source addresses. If the attacker simply spoofs one of the permitted source addresses, the attacker never sees a response. But if the attacker both spoofs the address and sets the loose source routing option with an address on the attacker's own network as a waypoint, the replies are routed back through that waypoint, and the attack can succeed.

The simplest defense against loose source routing is not to permit these packets to enter (or leave) your network. While source routing can be useful within your own network for management purposes, its only use between your network and networks you do not control is by an attacker. Just about any firewall blocks packets carrying source routing options by default. You can configure routers to drop source-routed packets as well, TCP wrappers includes an option to refuse connections that arrive with source routing, and many UNIX operating systems can be told to discard source-routed packets outright.
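The check a packet filter performs to implement the defense above, as an added example for this column (not code from the original article): walk the IPv4 option list and drop anything carrying a loose or strict source-route option, or an option list that does not parse. The option type numbers are those assigned in RFC 791; the sample packets are constructed here, with the header checksum left at zero since the filter does not validate it.

```python
"""Recognize IPv4 packets that carry a source-route option so that a
packet filter can drop them at the network border.

Added example for this column, not code from the original article.
Option type numbers are from RFC 791; the sample packets below are
constructed here and the header checksum is left zero (a real filter
would validate it separately)."""
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # padding
IPOPT_RR = 7      # record route (harmless; used here as a non-routing example)
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def ip_options(packet):
    """Return a list of (type, data) tuples for the options in the IPv4 header.

    Raises ValueError on a malformed header; a filter should drop such packets
    rather than guess at what the options contain."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def is_source_routed(packet):
    """True if the packet carries an LSRR or SSRR option."""
    return any(kind in (IPOPT_LSRR, IPOPT_SSRR) for kind, _ in ip_options(packet))


def source_route_hops(packet):
    """Dotted-quad addresses listed in the route option, in order (empty if none)."""
    for kind, data in ip_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = data[1:]  # data[0] is the pointer into the address list
            return [".".join(str(b) for b in addrs[j:j + 4])
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
    return []


def border_verdict(packet):
    """Filter decision: drop source-routed and malformed packets, accept the rest."""
    try:
        return "drop" if is_source_routed(packet) else "accept"
    except ValueError:
        return "drop"


def sample_packet(options=b""):
    """Constructed IPv4 header (+ 4 payload bytes) carrying the given options, padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + 4,
                         1, 0, 64, 6, 0, bytes([198, 51, 100, 10]), bytes([192, 0, 2, 5]))
    return header + options + b"\x00" * 4


# Constructed LSRR option: type 131, length 11, pointer 4, then two waypoints.
LSRR_EXAMPLE = bytes([IPOPT_LSRR, 11, 4, 203, 0, 113, 1, 198, 51, 100, 99])
```

Note that the filter refuses a packet whose option list is malformed as readily as one that is source-routed: an attacker who cannot get a source route past the filter may try a bad length byte to push the parser into skipping the option, and "drop on parse error" closes that door.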

An attacker might also try what is called "blind spoofing". Here the attacker again seeks access to a system "protected" by checking source addresses, but does not need to see the responses for the attack to succeed. The best-known instance of this attack was launched against Tsutomu Shimomura on Christmas Day 1994. Shimomura, a security specialist, was relying on source-address-based trust between his UNIX systems. The attacker first flooded the trusted host's listening port with connection requests so that it could not answer (otherwise it would have received the target's unexpected SYN-ACK and reset the forged connection), then sent a connection request spoofed from the trusted host, guessed the sequence number the target used in its reply, and completed the TCP handshake blind. That was enough to send commands that changed the configuration of the targeted system.

Sequence number attacks have become much less likely since operating system vendors changed the way initial sequence numbers are generated. The old way was to increase the initial sequence number by a fixed amount per connection and per unit of time, so an attacker who had seen one initial sequence number could compute the next. Newer mechanisms add a value derived from a per-host secret and the connection's addresses and ports, as described in RFC 1948, or otherwise randomize the initial sequence number (with some constraints on the "random" value so that TCP still behaves correctly). Although some vendors have made mistakes in their implementations (Microsoft and Linux both shipped somewhat predictable initial sequence numbers in recent versions), attackers can no longer rely on guessing initial sequence numbers.
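To make the difference concrete, here is an added example (not code from the original article) that simulates the blind-spoofing arithmetic against two initial sequence number generators: the old constant-increment scheme and an RFC 1948 style hashed scheme. The increments, the 4 microsecond clock, the secret and the hosts are illustrative values chosen here, in the spirit of the BSD generators rather than a copy of any particular one.

```python
"""Why blind spoofing worked against early TCP stacks and why RFC 1948 style
initial sequence numbers (ISNs) stop it.

Added example for this column, not code from the original article. The
increments, the 4 microsecond clock, the secret and the hosts are all
illustrative values chosen here."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


class IncrementingIsn:
    """Old scheme: the ISN grows by a fixed amount per second and per connection."""
    PER_SECOND = 128000
    PER_CONNECTION = 64000

    def __init__(self, base=0):
        self.base = base
        self.connections = 0

    def isn(self, now, src, sport, dst, dport):
        # The 4-tuple is ignored: every connection draws from the same counter,
        # so one observed ISN reveals the state of the generator.
        value = (self.base + self.PER_SECOND * now
                 + self.PER_CONNECTION * self.connections) & MASK32
        self.connections += 1
        return value


class HashedIsn:
    """RFC 1948 scheme: ISN = M(t) + F(src, sport, dst, dport, secret)."""
    PER_SECOND = 250000  # a 4 microsecond clock, as in RFC 1948

    def __init__(self, secret):
        self.secret = secret  # per-host secret, never sent on the wire

    def isn(self, now, src, sport, dst, dport):
        tup = ("%s:%d:%s:%d" % (src, sport, dst, dport)).encode()
        digest = hashlib.md5(tup + self.secret).digest()  # MD5, as in the RFC's example
        offset = struct.unpack("!I", digest[:4])[0]
        # Same tuple, same offset: the ISN still advances with the clock, so
        # old duplicates are handled; different tuple, unrelated offset.
        return (self.PER_SECOND * now + offset) & MASK32


def predict_next(observed, elapsed, connections_between):
    """Attacker's guess under the old scheme: advance the ISN he saw by the
    elapsed time and the number of connections the server has opened since."""
    return (observed + IncrementingIsn.PER_SECOND * elapsed
            + IncrementingIsn.PER_CONNECTION * connections_between) & MASK32


def blind_spoof_attempt(generator, attacker="203.0.113.7",
                        trusted="10.2.2.98", target="10.2.2.1"):
    """Probe the target from the attacker's own address at t=10, then predict the
    ISN the target will use at t=12 for a connection the attacker has spoofed
    from the trusted host. Returns (guess, actual); a match means the attacker
    can finish the handshake without ever seeing the SYN-ACK."""
    probe = generator.isn(10, target, 514, attacker, 40000)
    # One connection (the probe itself) has been opened since the value seen.
    guess = predict_next(probe, elapsed=2, connections_between=1)
    actual = generator.isn(12, target, 514, trusted, 1023)
    return guess, actual


if __name__ == "__main__":
    print("incrementing:", blind_spoof_attempt(IncrementingIsn(base=1000)))
    print("hashed:      ", blind_spoof_attempt(HashedIsn(b"constructed per-host secret")))
```

Against the incrementing generator the guess is exact; against the hashed one the attacker's probe tells him the offset for his own 4-tuple, which says nothing about the offset for the trusted host's 4-tuple, so the guess is off by an unknown 32-bit amount. This is also why Shimomura's attacker needed a probe connection just before the spoofed one.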

Using the source address as a means of authorizing a network request is still not considered safe. The 'r' commands can be replaced with SSH, NFS can be used with stronger authentication, and SMB has stronger authentication in every version beyond Windows for Workgroups. But SNMP versions one and two rely on a cleartext community string, typically backed by a list of permitted source addresses, and that is inadequate. While you can block SNMP at the borders of your networks, you remain vulnerable to SNMP-based scanning and attacks on your internal networks until SNMP v3 has been implemented by your vendors and installed.

Hiding the Source

Besides abusing the source address as a phony authenticator, attackers also spoof source addresses in attacks where the reply packets do not matter. Any network-based denial of service attack fits this description, as the denial of service comes from the packets reaching their destination, not from the response. (Smurf attacks are the exception: there the spoofed source is the victim, and the flood of replies to it is the attack.)

In a denial of service attack it makes even more sense for the attacker to spoof the source address; otherwise the replies come back to the attacker, who may wind up flooding his or her own network. Spoofing also makes tracing the attack much harder, because the packets carry no usable return address and must be traced hop by hop, across each network and subnet, back to the source.

Source address spoofing requires root access on UNIX systems. The attacker must be root so that the attack software can open a "raw" network socket. Most applications use "cooked" sockets, where the IP stack supplies the necessary headers. With a raw socket, the application must prepare the headers itself, that is, do its own "cooking". That is exactly what an attacker wants, as it lets the attack software put whatever it likes in the headers, including a spoofed source address. Note that Windows NT also supports raw sockets, so this is not just a UNIX issue.
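What "doing its own cooking" looks like, as an added example for this column (not code from the original article): the program builds the IPv4 and UDP headers byte by byte, computes the checksums over the forged source address, and only then hands the datagram to the kernel through a raw socket with IP_HDRINCL. This is the machinery behind the spoofed SNMP request described earlier; the addresses are the column's 10.2.2.98 manager and a made-up agent at 10.2.2.1, the payload is a placeholder rather than a real SNMP message, and sending (which needs root) is kept in its own function so the builders can be exercised without privilege.

```python
"""The "cooking" a raw-socket application has to do: build an IPv4/UDP
datagram with a forged source address.

Added example for this column, not code from the original article. The
agent address 10.2.2.1 and the payload are made up; 10.2.2.98 is the
column's SNMP manager. send_raw() needs root (or CAP_NET_RAW)."""
import socket
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_UDP, ident=0x1234, ttl=64):
    """20-byte IPv4 header. src is whatever we say it is: nothing here checks it."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]


def build_udp(src, dst, sport, dport, payload):
    """UDP header + payload; the checksum covers a pseudo-header with the (forged) source."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_UDP, length)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = inet_checksum(pseudo + udp) or 0xFFFF  # 0 means "no checksum" in UDP
    return udp[:6] + struct.pack("!H", csum) + udp[8:]


def spoofed_datagram(fake_src, dst, sport, dport, payload):
    """Complete IP datagram claiming to come from fake_src."""
    udp = build_udp(fake_src, dst, sport, dport, payload)
    return build_ipv4_header(fake_src, dst, len(udp)) + udp


def source_address(packet):
    return socket.inet_ntoa(packet[12:16])


def udp_dest_port(packet):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]


def checksums_ok(packet):
    """Recomputing a correct checksum over the covered bytes gives zero."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_UDP, len(udp))
    return inet_checksum(packet[:ihl]) == 0 and inet_checksum(pseudo + udp) == 0


def send_raw(packet):
    """Hand the finished datagram to the kernel unchanged. Requires root; not run in tests."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # we supply the IP header
    try:
        s.sendto(packet, (socket.inet_ntoa(packet[16:20]), 0))
    finally:
        s.close()


if __name__ == "__main__":
    pkt = spoofed_datagram("10.2.2.98", "10.2.2.1", 40000, 161, b"\x30\x00")
    print(source_address(pkt), udp_dest_port(pkt), checksums_ok(pkt))
```

Nothing in the kernel path compares the source field against the host's own addresses once IP_HDRINCL is set, which is the whole point of the root requirement; the border filters described later are what stand between this datagram and the agent.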

Denial of service attacks using source address spoofing became popular during 1997, and RFC 2267 was written in response. RFC 2267 (mentioned as a countermeasure in the March 2000 Network Defense column) recommends that ISPs practice ingress filtering: at the point where a customer's traffic enters the ISP, drop any packet whose source address is not within the address range assigned to that customer. In practice, this has proven difficult.

One problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, many complain that adding packet filtering will reduce the performance of their networking equipment. While this was true in the past, it is less true today. In the early nineties, adding packet filtering to a Cisco router could cut throughput by as much as 70%. Today, routers have better designs, and it is possible on some routers to block packets with spoofed source addresses with no effect on throughput.

For example, Cisco Express Forwarding (CEF) is an advanced IP switching technology designed for high-performance layer 3 IP backbone switching. Once CEF is enabled (ip cef in global configuration mode), you can turn on the reverse-path check on an interface by entering

ip verify unicast reverse-path

in interface configuration mode. A router (or a layer 3 switch) bases its forwarding decision on the destination address and the routing table. Using the same lookup, the router can examine the source address and check whether the packet arrived on the interface the router itself would use to reach that source. If it did not, the source address must be spoofed, unless asymmetric routes are in use. Asymmetric routing means that traffic from a network arrives over a different path from the one this router would use to send traffic back to it; this happens, for example, when there are redundant connections to that network and the two directions take different links. If asymmetric routing is not in use, enabling this check (strict mode) blocks every packet whose source address is spoofed. Later IOS releases also offer a loose mode (ip verify unicast source reachable-via any), which only requires that some route to the source exist; it tolerates asymmetry but catches only source addresses that are not routed at all.

Linux and BSD kernels have offered a similar facility for several years. If you use a Linux or BSD system as a router or terminal server, you can make it drop packets with spoofed source addresses merely by setting a kernel parameter. On the Linux kernels current at the time of writing, writing '2' to each rp_filter entry in the /proc file system (/proc/sys/net/ipv4/conf/*/rp_filter) enables the reverse-path check. On later kernels (2.6.31 and newer) the same entries take '1' for the strict check and '2' for the loose one, so check the ip-sysctl documentation for the kernel you run. The entries are also reachable through sysctl as net.ipv4.conf.<interface>.rp_filter.

Terminal servers can also block packets with spoofed source addresses. Some do so by default. Others can do it through an access control list applied to the Ethernet connection from the terminal server (rather than to each incoming modem port). Reports posted to Bugtraq stated that there was no performance loss at all; CPU usage did increase, but remained well below 50%.

And, of course, block packets with obviously spoofed source addresses from entering your own networks. Most firewalls do this by default. If you use packet filters, drop packets arriving on the external interface whose source address is one of your own internal addresses, a private network address (RFC 1918: 10/8, 172.16/12, 192.168/16), or the loopback address (127/8). The mirror-image rule belongs on the same interface in the outbound direction: nothing should leave your network with a source address that is not yours.
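The two checks from the last few paragraphs together, as an added example for this column (not code from the original article, and not Cisco's or Linux's implementation): the reverse-path check behind ip verify unicast reverse-path and rp_filter, in both strict and loose form, plus the static rules for addresses that should never arrive on the external interface, and the matching egress rule. The routing table, interface names and packets are constructed; eth2 is the interface facing the ISP. Cisco ignores the default route in this check unless told to allow it, and the allow_default parameter models that.

```python
"""Ingress checks a border router or filter can apply to the source address:
a reverse-path check (strict and loose) plus the static rules for
addresses that should never arrive from outside, and the egress rule.

Added example for this column, not code from the original article. The
routing table, interface names and packets are constructed; eth2 faces
the ISP."""
import ipaddress

# Constructed routing table: (prefix, outgoing interface).
ROUTES = [
    ("192.0.2.0/24", "eth0"),       # our LAN
    ("198.51.100.0/24", "eth1"),    # partner reachable over two equal-cost links
    ("198.51.100.0/24", "eth3"),
    ("203.0.113.0/24", "eth2"),     # another network; our best route is via the ISP
    ("0.0.0.0/0", "eth2"),          # default route to the ISP
]
EXTERNAL = "eth2"
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
                       "127.0.0.0/8")]                                    # loopback


def reverse_path(table, src, allow_default=True):
    """Interfaces the router would use to reach src (longest-prefix match;
    more than one means equal-cost paths). Empty set if no usable route."""
    addr = ipaddress.ip_address(src)
    best, ifaces = -1, set()
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net or (net.prefixlen == 0 and not allow_default):
            continue
        if net.prefixlen > best:
            best, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best:
            ifaces.add(iface)
    return ifaces


def urpf(table, src, ingress, strict=True, allow_default=True):
    """Strict: the packet must arrive on an interface the router would send to src over.
    Loose: it is enough that a route to src exists at all."""
    ifaces = reverse_path(table, src, allow_default)
    if not ifaces:
        return False
    return ingress in ifaces if strict else True


def ingress_verdict(table, src, ingress, strict=True, allow_default=True):
    """(verdict, reason) for a packet with source src arriving on interface ingress."""
    addr = ipaddress.ip_address(src)
    if ingress == EXTERNAL:
        if any(addr in n for n in NEVER_FROM_OUTSIDE):
            return "drop", "private or loopback source on external interface"
        if any(addr in n for n in OUR_PREFIXES):
            return "drop", "our own address arriving from outside"
    if not urpf(table, src, ingress, strict, allow_default):
        return "drop", "failed %s reverse-path check" % ("strict" if strict else "loose")
    return "accept", ""


def egress_verdict(src):
    """RFC 2267 at the source: nothing leaves toward the ISP with an address that is not ours."""
    addr = ipaddress.ip_address(src)
    return "accept" if any(addr in n for n in OUR_PREFIXES) else "drop"


if __name__ == "__main__":
    for src, iface in (("192.0.2.10", "eth0"), ("192.0.2.10", "eth2"),
                       ("10.2.2.98", "eth2"), ("203.0.113.9", "eth1")):
        print(src, iface, ingress_verdict(ROUTES, src, iface),
              ingress_verdict(ROUTES, src, iface, strict=False))
```

The 203.0.113.9 case is the asymmetric-routing failure mode from the CEF discussion: the packet is legitimate, but it arrives on eth1 while our route to that network points out eth2, so strict mode drops it and loose mode lets it through. The static rules catch what neither mode can on a stub network with a default route, where every address "has a route".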

Source address spoofing does not need to be a problem. Mechanisms for stopping it abound. It is a matter of taking the time to be a good Internet citizen, blocking these packets at the borders of your networks, and stopping lying packets at their source.

Resources:

Information about Cisco Express Forwarding (CEF or dCEF): http://www-search.cisco.com/univercd/cc/td/doc/product/software/ios112/ios112p/gsr/cef.htm

Wietse Venema's site, including information about TCP wrappers http://www.porcupine.org/

Some reports about configuring terminal servers and routers to block spoofed source addresses (Search the archives of Bugtraq): http://www.securityfocus.com/