IP Spoofing question..

Christopher Wagner chrisw at pacaids.com
Mon Sep 30 17:13:23 PDT 2002


I will look into this..  Sonic is indeed my ISP, I don't think we have a
problem of our private address going out, but maybe incoming, hmm..

Our edge router and internal router are the same.  It's one of those
all-in-one Netopia things.  It works, albeit quite slow, but functional.
(Transferring data between subnets maxes at about 300-400 kb/sec with the
Netopia's cpu maxed)  It's good for low-speed VPNs (ie: over DSL and
dial-up)

Thank you very much.

- Christopher Wagner
chrisw at pacaids.com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116


-----Original Message-----
From: error [mailto:error at sonic.net]
Sent: Monday, September 30, 2002 4:41 PM
To: talk at nblug.org
Subject: Re: IP Spoofing question..


> Question:
> If I allow a range of IPs on my internal network to access the server on
> certain ports (and allow relaying from only those IPs or subnets), is
> there any way for someone to spoof an internal IP address from the outside
> network and gain relaying privileges on my mail server?  And am I doing
> something wrong?
>

You should filter all (rfc 1918) private ip space on your edge router.
Then your internal router could route your private ip space between
hosts.

How are you doing auth for your smtp server?
I would have each user pop before smtp at least.

I also suggest:

Assuming you have syncookies in your kernel:

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Also source address verification:

echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

Really the way that you're going to get false IP traffic is when people
are not filtered upstream.

I believe that sonic does filtering for each customer (a sanity check if
you will) so that private address space and impossible address space do
not leave their network segments.

So if I want to spoof traffic, sonic has to think those addresses are real
world addresses that are valid to be passed on.

You should check to see if your isp will filter this for you before it
even gets to your firewall. You should still filter it in case they mess
up, as that would be safer.

I would also check into limiting connections from a single host at a
time. I have been doing extensive research into denial of service of
mail/web/ftp servers by creating a slow moving connection and then
creating a ton of those types of connections. Eventually you will make
the server daemon or the server use up its resources.

If you want to know more about it just ask.

Hope some of that helped.
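The advice in the reply above boils down to two mechanisms: an edge filter that refuses RFC 1918 and other impossible source addresses on the Internet-facing interface (with a reverse-path check on the LAN side, which is what rp_filter does in the kernel), and a per-host cap on concurrent connections against the slow-connection resource exhaustion mentioned at the end. The following is an added example, not code from the original thread or from either poster; it models both on a single all-in-one router like the one described, using an assumed 192.168.1.0/24 LAN, an assumed ISP-assigned public block 203.0.113.0/29 (constructed, TEST-NET-3), and a relay policy that trusts internal source IPs only after the edge filter has passed the packet. The `iface` argument is the interface the packet entered the router on.

```python
import ipaddress
from collections import Counter

# RFC 1918 private space, kept separate from the other never-valid public
# source ranges ("impossible address space" in the post) so the two cases
# can be distinguished in the verdict.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
               "224.0.0.0/4", "240.0.0.0/4")]

# Assumed (constructed) addressing for the example site: one LAN prefix
# behind the router and a small public block assigned by the ISP.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/29")
RELAY_NETS = [INSIDE_NET]            # the only sources allowed to relay mail


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def edge_verdict(iface, src):
    """Decide what the router does with a packet whose source is `src`,
    arriving on `iface` ('outside' = ISP link, 'inside' = LAN).
    Returns 'accept' or 'drop:<reason>'."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, BOGON_NETS):
        return "drop:bogon-source"
    if iface == "outside":
        # Ingress: nothing private may come in from the Internet, and nobody
        # outside may claim one of our own public addresses either.
        if _in_any(ip, PRIVATE_NETS):
            return "drop:private-source-from-outside"
        if ip in PUBLIC_NET:
            return "drop:own-prefix-from-outside"
        return "accept"
    if iface == "inside":
        # Reverse-path check (the rp_filter idea): the LAN interface may only
        # originate packets whose source would be routed back out that way.
        if ip not in INSIDE_NET:
            return "drop:not-routable-back-via-inside"
        return "accept"
    raise ValueError(f"unknown interface {iface!r}")


def relay_allowed(iface, src):
    """Relay decision that trusts the source IP only after the edge filter
    has accepted the packet.  A forged 192.168.1.x source arriving on the
    outside interface is dropped before this check ever sees it."""
    if edge_verdict(iface, src) != "accept":
        return False
    return _in_any(ipaddress.ip_address(src), RELAY_NETS)


class ConnectionCap:
    """Per-source cap on concurrent connections: many slow connections from
    one host stop at the cap instead of exhausting the daemon."""

    def __init__(self, per_host):
        self.per_host = per_host
        self.active = Counter()

    def open(self, src):
        """Admit a new connection from src; False once the cap is reached."""
        if self.active[src] >= self.per_host:
            return False
        self.active[src] += 1
        return True

    def close(self, src):
        if self.active[src] > 0:
            self.active[src] -= 1


if __name__ == "__main__":
    for iface, src in (("outside", "192.168.1.20"), ("outside", "198.51.100.7"),
                       ("inside", "192.168.1.20"), ("inside", "10.9.9.9")):
        print(f"{iface:8} {src:15} edge={edge_verdict(iface, src):35} "
              f"relay={relay_allowed(iface, src)}")
    cap = ConnectionCap(per_host=2)
    print([cap.open("198.51.100.7") for _ in range(3)])   # third attempt refused
```

The point the filter makes concrete is that source-IP-based relay rules are only as good as the ingress filter in front of them: the same 192.168.1.20 is accepted for relay when it arrives on the LAN side and rejected when it arrives from the ISP link, and the "own prefix from outside" rule covers the case where the mail server listens on a public address rather than a private one.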


