IP Spoofing question..

error error at sonic.net
Mon Sep 30 16:40:36 PDT 2002


> Question:
> If I allow a range of IPs on my internal network to access the server on
> certain ports (and allow relaying from only those IPs or subnets), is there
> any way for someone to spoof an internal IP address from the outside network
> and gain relaying privileges on my mail server?  And am I doing something
> wrong?
>

You should filter all (RFC 1918) private IP space on your edge router.
Then your internal router could route your private IP space between
hosts.

How are you doing auth for your SMTP server?
I would have each user POP before SMTP at least.

I also suggest:

Assuming you have syncookies in your kernel:

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Also source address verification:

echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

Really the way that you're going to get false IP traffic is when people
are not filtered upstream.

I believe that sonic does filtering for each customer (a sanity check if
you will) so that private address space and impossible address space do
not leave their network segments.

So if I want to spoof traffic, sonic has to think those addresses are real
world addresses that are valid to be passed on.

You should check to see if your ISP will filter this for you before it
even gets to your firewall. You should still filter it in case they mess
up, as that would be safer.

I would also check into limiting connections from a single host at a
time. I have been doing extensive research into denial of service of
mail/web/ftp servers by creating a slow moving connection and then
creating a ton of those types of connections. Eventually you will make
the server daemon or the server use up its resources.

If you want to know more about it just ask.

Hope some of that helped.
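An added example, not part of the original post, that turns the reply's advice (drop RFC 1918 sources arriving from outside, enable syncookies and rp_filter) into a reviewable script. It assumes a Linux host using iptables, and that the Internet-facing interface name is passed as the first argument; the rules are printed rather than applied.

```sh
#!/bin/sh
# Constructed example: anti-spoofing ingress filter plus the two kernel knobs.
# Assumed: Linux, iptables present, $1 = Internet-facing interface (e.g. eth0).

# RFC 1918 private ranges plus loopback: none of these can legitimately
# arrive on the outside interface, so a packet claiming one is spoofed.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Print one DROP rule per private source network, for traffic to this host
# (INPUT) and for traffic being routed through it (FORWARD).
edge_ingress_rules() {
    wan_if="$1"
    for net in $PRIVATE_NETS; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$wan_if" "$net"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$wan_if" "$net"
    done
}

# The two echo commands from the reply, in /etc/sysctl.conf form so the
# settings survive a reboot.
kernel_hardening_conf() {
    printf 'net.ipv4.tcp_syncookies = 1\n'
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
}

# Succeed only when the /proc knob exists and already holds the wanted value.
proc_knob_is() {
    knob="$1"; want="$2"
    [ -r "$knob" ] || return 1
    [ "$(cat "$knob")" = "$want" ]
}

# Print how many of the two knobs are currently enabled (0, 1 or 2).
count_enabled_knobs() {
    n=0
    proc_knob_is /proc/sys/net/ipv4/tcp_syncookies 1 && n=$((n + 1))
    proc_knob_is /proc/sys/net/ipv4/conf/all/rp_filter 1 && n=$((n + 1))
    echo "$n"
}

# Only emit output when an interface name is given on the command line.
if [ "${1:-}" ]; then
    edge_ingress_rules "$1"
    kernel_hardening_conf
    echo "# kernel knobs already enabled: $(count_enabled_knobs) of 2"
fi
```

Review the printed rules, then run them as root; rp_filter alone will not help a host with asymmetric routing, which is why the explicit interface-based DROP rules are kept as well.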