Linux - Security
I am sometimes getting some attempts from people to hack into our company network (or what seems like it). So far, my IPS has prevented this and warned me that they are trying to spoof their IP address.
When I have a look at the logs, I see that someone is trying to pretend to be our perimeter router (with our external address) and is trying to use this method to gain access to the computers inside our network.
I was wondering if anyone knows how to trace a spoofed IP packet to its real source. My thoughts are that you would have to sniff packets and watch which routers it is coming through... but I'm wondering if anyone has a good method, good tools or good ideas to help me track down these people.
I think contacting your ISP and working with them to identify the source is probably the best option. I don't think you'll get much out of sniffing packets, as you'll really only be able to see up to a hop away (probably your ISP's upstream router). So any MACs that you sniff will be from the router. If the attacker were within a hop it would be useful, but that's probably unlikely. Looking at the TTL of the packets can probably rule out whether that's true or not (though that's forgeable also).
That being said, you should definitely have some form of spoofing protection on your perimeter firewall. You absolutely need to filter packets coming into the external interface with forged internal IPs. You'll never see these for legitimate reasons and they should be dropped outright (possibly logged) as well.
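The ingress filter described in the post above (drop anything arriving on the external interface whose source claims to be our own router or an internal host, and log it), plus the matching egress check on our own edge, as an added example that is not from the thread. The prefixes, the 203.0.113.10 perimeter address and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed site topology; these prefixes/addresses are assumptions, not from the thread.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]
EXTERNAL_ADDR = ipaddress.ip_address("203.0.113.10")  # perimeter router's public address (TEST-NET-3)
# Sources that never legitimately arrive from the Internet (RFC 1918 and other bogons).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)

def ingress_verdict(src: str) -> str:
    """Verdict for a packet arriving on the external interface from the ISP side."""
    s = ipaddress.ip_address(src)
    if s == EXTERNAL_ADDR or _in_any(s, INTERNAL_NETS):
        return "DROP:spoofed-own-address"      # exactly the case described in the thread
    if _in_any(s, BOGONS):
        return "DROP:bogon-source"
    return "ACCEPT"

def egress_verdict(src: str) -> str:
    """Verdict for a packet leaving via the external interface (BCP 38 on our own edge)."""
    s = ipaddress.ip_address(src)
    if s == EXTERNAL_ADDR or _in_any(s, INTERNAL_NETS):
        return "ACCEPT"                        # pre- or post-NAT source belongs to us
    return "DROP:source-not-ours"              # our hosts must not emit forged sources either

def filter_ingress(packets: Iterable[Tuple[str, str, str]]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Apply ingress_verdict to (src, dst, proto) tuples; every drop yields a syslog-style line."""
    accepted, log = [], []
    for src, dst, proto in packets:
        verdict = ingress_verdict(src)
        if verdict == "ACCEPT":
            accepted.append((src, dst, proto))
        else:
            log.append(f"ANTISPOOF {verdict} IN=ext SRC={src} DST={dst} PROTO={proto}")
    return accepted, log

# Constructed sample traffic seen on the external interface.
SAMPLE = [
    ("203.0.113.10", "10.20.1.5", "TCP"),      # forged: claims to be our own perimeter router
    ("192.168.50.7", "10.20.1.5", "UDP"),      # forged: internal source arriving from outside
    ("198.51.100.23", "203.0.113.10", "TCP"),  # ordinary Internet client
    ("172.16.9.9", "203.0.113.10", "ICMP"),    # RFC 1918 bogon
]
```

Running `filter_ingress(SAMPLE)` accepts only the 198.51.100.23 packet and returns three log lines for the forged ones, which is the record you would grep when the IPS reports a spoofing attempt.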
Yes, I forgot about the MAC address being that of the last hop.
The Perimeter Intrusion Prevention System does silently block IP spoofing and has so far done a good job of it...and all dropped packets are logged (syslog) so I can look up the logs if anything suspicious is happening.
Actually, on the subject of IPS, I'm setting up a FreeBSD box to serve web pages to an internal network, and I was wondering if some people could give some tips and tricks on setting up a secure multi-layered IPS with good logging.
I know about snort_inline... is this a good first step?
Have you seen any portscans, protocol mapping, traceroutes?
If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle. Enforce security restrictions to make other employees aware of the risks of using the company's passwords on the web, etc.
If you're using a company's webmail, use SSL. Never use pop3, imap, plain http, telnet, ftp, etc.
With ping, hping, traceroute, tcptraceroute and some patience you may try to figure which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.
Why hasn't your ISP filtered the spoofed source in the first place?
Or were they cracked?
Deny any incoming ICMP redirects, router advertisements and solicitations. Is your route to your ISP static?
If it is, then tighten your firewall to only accept routing related traffic from this IP only.
Quote:
If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle.
The source IP is their external address, so unless the attacker is doing some kind of source route fscking then the replies aren't going back out through an intermediate router. Plus likelihood of a backbone router being compromised is not very good (assuming it's non-cisco ^_^).
Quote:
With ping, hping, traceroute, tcptraceroute and some patience you may try to figure which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.
Again if the source is yours, then it won't show you much except how far you are from your own perimeter router with the IP they're forging. Even if it was remote IPs, verifying that the number of reply hops corresponds to the incoming packets' TTL is going to be problematic at best (think people with proxies that re-write TTLs for legitimate reasons) or just chance that the reply takes a different path with +/- 1 hop. Something like tcpcookies would help, but only for a large number of spoofed connection attempts.
Quote:
Why hasn't your ISP filtered the spoofed source in the first place?
Or were they cracked?
Most don't. That's why spoofing is still a common occurrence on the internet. Even obviously forged packets like smurf/fraggle still work.
Last edited by Capt_Caveman; 08-05-2005 at 01:48 AM.
Quote:
Originally posted by Capt_Caveman
If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle.
The source IP is their external address, so unless the attacker is doing some kind of source route fscking then the replies aren't going back out through an intermediate router.
Yeah, I was just talking about the possibly spoofed addresses in the case there were traceroutes, portscans, etc. I bet they tried these first.
Quote:
Plus likelihood of a backbone router being compromised is not very good (assuming it's non-cisco ^_^).
There are routers in many many places. Also, if the router shares an Ethernet segment, some sniffing + spoofing (+ perhaps some ARP poisoning) could make the trick. Note that it isn't even necessary to compromise one if the victim's routing table may be touched.
Maybe the only other way to trace a spoofed IP over the internet would be to have a widely spread zombie network that could packet capture on different parts of the internet and 'report back to base' as it were - and this isn't so uncommon.
And I guess that would require you to do some hacking of your own. Maybe even write a small IRC bot in assembly like Steve Gibson did too... that would glean information on any planned attacks or some script kiddie bloating.
Quote:
Originally posted by socceroos
Maybe the only other way to trace a spoofed IP over the internet would be to have a widely spread zombie network that could packet capture on different parts of the internet and 'report back to base' as it were - and this isn't so uncommon.
A network of zombies to protect us from other zombies? No, thanks...
Currently, there's Carnivore and Echelon "to protect and to serve"
Quote:
And I guess that would require you to do some hacking of your own. Maybe even write a small IRC bot in assembly like Steve Gibson did too... that would glean information on any planned attacks or some script kiddie bloating.
Steve Gibson's wishes are inversely proportional to his real skills.
Maybe raw sockets + assembly is too much for him.