LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-04-2005, 06:40 PM   #1
socceroos
Tracing Spoofed IP Address


Hello Everyone,

This is my first thread on this forum!

I am sometimes getting some attempts from people to hack into our company network (or what seems like it). So far, my IPS has prevented this and warned me that they are trying to spoof their IP address.

When I have a look at the logs, I see that someone is trying to pretend to be our perimeter router (with our external address) and is trying to use this method to gain access to the computers inside our network.

I was wondering if anyone knows how to trace a spoofed IP packet to its real source. My thoughts are that you would have to sniff packets and watch which routers it is coming through... but I'm wondering if anyone has a good method, good tools or good ideas to help me track down these people.

Thank you
 
Old 08-04-2005, 09:38 PM   #2
Capt_Caveman
Welcome to LQ.

I think contacting your ISP and working with them to identify the source is probably the best option. I don't think you'll get much out of sniffing packets, as you'll really only be able to see up to a hop away (probably your ISP's upstream router). So any MACs that you sniff will be from the router. If the attacker were within a hop it would be useful, but that's probably unlikely. Looking at the TTL of the packets can probably rule out whether that's true or not (though that's forgeable also).

That being said, you should definitely have some form of spoofing protection on your perimeter firewall. You absolutely need to filter packets coming into the external interface with forged internal IPs. You'll never see these for legitimate reasons and they should be dropped outright (possibly logged) as well.
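As an added example (not code from this thread or any of its posters), the two checks described in the reply above, written as plain Python over constructed firewall records: the ingress anti-spoofing filter that drops packets arriving on the external interface with our own router address or an internal source, and the TTL hop-distance sanity check, including why it is only a heuristic. The interface name, router address and internal range are assumptions for the example; a real firewall would apply the same logic in its ruleset rather than in a script.

```python
import ipaddress

# All values below are constructed for this example, not taken from the thread.
EXTERNAL_IF = "ext0"                                      # internet-facing interface
OUR_EXTERNAL_ADDR = ipaddress.ip_address("203.0.113.10")  # assumed perimeter router address
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed inside range
# Sources that have no business arriving from the internet side at all.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def classify_ingress(iface, src):
    """Return None if the packet may pass, else a short drop reason.

    Only traffic entering on the external interface is judged: a source that
    claims to be our own router or an inside host cannot legitimately arrive
    from the internet, so it is dropped (and logged) rather than traced."""
    if iface != EXTERNAL_IF:
        return None
    src_ip = ipaddress.ip_address(src)
    if src_ip == OUR_EXTERNAL_ADDR:
        return "spoofed-own-external-address"
    if any(src_ip in net for net in INTERNAL_NETS):
        return "spoofed-internal-source"
    if any(src_ip in net for net in MARTIANS):
        return "martian-source"
    return None


COMMON_INITIAL_TTLS = (64, 128, 255)  # defaults most IP stacks start from


def hops_from_ttl(ttl):
    """Guess how many routers the packet crossed by assuming the smallest common
    initial TTL at or above the observed value. Only a heuristic: the sender
    picks the initial TTL, so a forged packet can carry any value."""
    if not 0 <= ttl <= 255:
        return None
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def ttl_plausible(ttl, traced_hops, slack=1):
    """Compare the TTL-derived distance with a traceroute hop count to the
    claimed source; the slack absorbs asymmetric return paths (+/- 1 hop)."""
    estimated = hops_from_ttl(ttl)
    return estimated is not None and abs(estimated - traced_hops) <= slack


# Constructed firewall records: (interface, source, destination, ttl)
SAMPLE_PACKETS = [
    ("ext0", "203.0.113.10", "192.168.1.20", 62),   # pretends to be our router
    ("ext0", "192.168.1.5", "192.168.1.20", 120),   # inside address from outside
    ("ext0", "10.9.8.7", "192.168.1.20", 250),      # RFC 1918 source from the internet
    ("ext0", "198.51.100.77", "192.168.1.20", 52),  # ordinary remote host
    ("int0", "192.168.1.5", "198.51.100.77", 64),   # inside host going out: not judged
]


def audit(packets):
    """Run the ingress check over a batch of records; returns (src, verdict) pairs."""
    return [(src, classify_ingress(iface, src)) for iface, src, _dst, _ttl in packets]


if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_PACKETS):
        print(f"{src:15} -> {verdict or 'pass'}")
    # TTL 52 with 12 traced hops is consistent with an initial TTL of 64.
    print("ttl 52 vs 12 hops plausible:", ttl_plausible(52, 12))
```

The ingress check is the one that actually protects the network: it needs no knowledge of the attacker, only of which addresses can never legitimately appear on the outside interface. The TTL comparison is shown mainly to make the reply's caveat concrete: it assumes the sender used a default initial TTL, and anything that rewrites or sets the TTL deliberately defeats it.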
 
Old 08-04-2005, 10:04 PM   #3
socceroos (Original Poster)
Thank you, that was explained very well.

Yes, I forgot about the MAC address being that of the last hop.

The Perimeter Intrusion Prevention System does silently block IP spoofing and has so far done a good job of it...and all dropped packets are logged (syslog) so I can look up the logs if anything suspicious is happening.

Actually, on the subject of IPS, I'm setting up a FreeBSD box to serve web pages to an internal network, and I was wondering if some people could give some tips and tricks on setting up a secure multi-layered IPS with good logging.

I know about snort_inline... is this a good first step?
 
Old 08-05-2005, 01:03 AM   #4
primo
Have you seen any portscans, protocol mapping, traceroutes?

If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle. Enforce security restrictions to make other employees aware of the risks of using the company's passwords on the web, etc.
If you're using a company's webmail, use SSL. Never use pop3, imap, plain http, telnet, ftp, etc.

With ping, hping, traceroute, tcptraceroute and some patience you may try to figure out which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.

Why hasn't your ISP filtered the spoofed source in the first place?
Or were they cracked?

Deny any incoming ICMP redirects, router advertisements and solicitations. Is your route to your ISP static?
If it is, then tighten your firewall to only accept routing related traffic from this IP.
 
Old 08-05-2005, 01:44 AM   #5
Capt_Caveman
Quote:
Originally posted by primo
If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle.
The source IP is their external address, so unless the attacker is doing some kind of source route fscking then the replies aren't going back out through an intermediate router. Plus the likelihood of a backbone router being compromised is not very good (assuming it's non-cisco ^_^).

Quote:
Originally posted by primo
With ping, hping, traceroute, tcptraceroute and some patience you may try to figure out which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.
Again, if the source is yours, then it won't show you much except how far you are from your own perimeter router with the IP they're forging. Even if it was remote IPs, verifying that the number of reply hops corresponds to the incoming packet's TTL is going to be problematic at best (think people with proxies that re-write TTLs for legitimate reasons) or just chance that the reply takes a different path with +/- 1 hop. Something like tcpcookies would help, but only for a large number of spoofed connection attempts.

Quote:
Originally posted by primo
Why hasn't your ISP filtered the spoofed source in the first place?
Or were they cracked?
Most don't. That's why spoofing is still a common occurrence on the internet. Even obviously forged packets like smurf/fraggle still work.

Last edited by Capt_Caveman; 08-05-2005 at 01:48 AM.
 
Old 08-05-2005, 02:50 AM   #6
primo
Quote:
Originally posted by Capt_Caveman
If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle.
The source IP is their external address, so unless the attacker is doing some kind of source route fscking then the replies aren't going back out through an intermediate router.
Yeah, I was just talking about the possibly spoofed addresses in the case there were traceroutes, portscans, etc... I bet they tried these first.

Quote:
Plus likelihood of a backbone router being compromised is not very good (assuming it's non-cisco ^_^).
There are routers in many, many places. Also, if the router shares an Ethernet segment, some sniffing + spoofing (+ perhaps some ARP poisoning) could do the trick. Note that it isn't even necessary to compromise one if the victim's routing table may be touched.
 
Old 08-07-2005, 06:28 PM   #7
socceroos (Original Poster)
Maybe the only other way to trace a spoofed IP over the internet would be to have a widely spread zombie network that could packet capture on different parts of the internet and 'report back to base' as it were - and this isn't so uncommon.

And I guess that would require you to do some hacking of your own. Maybe even write a small IRC bot in assembly like Steve Gibson did too... that would glean information on any planned attacks or some script kiddie bloating.
 
Old 08-07-2005, 07:13 PM   #8
primo
Quote:
Originally posted by socceroos
Maybe the only other way to trace a spoofed IP over the internet would be to have a widely spread zombie network that could packet capture on different parts of the internet and 'report back to base' as it were - and this isn't so uncommon.
A network of zombies to protect us from other zombies? No, thanks...
Currently, there's Carnivore and Echelon "to protect and to serve".

Quote:
And I guess that would require you to do some hacking of your own. Maybe even write a small IRC bot in assembly like Steve Gibson did too... that would glean information on any planned attacks or some script kiddie bloating.
Steve Gibson's wishes are inversely proportional to his real skills.
Maybe raw sockets + assembly is too much for him.

http://grcsucks.com/

Last edited by primo; 08-07-2005 at 07:22 PM.
 
Old 08-07-2005, 09:41 PM   #9
socceroos (Original Poster)
Ah, I see. I won't go there then.
 
Old 08-08-2005, 01:45 PM   #10
primo
Really, ISPs may do a better job. They have the infrastructure. There exists the information