can 127.0.0.1 be spoofed ?
Hi,
I've been searching the web on this argument but all it talks about is UDP. I have no doubt that a UDP packet can have a fake localhost source address. But what happens with TCP? I think a SYN packet can arrive with a fake localhost source address, but then the SYN ACK will be sent to localhost and never received by the attacker. Am I right? If I write a servlet that checks wether the remote address is 127.0.0.1, would it be vulnerable? |
Quote:
Rahul Khare. |
You're right about the ARP table observation, but IP spoofing can be done even without ARP poisoning.
|
Well, I can tell you this much at least: If I spoof a SYN packet with source IP 127.0.0.1 sending it from my laptop to my desktop via Wi-Fi, I can see the packet arrive at my desktop (using tcpdump). I can NOT, however, log the packet with Netfilter/iptables on the desktop for some reason. EDIT: I'll check if I can see the any ACK get generated on the desktop when I get back, gotta go out to take care of something. Will be back later today.
|
Okay I was able to look at this a bit more. I don't really have much new information to share, though. I can confirm that the spoofed packet (source address 127.0.0.1) isn't causing a SYN/ACK to be generated on the target machine. I checked the NIC and loopback on the target using tcpdump. The spoofed packet is clearly visible to tcpdump on the target machine, yet it doesn't show-up in the iptables logs. Can anyone shed some light as to what is happening to the spoofed packet? Why doesn't it reach Netfilter? Why doesn't it generate a SYN/ACK?
FWIW, the target machine I tested with is running Linux 2.6.22. Quote:
|
I'm not surprised. It appears that the IP layer is smart enough to realise that the packet is spoofed since obviously the localhost address shouldn't be received on eth0 or any interface other than lo. Maybe tcpdump is working on the ethernet layer so it sees the packet before it is discarded.
Anyway your reply shows that it is secure. If the SYN ACK hasn't been generated then the connection hasn't beene stablished and any following packets will be discarded. I was fearing that a potential attacker could send the SYN, ignore the never-received-SYN-ACK and finally send an ACK and a HTTP request. Since the connection hasn't been established, his attack won't work. I don't know how you tested it, but I don't want to learn. :D Thanks for your reply. |
Some internet searching showed me that your test fake packet was detected by the "reverse path filtering", a kernel feature that drops packets received on a wrong interface. It may be configured through some sysctl variables:
net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter Maybe that's the light you were asking for :). |
Quote:
BTW, I think I might as well post the tcpdump output (from the target machine) of my test. Throwing a single SYN packet at a Squid daemon: Using real source: Code:
12:43:30.818075 IP (tos 0x0, ttl 64, id 51213, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.100.2186 > 192.168.1.101.3128: S, cksum 0x3f3f (correct), 1779957662:1779957662(0) win 512 Code:
12:46:35.375545 IP (tos 0x0, ttl 64, id 49844, offset 0, flags [none], proto TCP (6), length 40) 127.0.0.1.1103 > 192.168.1.101.3128: S, cksum 0xabe8 (correct), 1607516672:1607516672(0) win 512 Throwing a single SYN packet at a port with nothing listening: Using real source: Code:
13:22:22.830001 IP (tos 0x0, ttl 64, id 23168, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.100.2073 > 192.168.1.101.666: S, cksum 0x50cb (correct), 256065977:256065977(0) win 512 Code:
13:25:37.088693 IP (tos 0x0, ttl 64, id 36207, offset 0, flags [none], proto TCP (6), length 40) 127.0.0.1.1602 > 192.168.1.101.666: S, cksum 0xfb25 (correct), 555859947:555859947(0) win 512 |
Alright, I took a look at the kernel sources.
Code:
net/ipv4/route.c:1769 By taking a look at the martian_source tag I see that the strange packet may be logged at warning level. However you may not see it in your kernel logs since it depends on many conditions, including kernel config. Now I feel more than safe that my servlet won't be called from the outside world. Thanks! |
Hi there. Just following up on this (sorry for the delay).
Based on your previous post, I enabled martian logging and re-tested. To enable martian logging I did a (on the target): Code:
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians This is what /var/log/syslog looks like upon packet arrival: Code:
Dec 8 20:18:12 labrat kernel: [ 2449.241998] martian source 192.168.1.101 from 127.0.0.1, on dev eth0 |
That's cool! You're right about win32, we'd never be able to find out our answers from the source in this way.
Thanks again. |
All times are GMT -5. The time now is 08:21 PM. |