Anti-Spoofing
Edgar Fuß
2011-08-31 15:08:59 UTC
I was thinking about how to catch spoofed datagrams that pretend to originate from my own address.

How does the kernel deal with datagrams arriving on the wire (or on a VLAN) that have my own IP as the originating IP?

On the other hand, how often will ipf see a datagram that I send to myself (or to the broadcast address)?
Would something like
pass out on IF from IP to IP keep state
pass out on IF from IP to BCAST keep state
block in on IF from IP to any
work?
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
i***@netbsd.org
2011-09-02 08:43:44 UTC
Post by Edgar Fuß
I was thinking about how to catch spoofed datagrams that pretend
to originate from my own address.
How does the kernel deal with datagrams arriving on the wire (or
on a VLAN) that have my own IP as the originating IP?
at the driver level and higher: in regular operation, it sees all multicast
and broadcast originating from itself. If the hardware is SIMPLEX, that is,
it can't hear itself, the driver emulates this in software (for known
protocols, like IP, that depend on this).

See <net/if.h>:

#define IFF_SIMPLEX 0x0800 /* can't hear own transmissions */

and lines in ethersubr, tokensubr, fddisubr, etc. that match

In your filter rules, you would at least need to add exceptions for
multicast packets.

Regards,
-is

Edgar Fuß
2011-09-05 15:44:08 UTC
EF> How does the kernel deal with datagrams arriving on the wire (or
EF> on a VLAN) that have my own IP as the originating IP?
I'm afraid this question was too basic for anyone caring to answer, but it's somewhat queer to try out. Will such a datagram be passed up the stack?

IS> at the driver level and higher: in regular operation, it sees all multicast
IS> and broadcast originating from itself.
Does it see them once (incoming) or twice (outgoing and incoming)?
If (as I presume) it sees them twice: will ``keep state'' work on them? I.e., if I ``pass out keep state'' and ``block in'' them, will they pass?

And what about unicast datagrams (from me to me)?

Edgar Fuß
2011-09-05 16:55:13 UTC
So to answer my own questions: At least on 3.1 (which was the easiest for me to test on):

1. The filter doesn't see unicast datagrams from me to me at all.
2. Both broadcast or multicast datagrams from me are seen twice by the filter.
3. It works to use ``keep state'' with them.

I still don't know what happens to fake packets from outside pretending to be sent ``by me''. I hope they will be seen by the filter. If that's indeed the case, the following should work:

pass out on IF from ME to BCAST keep state
pass out on IF from ME to 224.0.0.0/24 keep state
block in quick on IF from ME to any

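To show why the three findings above make ``keep state'' workable for that ruleset, here is an added Python model (not code from the thread or from ipf itself) that replays a filter with those three rules over constructed packets. ME, BCAST and the other addresses are assumed sample values; that ipf passes a packet when no rule matches is an assumption about its default, and the multicast rule is evaluated the same way as the broadcast one.

```python
from ipaddress import ip_address, ip_network
ME = "192.0.2.10"  # constructed sample address on IF (not from the thread)
BCAST = "192.0.2.255"  # constructed: directed broadcast of ME's /24

# The thread's ruleset as (action, direction, src, dst, keep_state, quick).
RULES = [
    ("pass", "out", ME, BCAST, True, False),
    ("pass", "out", ME, "224.0.0.0/24", True, False),
    ("block", "in", ME, "any", False, True),
]

def addr_match(spec, addr):  # 'any', a single address, or a CIDR network
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec)
    return ip_address(addr) == ip_address(spec)

class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # (src, dst) entries created by 'keep state'

    def decide(self, direction, src, dst):
        # Finding 1: unicast from ME to ME goes via loopback, never via IF.
        if src == ME and dst == ME:
            return "not seen"
        # State entries are checked before the rules, in both directions.
        if (src, dst) in self.state:
            return "pass"
        # Last match wins unless 'quick' ends the scan; no match => pass (assumed).
        winner = ("pass", False)
        for action, d, s, t, keep, quick in self.rules:
            if d == direction and addr_match(s, src) and addr_match(t, dst):
                winner = (action, keep)
                if quick:
                    break
        if winner == ("pass", True):
            self.state.add((src, dst))
        return winner[0]

def simulate():  # replay the thread's findings plus one forged packet
    f = Filter(RULES)
    return {
        "self_unicast": f.decide("out", ME, ME),
        "bcast_out": f.decide("out", ME, BCAST),
        "bcast_in_copy": f.decide("in", ME, BCAST),  # second copy, state hit
        "spoofed_in": Filter(RULES).decide("in", ME, "192.0.2.20"),  # no state
    }
```

In this simplified model state is keyed only on (src, dst), so a forged copy arriving while such an entry exists would also pass; state on a real ipf also carries protocol and port details, which the model omits.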
Ignatios Souvatzis
2011-09-07 06:22:14 UTC
Post by Edgar Fuß
1. The filter doesn't see unicast datagrams from me to me at all.
This might be because those are auto-routed via loopback, so they don't
really hit the driver, if I recall correctly.
Post by Edgar Fuß
2. Both broadcast or multicast datagrams from me are seen twice by the filter.
outgoing and incoming?
Post by Edgar Fuß
3. It works to use ``keep state'' with them.
I still don't know what happens to fake packets from outside
pretending to be sent ``by me''. I hope they will be seen by the
filter.
I think they will.

-is


Edgar Fuß
2011-09-07 11:01:05 UTC
IS> This might be because those are auto-routed via loopback, so they don't
IS> really hit the driver, if I recall correctly.
Ah, that indeed seems to be the case.
Is that documented anywhere?

EF> Both broadcast or multicast datagrams from me are seen twice by the filter.
IS> outgoing and incoming?
Yes.

EF> I still don't know what happens to fake packets from outside pretending
EF> to be sent ``by me''. I hope they will be seen by the filter.
IS> I think they will.
It's quite hard to test. The best I could get was to set up the address in question as an interface alias on another machine and then ping that interface's broadcast address from there.
Indeed, those datagrams were seen by the packet filter on the machine legitimately owning the IP faked by the other machine.

Mouse
2011-09-07 14:08:01 UTC
Post by Edgar Fuß
I still don't know what happens to fake packets from outside
pretending to be sent ``by me''.
It's quite hard to test. The best I could get was to set up the
address in question as an interface alias on another machine and then
ping that interface's broadcast address from there.
You might also be able to do something creative with NAT.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
