cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


4439
Views
5
Helpful
9
Replies
Participant

How an attacker spoof the source ip address

Dear All,

IP address spoofing can be defined as the intentional misrepresentation of the source IP address in an IP packet.

My question here is that, If an attacker is spoofing an address that belongs to an organizations Private ip segment, then how the packet will travel over the internet if the header contains Private ip address. Or is that an attacker spoof only a public ip address that belongs to an organizations server which has a public ip ???

regards

Rajesh 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Guru

You are incorrect in your

You are incorrect in your assumption that both IPs need to be public for the packet to reach it's destination.

Using your example of a server across the internet the destination IP needs to be public but the source IP does not because routers usually don't care about source IPs.

You ask what is the purpose of PAT, that is so the return traffic can be routed back to the source IP.

Jon

9 REPLIES 9
VIP Advisor

Hi,

Hi,

Although routing at ISP level is based on destination IPs only, most of them have basic measures to block spoofing such as denying traffic from source addresses in the RFC1918.

Some of them go advanced but this is the minimum. So in short, providers will drop packets will private source IPs.

VIP Mentor

In a perfect word I would

In a perfect word I would agree, but it seems that at least some ISPs don't follow these best practices. Many of my routers show ACL-hits like the following:

 10 deny ip 0.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any (259 matches)
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 169.254.0.0 0.0.255.255 any
50 deny ip 172.16.0.0 0.15.255.255 any (39 matches)
60 deny ip 192.0.2.0 0.0.0.255 any
70 deny ip 192.168.0.0 0.0.255.255 any (1484 matches)
80 deny ip 198.18.0.0 0.1.255.255 any (1 match)
90 deny ip 198.51.100.0 0.0.0.255 any
100 deny ip 203.0.113.0 0.0.0.255 any
110 deny ip 224.0.0.0 31.255.255.255 any

I'm pretty confident that these are not attacks that involve address-spoofing. That are just misconfigured NATs somewhere on the internet combined with the providers without proper ingress filtering.

Back to original topic. There are two reasons that addresses are spoofed:

  1. The attacker wants to look like an authorized source to start some activity on the destination system. I would consider this problem solved as at least on the internet it is very hard to achieve. But on the local LAN it is much easier.
  2. The attacker tries to hide his activity as it's done in an (D)DOS attack. Here it is quite common to spoof the source addresses and recent activities show that it's still easy to achieve that. BCP38 is one of the documents that more ISPs have to read ...
Participant

Dear All,

Dear All,

As per my Understanding any attacker from outside world cant change their source ip to Private ip address as it is not routable.. Hence they will find out any NATed server in any organization and will assign that NAT Public ip as Source and will try to do Dos attack and Spoof.. Please correct me if i am right... I am thinking from Attacker's point of view. Im sure that most of the firewalls will block such traffic by ip verify urf and antispoofing in ASA and checkpoint respectively.

regards

Rajesh P

VIP Mentor

"Not routable" means that a

"Not routable" means that a private IP as the destination address will never find the way to the right destination. To make it more difficult, this is not true for the ISP that connects your network. That ISP always can route a private ip-range to your network.

For private IPs as the source address, countermeasures like URPF are available. But these have to be configured as they are not default on all devices. And reality shows that it's not always the case.

Participant

I still wonder how ISP will

I still wonder how ISP will send a packet when its source ip is Private

(That ISP always can route a private ip-range to your network)

To travel thru internet your ip should be public right

im concerned about only source ip.

VIP Mentor

Without any special

Without any special countermeasures, a routing device will not even look at the source address and it doesn't matter if it's a private IP, the right public IP or an IP that is assigned to someone else. The router just won't care about it.

Participant

An user or attacker when it

An user or attacker when it has to reach a destination server, will always have public ip as source (either by modem or router or firewall will do nat) and destination as public.

As per my knowledge if any of these fields are Private, then it will never reach the destination.

If any source ip is private and it reaches the public without nat, then what is the use of PAT/Hide NAT concepts ?

More over as you said, ISP will look into only destination and not the source address to pass the traffic to internet, then you are indirectly saying that ISP is going to do a NAT on the source ip. ? If its going to do a NAT, then again the source ip will be changed to another public ip and Spoofing attack needs the same ip address to be shown as a Servers address (either public or private), then only after reaching the firewall it will detect as a spoofed ip address and will block it if configure properly. Else the firewall will send sync ack to the Server thinking that this is the server who has sent a syn request and finally land up in DOS attack

Sorry to say that i am still not clear on what you have said earlier.

Hall of Fame Guru

You are incorrect in your

You are incorrect in your assumption that both IPs need to be public for the packet to reach it's destination.

Using your example of a server across the internet the destination IP needs to be public but the source IP does not because routers usually don't care about source IPs.

You ask what is the purpose of PAT, that is so the return traffic can be routed back to the source IP.

Jon

Highlighted
Participant

Agreed for the point that

Agreed for the point that Return traffic is not sent Unless NAT. So Spoof is possible

Thanks :) a lot

Is there any tool available which can convert my ip to private while sending packet out. kali linux ?