RFC 1918 and RFC 2827

haithamnofal · ‎02-16-2007

Hi,

I am just wondering why Cisco recommendations are to apply the filterations stated in RFCs 2827 & 1918 in the border and ISP routers while as the range called to be filtered in RFC 2827 is originally not routable elsewhere, and the addresses which need to be filtered in RFC 1918 are not routable in the internet!

Regards,

Haitham

ahmednaas · ‎02-16-2007

RFC 1918 ranges are filtered because they shouldn't be there in the first place. They are there because of either misconfiguration or some malicious intent.

RFC 2827 filtering is done, if I remember correctly, to prevent DOS and other attacks.

alexander.muhin · ‎02-16-2007

Hi Haitham,

Such filtering helps to avoids/prevents DoS attacks, where an attacker uses fake IP source addresses (for example from RFC 1918 range). You can find more deep explanations in RFC 2827.

regards,

Alexander

haithamnofal · ‎02-16-2007

Hi Guys,

I understand that both RFCs are calling for such filtering to prevent against DoS and access using private IP addresses, but I am just wondering if I didn't apply this filtering, how would an attacker be able to access my network using a private IP address (as it is a non-routable IP)! Also, how would my network be a source for DoS using a spoofed IP, as RFC 2827 advises, while as there is no way to use an IP from a different range other than the one allocated to my network from the ISP because again it will be non-routable by the ISP!

What do you think?

Regards,

Haitham

ahmednaas · ‎02-16-2007

Haitham,

The fact that some addresses are non-routable has to be enforced somewhere. Routers cannot enforce this by default because they are as likely to be used in intranets where the use of such non-routable addresses is completely legal. For more on the mechanics of DoS, see:

http://en.wikipedia.org/wiki/Denial-of-service_attack

Jon Marshall · ‎02-16-2007

Hi Haitham

You are right in saying that the private address ranges are non-routable. But they are non-routable only when the traffic is routed back to the source.

So if i spoof a packet with a private IP source address eg 192.168.1.1 to your company firewall it will arrive at your firewall as it is routed to the public address of your firewall. But it can't be routed back.

But for a lot of attacks it does not need to be routed back. For example the snmp set command. This is based on UDP. If an attacker managed to guess or obtain your snmp password and your router had rw for snmp he could send an snmp command telling the router to shut down. He doesn't care about the response.

TCP connections are different. They need to be setup with a 3 way handsahake which is a lot harder to spoof. But again the attacker might not be interested in this. He might be interested in just send as many SYN packets to a server as he can. Servers only have a finite number of half open connections. The server will respond to the SYN with a SYN/ACK but obviously it never gets there as it non-routable. But the server has to keep the connection half open for a certain amount of time before it can close it. Send enough of them and the server runs out of "slots". Most modern OS's and firewalls make attempts to address this problem but it is very difficult to do without denying legitimate connections.

All of the above applies to RFC 2827 addressing as well except your machines become the attacker instead.

HTH

Jon