Setting up anti-spoofing!

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Setting up anti-spoofing!

Post by Lyecdevf »

I want to set up my router to prevent spoofing attacks but there is something that I do not understand exactly. I am working from a tutorial that I found on the net and I am going to repost the part of it here that I do not understand.

    * The IP specification includes provisions for private subnetworks
      that are designated for internal use only. There is no legitimate
      reason to route packets from these addresses anywhere in the
      general Internet infrastructure. (RFC1597) These address ranges
      include 10.*.*.*, 172.16-32.*.*, and 192.168.*.* (where *
      indicates any value from 0 through 255). No packets should be
      routed through the Internet with these addresses as either their
      source or their destination.

I can understand that I need to block all the following addresses coming from outside that are directed to my IP, but what about blocking them from going out of my router? Would not this mean that I would block myself out?
We will either find a way, or make one.
- Hannibal

leetnigga
Fame ! Where are the chicks?!
Posts: 447
Joined: 28 Jul 2009, 16:00

Re: Setting up anti-spoofing!

Post by leetnigga »

The outgoing packets from your router will have your external IP address, not the internal ones, so you won't block yourself. Filtering outgoing packets with internal IP addresses, I suppose, is to prevent malware or something from sending those kinds of packets.

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

It does not work. I just tried it and it blocked me from the internet. :cry: :oops:

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

It depends on at what stage the router blocks the packets: if it's before the network address translation it'll block all outgoing packets.
imo there is no need to block those ranges for outgoing traffic, because if the purpose is to block outgoing malware traffic if the system is infected, it is pretty pointless: the malware will use the already existing (private) IP address provided by the router and not create a virtual interface.

A better way than blocking outgoing IPs would be to set the hostmask to 255.255.255.255 (usually it's 255.255.255.0); that way only 1 host is allowed in the network. If it's not working (Windows might be a little bitchy about that) use 255.255.255.252 (2 hosts).
Make sure the subnet settings are the same on your box and on the router.

p.s. if you have multiple boxes in the network and you need more than 1 or 2 hosts allowed in the subnet, have a look here:
http://en.wikipedia.org/wiki/Subnetwork
(under "Subnets and host count")

:wink:

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Remember not to miss the forest for the trees.

Why not set up host-based firewalls on each of the machines on your LAN?

Your first post: that range of IPs was meant to help stop spoofing from the outside into a network. Someone on the WWW cannot send a packet to you with those IPs; it will get dropped at the first border router.

Normal convention is to match IPs with MAC addresses; the router/gateway verifies that the IP matches the MAC addy. As BB is saying, not all routers are the same, some are dumber than others.

leetnigga wrote: Filtering outgoing packets with internal IP addresses I suppose is to prevent malware or something from sending those kind of packets.

Close, but those IP ranges were agreed on to help set up private networks simply.

    Class  Start        End
    A      10.0.0.0     10.255.255.255
    B      172.16.0.0   172.31.255.255
    C      192.168.0.0  192.168.255.255

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally. IANA works in cooperation with five Regional Internet Registries (RIRs) to allocate IP address blocks to Local Internet Registries (Internet service providers) and other entities.
RFC 1918 defines a number of IP blocks which were set aside by the American Registry of Internet Numbers (ARIN) for use as private addresses on private networks that are not directly connected to the Internet.
This was done back in the day before malware existed! They figured that poorly created private networks would be secure, because the Internet border routers were instructed to drop any 'leaky' private network traffic. The IPs have to follow the rules of the IANA.
Imagine how funny if someone set up their network IP as 127.0.0.1?

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

DNR wrote: Your first post, that range of IP was meant to help stop spoofing from the outside into a network- someone on the WWW cannot send a packet to you with those IP - it will get dropped at the first border router.

Are you saying that someone cannot spoof their IP address to, let's say, 127.0.0.1 and try to get access to the internal network and later to my computer? I am not saying that I do not believe you. I believe that you are very wise when it comes to computing, but allow me to post here a part of the tutorial that I was working from, where it was suggested that we set up firewall rules that would prevent class A, B and C packets from entering the internal network and leaving to the WAN:

    * The IP address 127.0.0.1 is ONLY used for internal routing of
      packets from a host to itself. There is no legitimate IP datagram
      that should pass through a router or gateway with this as the
      source address. In fact, routing these packets is dangerous
      because they may be used to forge packets from the localhost which
      often has special privileges. A recent attack that causes denial
      of services involves sending a packet to a host's echo port with
      127.0.0.1 as its source address and the echo port as its source
      port. The echo port causes whatever packet it is sent to be
      returned to its source. Since the source address is the same port
      on the same host, this packet creates an infinite loop which, in
      many cases, disables the computer.

Now I have pretty much finished adding firewall rules to prevent the following from entering and leaving:

    A  10.0.0.0     10.255.255.255
    B  172.16.0.0   172.31.255.255
    C  192.168.0.0  192.168.255.255

Have I done right or does this serve no purpose at all?

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Oh, wait....you misunderstood me.
You can block all private IP ranges for incoming traffic, but for outgoing traffic you have to allow the range your own private IP is in; on that range use the subnet setting as I told above... :wink:
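The rule set the thread converges on (drop RFC 1918 and loopback addresses arriving on the WAN side; on the outbound side, only filter after NAT has already rewritten the LAN source, otherwise every packet from your own LAN is dropped) is small enough to model in a few functions. The following is an added example written for this thread, not code from the tutorial Lyecdevf is following or from any router firmware; the LAN prefix, public address, the `before_nat` / `after_nat` stage labels and the host-count helper for bad_brain's subnet-mask suggestion are all constructed for illustration. It uses only Python's standard `ipaddress` module.

```python
import ipaddress

# Constructed values for the example: a typical home LAN and a placeholder
# public address taken from the TEST-NET-3 documentation block.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = ipaddress.ip_address("203.0.113.7")

# Ranges the quoted tutorial says must never cross the Internet border:
# the three RFC 1918 private blocks plus the loopback block.
NEVER_ON_WAN = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_private_or_loopback(addr):
    """True if addr falls in any of the private or loopback ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_ON_WAN)


def wan_ingress(src, dst):
    """Anti-spoofing check for a packet arriving on the WAN interface.

    A packet from the Internet can never legitimately carry a private or
    loopback address as its source or destination, so both are dropped.
    """
    if in_private_or_loopback(src) or in_private_or_loopback(dst):
        return "drop"
    return "accept"


def nat_outbound(src):
    """Source NAT as a home router performs it: LAN sources leave as PUBLIC_IP."""
    if ipaddress.ip_address(src) in LAN_NET:
        return str(PUBLIC_IP)
    return src


def egress(src, dst, block_private, filter_stage):
    """Verdict for an outbound packet.

    filter_stage (assumed label) says where the filter sits relative to NAT:
    'before_nat' sees the original LAN source, 'after_nat' sees PUBLIC_IP.
    With block_private=True a 'before_nat' filter drops the LAN's own traffic,
    which is exactly the lock-out reported earlier in the thread.
    """
    seen_src = src if filter_stage == "before_nat" else nat_outbound(src)
    if block_private and in_private_or_loopback(seen_src):
        return "drop"
    if in_private_or_loopback(dst):
        # Private destinations are unreachable across the Internet anyway.
        return "drop"
    return "accept"


def usable_hosts(mask):
    """Usable host count for a dotted subnet mask (network and broadcast
    excluded for prefixes shorter than /31, as in conventional subnetting)."""
    net = ipaddress.ip_network(f"0.0.0.0/{mask}")
    count = net.num_addresses
    return count if net.prefixlen >= 31 else count - 2


if __name__ == "__main__":
    print("WAN ingress, spoofed private source:", wan_ingress("10.0.0.5", "203.0.113.7"))
    print("egress filter before NAT:", egress("192.168.1.20", "198.51.100.9", True, "before_nat"))
    print("egress filter after NAT: ", egress("192.168.1.20", "198.51.100.9", True, "after_nat"))
    for mask in ("255.255.255.0", "255.255.255.252", "255.255.255.255"):
        print(mask, "->", usable_hosts(mask), "usable host(s)")
```

The two `egress` calls are the whole point: the same rule that is harmless after NAT blocks all outbound traffic when it runs on the pre-NAT LAN source, so where the rule sits in the router's pipeline decides whether it locks you out.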

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Lyecdevf wrote: Are you saying that some one can not spoof there IP address to lets say 127.0.0.1 and try to get access to the internal network and later to my computer?

Let's use a better example. 127.0.0.1 was a bad example as that is the loopback. Let's say we use 192.168.1.1; that is a known IP for a web interface on wifi routers. If you enter that into your traceroute, ping, or browser and pass it on to the internet, the internet border routers will immediately drop that packet due to the IP being on the IANA special list of not-acceptable IP ranges for the WWW.

Why?
The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among 'private networks'. As soon as it sees 10.10.1.1 or 192. or 172. etc., the packet is immediately dropped.

So if you numbered all your computers 192.168.1.2 - 192.168.1.255, someone cannot access those numbers via the Internet; they can only access those IPs if they are inside the LAN that is using those IPs.

How?
From a wardriver's perspective, all I have to do is connect to your unsecured network via the wifi AP. Once attached to the LAN, I can then ping or sniff those internal IPs, because now my request is being passed inside the LAN, not from the Internet routers. I can also spoof myself as one of those internal IPs, by sniffing the MAC for that IP and copying it. As long as you prevent unauthorized users from attaching to your network, they can't do this. You can also limit file sharing between computers, and block access from other internal computers with a host-based firewall.

Lacking an unsecured wifi AP, you can also sneak into the physical building and just plug your laptop into their cabled network. Lacking physical access, you try to get someone on the internal network to install a RAT.

Some routers are classed as "residential" because they do not have all the features of a 'business' router.
Lyecdevf wrote: Now I have pretty much finished adding firewall rules to prevent the following from entering and leaving:

    A  10.0.0.0     10.255.255.255
    B  172.16.0.0   172.31.255.255
    C  192.168.0.0  192.168.255.255

The border routers for the Internet will not accept any IPs in these ranges anyway. So this takes care of setting rules to prevent them from accessing the WWW (don't have to worry about it). Internally you want to pick one of those IP ranges for your network, and not worry about the other ranges. It is not possible for the above IP ranges to enter your network from the Internet.
It was suggested that for small networks you use 192.168.0.0, but you can use 10.0.0.1 if you wanted to; it's the same thing to the Internet border routers, a special IP to be dropped.

No harm in asking for clarification, man; if I am considered an authority, then "question authority" still applies. :wink:


Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

DNR wrote: The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among 'private networks'. As soon as it sees 10.10.1.1 or 192. or 172. etc the packet is immediatly dropped.

I have heard that attackers try to get an internet connection with as few hops as possible to the target. Would that mean that they are trying to avoid BGP?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

They would set static routing by tunnelling through other compromised machines. This helps because when they play man-in-the-middle they need to control the timing of the packets sent to the target.

The internet is one big mesh now; you could hop from one state or one country to another through someone else's network. Say Toyota: you hop on their network in the USA, tunnel through their network to Japan, and then hop off to another network.
