From: lumpi@dobag.in-berlin.de (Joern Lubkoll)
Newsgroups: comp.security.unix
Subject: Re: Faking IP-Address & Number
Date: 8 Mar 1994 03:14:34 +0100

dierk@theoris.rz.uni-konstanz.de (Dierk Lucyga) writes:

>Lately I read something about faking IP-Numbers and/or addresses.
>I know it is not too difficult to fool sendmail, but what about other
>services? I don't want to know *how* to do it (as I most probably wouldn't
>understand it), but if it is *possible*.

It is possible. If you have physical access to the network you can simply
connect a portable system (notebook or alike) and give it the address you
want. On some workstations (brand not given - you know why) you can even
alter the ethernet address with a simple program (no, I won't hand it out).
Most systems will complain with 'duplicate ip-address' but they will
continue to accept your packets. This has been tested on a large network
of ~400 workstations. It works well and there is no known workaround (at
least on that brand of systems - others may have other algorithms for
checking ip and ethernet address but I doubt that any system available on
the market is able to get around that problem). The same applies to fiber
optic networks etc.

The conclusion is not to give physical access to a network and/or not to
give a possibility to become root on a system whose ethernet address can
be changed by software.

Workaround: Give the servers a bridge/router-isolated network which does
not allow packets to be transferred from outside with ip-addresses from
within the secure network. Don't allow physical access to the network
cables of the secure part. That bridge/router may be considered some sort
of firewall for the systems whose data has to be secure.

jl
--
How could she ever understand that there isn't any way I could be
disappointed since I no longer find anything worth looking forward to ?
"American Psycho", Bret Easton Ellis

------------------------------------------------------------------------------

Newsgroups: comp.security.unix
From: greulich@math-stat.unibe.ch (Andreas Greulich)
Subject: Re: Faking IP-Address & Number
Date: Tue, 8 Mar 1994 12:32:31 GMT

In article <2lgn2a$dbq@dobag.dobag.de>, lumpi@dobag.in-berlin.de (Joern Lubkoll) writes:

|> On some workstations (brand not given - you know why) you can even alter the
|> ethernet address with a simple program (no, I won't hand it out). Most
|> systems will complain with 'duplicate ip-address' but they will continue
|> to accept your packets.

You don't even have to change the ethernet address. For example, if you use
a Sun and have access to the nit interface, you can send out any ip packet
and set any IP address you want as source. The only problem is, if you do
that with a remote host, then you won't get any packets back. It still can
be used trying to send a host an rsh command and pretending to be from a
trusted host, as you don't need any replies, you're just interested in the
side effect. The only "security" are the sequence numbers, which can be
guessed usually, and the fact that the "real" source machine will usually
send a reset packet, but this machine can be flooded to prevent the reset
packet. This all is described in a famous paper (by Morris and.. I don't
remember the other name), and there were discussions about it on
comp.protocols.tcpip (or similar), and probably also here.

The only workaround I think are routers that don't allow incoming packets
that pretend to be from local hosts. I think such exist already, but are
not very common.

A.Greulich

--------------------------------------------------------------------------

From: wolff@tardis.et.tudelft.nl (Rogier Wolff)
Newsgroups: comp.security.unix
Subject: Re: Faking IP-Address & Number
Date: 8 Mar 1994 16:07:03 GMT

Dierk Lucyga (dierk@theoris.rz.uni-konstanz.de) wrote:

: Lately I read something about faking IP-Numbers and/or addresses.
: I know it is not too difficult to fool sendmail, but what about other
: services? I don't want to know *how* to do it (as I most probably wouldn't
: understand it), but if it is *possible*.

Easiest way to do it is to configure a host to another IP address. (Just as
you do when you first configure it...) The "legit" host (the one you are
impersonating) will complain about duplicate IP addresses.

Make sure the host you are attacking doesn't have the host you are
pretending to be in its arp cache. It will then perform an ARP call.
Usually (in my experience) the impersonating machine gets there first, and
the impersonated machine starts bloating "duplicate IP address from ethernet
address xxxxxxxxxxx". At this moment the attacked machine completely trusts
you, and the impersonated machine is immobilized.

Roger.
--
* Not that I have tested it - I just wrote the code and hope it works.   *
* "Real programmers" don't test: they assume it works the first time,    *
* and anyway, what do you think beta-testers are for?  -Linus Torvalds   *
EMail: wolff@dutecai.et.tudelft.nl ** Tel +31-15-783643 or +31-15-142371

--------------------------------------------------------------------------

Newsgroups: comp.security.unix
From: cjc@ulysses.att.com (Chris Calabrese)
Subject: Re: Faking IP-Address & Number
Date: Wed, 9 Mar 1994 16:37:30 GMT

In article <2lghbh$e40@galaxy.ucr.edu>, datadec@ucrengr.ucr.edu (Kevin Marcus) writes:

|> In article <2lgblk$lvc@hermes.uni-konstanz.de>,
|> Dierk Lucyga wrote:
|> >Lately I read something about faking IP-Numbers and/or addresses.
|> >I know it is not too difficult to fool sendmail, but what about other
|> >services? I don't want to know *how* to do it (as I most probably wouldn't
|> >understand it), but if it is *possible*.
|>
|> I have heard a bit of talk about this lately, too. I figure, it's gotta
|> show up somewhere, say, netstat, or else how would, say, telnet know where
|> to send the packets? It'd end up being a one way communication.
|>
|> I do want to know how something like that would be done.

I won't go into the details of _how_ you fake an IP address (though it's
pretty simple if you think about it), but I will address the issue of when
it works and when it doesn't and why.

First let's talk about packets going from the imposter (call it 'imposter'),
to another host (call it 'other'). I'll call the real host 'real'.

If 'imposter', 'other', and 'real' are on the same network, 'other' may have
'real's ethernet-address cached and notice that 'imposter' is sending the
wrong address (though not all IP implementations catch this). Similar things
may happen if 'real' and 'other' are on one sub-net, and 'imposter' is
coming through a gateway/router/whatever, or if 'imposter' and 'real' are on
the same net, and go through a gateway/router/whatever to get to 'other'.
This all assumes that the attacker isn't burning his/her own PROMs to set
the address on their ethernet card.

If none of the above is true, this ethernet-address-based method won't work,
leaving only alternatives which require some other form of authentication
such as:

  routing-based authentication (I don't know of any system that does this,
  though it should be possible to a limited extent - yes I know that packets
  are not guaranteed to take the same path in IP, but if one has a hop-count
  of 2, and another 200...)

  key-based authentication schemes like Kerberos, RSA, digital signature
  standard, etc. This is very rarely done, and certainly doesn't help
  standard ftp/rlogin/rsh/sendmail/telnet/etc servers.
As for the reverse trip (you _need_ two way communication for all TCP based
services, and for many RPC based ones too), things are mostly pretty
similar, but you have a little better chance that some address/routing
caches might try sending to the real address/route on the return trip.

Summary: The standard rsh/rlogin/etc protocols are inherently insecure, and
physical security (along with firewalls) should be used. Anyone with the
root password on a workstation can break into anything on your network that
allows rsh. I've seen it done. It's not even difficult. Telnet and ftp are
ok because they don't rely on host-based authentication (though hand-held
authenticators could be a good thing for telnet/ftp sessions coming through
your firewall). smtp is easy to spoof and to use to fill the filesystem
containing the mail files, but you can't use it to break in. The security
of sendmail, on the other hand, is a bug, not a feature.

DISCLAIMER: I'm just ramblin'. Don't take any of this as the one true
opinion. Especially don't take it as the one true opinion of my
past/present/future employers/colleagues/family-members/pets (in fact, it
may not even be my opinion by the time I get your flame).

--
Name: Christopher J. Calabrese
Brain loaned to: AT&T Bell Laboratories, Murray Hill, NJ
cjc@ulysses.att.com (before 4/1)
Soon to be: Novell UNIX Systems Group, Summit, NJ
cjc@summit.novell.com (after 3/12)

-------------------------------------------------------------------------

Newsgroups: comp.security.unix
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Faking IP-Address & Number
Date: Thu, 10 Mar 1994 15:15:20 GMT

Yes, it's possible to fake an IP source address, though it isn't always
easy. Folks might want to look at a paper I published in the April '89
issue of Computer Communications Review. It's available for ftp from
research.att.com as dist/internet_security/ipext.ps.Z.

--Steve Bellovin
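The two defensive mechanisms the thread keeps returning to, in working form as an added example that is not code from any of the posters: Lubkoll's and Greulich's workaround (a bridge/router that drops packets arriving from outside with source addresses belonging to the secure network) and the 'duplicate ip-address' check that hosts perform when a second ethernet address claims an IP they already know. The 10.1.0.0/16 network, the sample packets and the ARP observations are constructed, and the outbound (egress) rule goes one step beyond what the thread states.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the address block of the "secure" network behind the router.
SECURE_NETS = [ipaddress.ip_network("10.1.0.0/16")]


def is_secure_addr(addr):
    """True if addr belongs to the isolated (secure) network."""
    return any(ipaddress.ip_address(addr) in net for net in SECURE_NETS)


def border_filter(direction, src, dst):
    """Anti-spoofing rule for the bridge/router in front of the secure net.
    direction is "in" for packets arriving from outside, "out" for packets
    leaving the secure net. Returns "accept" or "drop"."""
    if direction == "in" and is_secure_addr(src):
        return "drop"  # outsider claiming a trusted inside source address
    if direction == "out" and not is_secure_addr(src):
        return "drop"  # egress rule: inside host claiming a foreign address
    return "accept"


class ArpWatch:
    """Records IP -> ethernet bindings seen on the wire; a second ethernet
    address claiming a known IP is the 'duplicate ip-address' condition."""

    def __init__(self):
        self.seen = defaultdict(set)

    def observe(self, ip, mac):
        """Return the other MACs already claiming ip (empty set: no conflict)."""
        mac = mac.lower()
        others = self.seen[ip] - {mac}
        self.seen[ip].add(mac)
        return others


# Constructed sample traffic as (direction, src, dst) triples.
SAMPLE_PACKETS = [
    ("in", "192.0.2.7", "10.1.0.5"),       # ordinary inbound packet
    ("in", "10.1.0.9", "10.1.0.5"),        # outside packet claiming an inside source
    ("out", "10.1.0.5", "192.0.2.7"),      # ordinary outbound packet
    ("out", "198.51.100.1", "192.0.2.7"),  # inside host claiming a foreign source
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the border rule to each packet; returns the list of verdicts."""
    return [border_filter(d, s, t) for d, s, t in packets]
```

The filter only helps at the boundary: as Calabrese notes, an imposter already on the same wire as 'real' and 'other' is not caught by it, which is why the thread also calls for physical security of the cables.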