Source route is an option in the IP header that allows the sender to override some or
all of the routing decisions. Normally, the routers between the source and destination decide
how to route the packet. There are a couple of network management uses of this option,
such as testing whether two computers can talk to each other: a network manager at point
A may send a packet to B by way of point C. If it arrives, this tells A that B and C can talk to each
other.
The same technique can be used to evade firewalls, subvert trust relationships, and
communicate with machines using "private" addresses (10.x.x.x, 192.168.x.x,
172.[16-31].x.x).
Let's say you are a hacker/cracker on the Internet and you want to talk to some
machines behind a firewall that use 10.x.x.x as their IP addresses. Since the routers on
the Internet do not know where this subnet is located, they will drop your packets.
However, if you put a loose source route option in the IP packet, you tell all the Internet
routers to first forward the packet to the firewall. Since the firewall straddles both the Internet
and the private network, it knows how to forward the packet the rest of the way. Thus, you
can carry on a conversation with the victim by bouncing all packets through the firewall.
This can be combined with IP spoofing. You pretend to be a router (like the firewall
mentioned above) and pretend that somebody else is bouncing packets through you. Thus,
you pick some random machine on the Internet (ALICE) as the spoofee, then send packets "from"
ALICE to your victim BOB. BOB will think the packets are coming from ALICE, but in reality
they are coming from you. This masks the real source of the attack.
This is even better if you know that BOB trusts ALICE. IP addresses are often used as
part of authentication. Let's say the firewall has a rule allowing all traffic from ALICE
into the network. By forging all IP packets to be from ALICE (but source routed
through your own machine, so the replies come back to you), you get free access to the victim network.
More and more core Internet routers are dropping source routed packets. They slow down
forwarding anyway, and they are a huge security risk. There is also no real need for them.
Managers should do the same and disable source routing everywhere: on firewalls, on
routers, and even on end-nodes so that they won't even accept incoming source routed
packets.
See Microsoft Knowledge Base article Q217336 for setting the "DisableIPSourceRouting"
on WinNT SP5 systems
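As an added example (not code from the original FAQ), the following Python constructs an IPv4 header carrying a Loose Source Route option of the kind described above and then applies the check that a firewall or end-node should use to drop such packets. The attacker (203.0.113.7), firewall (198.51.100.1) and victim (10.1.2.3) addresses are placeholders from the documentation ranges, not real hosts; the header checksum is left at zero because the check does not need it.

```python
"""Detect and reject IPv4 source-route options (LSRR/SSRR).

Added example for this FAQ, not code from the original page. It constructs a
packet carrying a Loose Source Route option that points at a hypothetical
firewall, then applies the check a firewall or end node should use to drop it.
"""
import ipaddress
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-operation (padding)
IPOPT_LSRR = 131  # loose source and record route (0x83)
IPOPT_SSRR = 137  # strict source and record route (0x89)


def build_lsrr_option(route):
    """LSRR option: type, length, pointer (4 = first hop), then 4-byte hops.

    With source routing the header's destination field holds the first hop
    (here: the firewall); `route` lists the remaining hops, the last of which
    is the real destination behind the firewall.
    """
    hops = b"".join(ipaddress.IPv4Address(h).packed for h in route)
    opt = bytes([IPOPT_LSRR, 3 + len(hops), 4]) + hops
    pad = (-len(opt)) % 4            # option area is padded to 32-bit words
    return opt + bytes([IPOPT_EOL]) * pad


def build_ipv4_header(src, dst, options=b"", payload_len=0, ttl=64, proto=17):
    """Minimal IPv4 header. Checksum is 0: not needed for this check."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + options


def find_source_route(packet):
    """Return (kind, [hops]) if the header carries LSRR/SSRR, else None.

    Raises ValueError on a malformed option list; a filter should drop
    those too rather than guess at what the sender meant.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3 or (length - 3) % 4:
                raise ValueError("bad source-route option length")
            body = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(body[j:j + 4]))
                    for j in range(0, len(body), 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", hops)
        i += length
    return None


def should_drop(packet):
    """Policy recommended by the FAQ: refuse every source-routed packet
    (and every packet whose option list cannot be parsed)."""
    try:
        return find_source_route(packet) is not None
    except ValueError:
        return True


if __name__ == "__main__":
    # Attacker on the Internet addresses the firewall, with the private
    # victim as the only entry in the loose source route.
    attack = build_ipv4_header("203.0.113.7", "198.51.100.1",
                               build_lsrr_option(["10.1.2.3"]))
    print(find_source_route(attack), "drop:", should_drop(attack))
    plain = build_ipv4_header("203.0.113.7", "198.51.100.1")
    print(find_source_route(plain), "drop:", should_drop(plain))
```

The parser walks the option list exactly as a host would, honouring NOP padding and the EOL terminator, so a source route hidden behind a few NOP bytes is still found; a malformed option list is treated as a reason to drop rather than as harmless.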
3.2 I'm seeing the IP address 255.255.255.255 in my reject log
This is happening a lot these days as more and more people use DSL or cable-modem
connections. The reason is that unlike point-to-point connections (like T-1, frame relay,
etc.), these new high-speed technologies drop you onto an ATM VLAN, which is a single
broadcast domain. In fact, many cable-modem users are seeing multiple megabytes of
traffic per day simply from such broadcasts. You must remember that such packets MUST
be local. Routers (generally) refuse to forward packets with the destination IP address
255.255.255.255. This address is known as the "local broadcast" for this reason:
it never travels past the local segment (or these days, the local "virtual"
segment).
What are these packets for?
Check the list of ports at the top of this document. If it is not listed there, then
the only way to figure this out is to capture them with a sniffer and view their
contents.
For example, a common service that turns up on a seemingly random port is CORBA IIOP.
IIOP's registered port is 535, but it is
frequently reconfigured to broadcast on other ports. If you look at the hex dump in the
sniffer, you will see the letters "IIOP", or the four-byte magic "GIOP" that begins every
GIOP message (IIOP is GIOP carried over IP), somewhere in the contents.
In any case, this is rarely something to be concerned about. In fact, it advertises
something about the person sending the traffic that can be used to hack them. Hackers
rarely attack their own neighborhoods (because it is easy to detect), so it probably is
accidental, not malicious.
It should be noted that with today's ATM networks, the source of the broadcast may not
even be in the same state as you are; they may be hundreds of miles away. The word
"local" means in terms of the network topology, not distance.
3.3 How do I track down the owner of an IP address?
Remember that IP addresses can be spoofed, so that the "owner" of an IP
address may be innocent. Increasingly, attacks are coming from compromised machines. The
owner of the IP may actually be grateful! Both of these statements come to the same
conclusion: be polite and professional. Many companies have established the e-mail
address "abuse@example.com" (replace "example" with the proper
company). This e-mail role is for both e-mail abuse (such as spam) as well as for network
abuse. When you find the owner of the IP address, you should probably compose a message
including the evidence of the attack.
Registrar Databases
In the past, all the IP address owners were kept by the Internic. A database built from
that information is at http://ipindex.dragonstar.net/.
There are now 3 official registrars, for North America, Asia, and Europe. Unfortunately,
you will have to query each individual database. However, if you start with the North
America registrar, it will tell you if the address belongs to one of the other two. Warning:
the returned information is fragile, so don't send flames to these people, because you have
only about a 30% chance of reaching the right people.
traceroute
Running traceroute will often find at least the ISP who is hosting the IP address. A
reverse DNS lookup on the actual IP address is easy to spoof, but the route to the machine
will reveal who is hosting the possible intruder.
Common IP addresses
Many attacks are now coming from cable-modem subscribers in the 24.x.x.x range. These
are probably from machines who have been compromised by a Remote Access Trojan (RAT).
(While hackers/crackers frequently use dial-up lines because they don't care if their
account gets canceled, few users want to have their cable-modem accounts canceled).
Another important range is the "private address" ranges of 10.x.x.x,
192.168.x.x, and 172.16.x.x-172.31.x.x. See 3.4 below.
Addresses like 127.x.x.x indicate "localhost" and should never be seen on the
Internet.
The address range 192.0.2.x has been designated for "examples", like
"example.com".
3.4 I'm seeing packets from "private" addresses (10.x.x.x et al.) on the Internet side of my firewall
The "private address" ranges are 10.x.x.x, 192.168.x.x, and
172.16.x.x-172.31.x.x. I've been seeing these in three cases:
- traceroutes
- Core routers on the Internet are increasingly being assigned IP addresses in this range.
There is really no need for a router to be reached from the Internet. The
"forwarding" function really is independent from "sending/receiving"
packets. When a router drops a packet and sends back a "ICMP TTL Exceeded"
message, it will use the private address. Note that some routers are multi-homed with both
private and non-private addresses. Other routers have only private addresses.
- cable-modem, DSL
- Most cable-modem and DSL connections are on virtual LANs over ATM. You will often see
broadcast packets from neighboring machines with these private addresses.
- hackers
- Very rarely, you may see an address from hackers who are spoofing addresses in this
range.
3.5 What kind of scans should I expect to see from quasi-legitimate sources?
You will often see scans from somewhat legitimate sources. What I mean by this is that
people will scan you without the intention of actually hacking you. For example, search
engines will index your site, but it isn't an attack.
- Doubleclick
- Sends echoes (pings) to
people in order to redirect them to a nearer server for their advertising.
- http://www.cyveillance.com/response1.html
- Scans websites looking for illegal activities, such as copyrighted items.
3.6 I'm seeing source IP address of 0.0.0.0?
If the port is also 0, then this is probably an attempt to fingerprint your
system.
3.7 What are directed broadcasts and what do they mean?
TODO:
- Often indicate people scanning your subnet
- Hackers looking for smurf amplifiers
3.8 I'm seeing strange addresses like 169.254.x.x?
From a draft document on auto-configuration of IP addresses when DHCP fails:
    Once a DHCP Client has determined it must auto-configure an IP
    address, it chooses an address. The algorithm for choosing an
    address is implementation dependent. The address range to use MUST
    be "169.254/16", which is registered with the IANA as the LINKLOCAL
    net.
This only happens when the normal DHCP process fails.
This new technique was introduced with Microsoft Win98 and Apple MacOS 8.5.
Also see: http://www.performancecomputing.com/columns/daemons/9907.shtml
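As an added example covering sections 3.2 through 3.8 (not code from the original FAQ), the following Python sorts rejected packets into the cases those sections describe: local broadcasts to 255.255.255.255, directed broadcasts to your own subnet's broadcast address, 0.0.0.0 with port 0, and sources in the loopback, link-local, private, documentation, and 24.x.x.x ranges. The log lines and the "local" network 198.51.100.0/24 are constructed placeholders; the log format is a made-up "src=... sport=... dst=... dport=..." layout, so adapt the regex to your own firewall's format.

```python
"""Classify addresses seen in a firewall reject log into the FAQ's cases.

Added example for this FAQ, not code from the original page. The local
network and the sample log below are constructed; the field layout of the
log lines is invented for the example.
"""
import ipaddress
import re

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # 3.4
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")              # 3.8
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")                   # 3.3
DOCUMENTATION = ipaddress.ip_network("192.0.2.0/24")             # 3.3
CABLE_MODEM_HINT = ipaddress.ip_network("24.0.0.0/8")            # 3.3 (at the time of writing)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")      # 3.2
ZERO = ipaddress.ip_address("0.0.0.0")                           # 3.6

# Placeholder for "your" network; the directed-broadcast check needs it.
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")

# Invented log layout for this example.
LOG_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")

# Constructed sample log lines, one per case.
SAMPLE_LOG = """\
DROP src=10.0.3.17 sport=2049 dst=255.255.255.255 dport=535 proto=UDP
DROP src=172.20.1.1 sport=0 dst=198.51.100.20 dport=0 proto=ICMP
DROP src=0.0.0.0 sport=0 dst=198.51.100.20 dport=0 proto=TCP
DROP src=203.0.113.9 sport=31337 dst=198.51.100.255 dport=7 proto=ICMP
DROP src=169.254.12.34 sport=137 dst=198.51.100.20 dport=137 proto=UDP
DROP src=127.0.0.1 sport=1234 dst=198.51.100.20 dport=80 proto=TCP
DROP src=24.5.6.7 sport=1025 dst=198.51.100.20 dport=139 proto=TCP
DROP src=203.0.113.9 sport=40000 dst=198.51.100.20 dport=22 proto=TCP
"""


def classify(src, sport, dst, local_net=LOCAL_NET):
    """Map one rejected packet to the FAQ section that explains it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == LIMITED_BROADCAST:
        return "local-broadcast"      # 3.2: sender shares your (virtual) segment
    if d == local_net.broadcast_address and s not in local_net:
        return "directed-broadcast"   # 3.7: subnet scan or smurf-amplifier probe
    if s == ZERO and sport == 0:
        return "zero-source"          # 3.6: probable fingerprinting attempt
    if s in LOOPBACK:
        return "loopback"             # 3.3: must never arrive from the Internet
    if s in LINK_LOCAL:
        return "link-local"           # 3.8: a neighbour whose DHCP failed
    if any(s in n for n in PRIVATE):
        return "private"              # 3.4: core-router ICMP, VLAN neighbour, or spoof
    if s in DOCUMENTATION:
        return "documentation"        # 3.3: reserved for examples
    if s in CABLE_MODEM_HINT:
        return "cable-modem"          # 3.3: possibly a RAT-compromised subscriber
    return "routable"                 # 3.3: find the owner, then mail abuse@


def classify_log(text, local_net=LOCAL_NET):
    """Parse log lines and return [(src, dst, label), ...] in order."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                  # unparsable line; keep going
        src, sport, dst = m.group(1), int(m.group(2)), m.group(3)
        results.append((src, dst, classify(src, sport, dst, local_net)))
    return results


if __name__ == "__main__":
    for src, dst, label in classify_log(SAMPLE_LOG):
        print(f"{src:>16} -> {dst:<16} {label}")
```

The order of the tests matters: the destination is examined first, so a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255) is reported as the harmless local broadcast it is rather than as a fingerprinting probe, and only a packet aimed at your subnet's broadcast address from outside that subnet counts as a directed broadcast.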