[23764] in North American Network Operators' Group


Re: address spoofing

daemon@ATHENA.MIT.EDU (Danny McPherson)
Thu Apr 22 18:32:41 1999

To: nanog@merit.edu
From: Danny McPherson <danny@qwest.net>
Reply-To: danny@ice.ip.qwest.net
Date: Thu, 22 Apr 1999 16:32:08 -0600
Errors-To: owner-nanog-outgoing@merit.edu
Perhaps ICMP Fragmentation Needed, and more frequently, ICMP Unreachables and
Time-Exceeded or the like coming from private addressed devices. I'd wager
that if you modified your filters to differentiate ICMP and IP, it'd heavily
lean towards ICMP error type stuff...

-danny


> first, apologies for bringing up an operational issue.
> 
> a long while back, i noticed my border filters were showing incoming
> packets from 1918 addresses and my own address blocks.  i wrote this off
> to anomalies and did not have the time to pursue.
> 
> yesterday, i happened to notice it again.  i described it on an internal
> mailing list.  other folk looked at their filters, and lo and behold, it
> is a widespread problem.
> 
> fyi, my filter looks like the following:
> 
>     ! what we allow to come in the serials from the world
>     no access-list 105
>     ! PSGnet
>     access-list 105 deny ip  147.28.0.0    0.0.255.255   any
>     access-list 105 deny ip  192.83.230.0  0.0.0.255     any
>     access-list 105 deny ip  198.133.206.0 0.0.0.255     any
>     ! rfc1918
>     access-list 105 deny ip  127.0.0.1     0.255.255.255 any
>     access-list 105 deny ip  10.0.0.0      0.255.255.255 any
>     access-list 105 deny ip  172.16.0.0    0.15.255.255  any
>     access-list 105 deny ip  192.168.0.0   0.0.255.255   any
>     ! block portmapper and nfsd attacks
>     access-list 105 deny udp any                         any    eq sunrpc
>     access-list 105 deny tcp any                         any    eq 2049
>     ! block samba                                               
>     access-list 105 deny tcp any                         any    eq 137
>     access-list 105 deny tcp any                         any    eq 138
>     access-list 105 deny tcp any                         any    eq 139
>     !
>     ! some other stuff
>     ! allow all others
>     access-list 105 permit ip  any                       any
> 
> the results of 30 hours of running are
> 
>     deny ip 147.28.0.0 0.0.255.255 any (6 matches)
>     deny ip 192.83.230.0 0.0.0.255 any
>     deny ip 198.133.206.0 0.0.0.255 any
>     deny ip 127.0.0.0 0.255.255.255 any (375 matches)
>     deny ip 10.0.0.0 0.255.255.255 any (593 matches)
>     deny ip 172.16.0.0 0.15.255.255 any (201 matches)
>     deny ip 192.168.0.0 0.0.255.255 any (769 matches)
>     deny udp any any eq sunrpc (9 matches)
>     deny tcp any any eq 2049 (494 matches)
>     deny tcp any any eq 137
>     deny tcp any any eq 138
>     deny tcp any any eq 139
>     permit ip any any (9467763 matches)
> 
> when we tried it on routers in different parts of the network, it seemed
> to show similar patterns.
> 
> anyone have clues other than net slime and misconfigured nats?
> 
> randy
> 
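Added example, not from either poster: one way to test Danny's wager is to put the `log` keyword on the RFC 1918 deny entries and break the resulting syslog lines out by ICMP error type versus everything else. The sample lines below are constructed to follow the shape of IOS access-list log messages and are not output from Randy's router; the message format and the 127/8 handling are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed syslog samples in the shape IOS emits for a "deny ... log" entry
# (IPACCESSLOGDP carries the ICMP type/code, IPACCESSLOGP the TCP/UDP ports).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 105 denied icmp 10.1.2.3 -> 147.28.0.5 (3/4), 1 packet
%SEC-6-IPACCESSLOGDP: list 105 denied icmp 192.168.0.1 -> 147.28.0.5 (11/0), 3 packets
%SEC-6-IPACCESSLOGDP: list 105 denied icmp 172.16.9.9 -> 147.28.0.7 (3/1), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied tcp 10.0.0.9(4242) -> 147.28.0.5(2049), 1 packet
%SEC-6-IPACCESSLOGDP: list 105 denied icmp 192.168.5.5 -> 147.28.0.9 (8/0), 1 packet
"""

# ICMP types that are error reports about someone else's packet, as opposed
# to probes such as echo request (type 8).
ICMP_ERROR_TYPES = {3: "unreachable", 4: "source-quench", 5: "redirect",
                    11: "time-exceeded", 12: "parameter-problem"}

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packet")

def parse(line):
    """Return the fields of one denied-packet log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["itype"] = int(rec["itype"]) if rec["itype"] is not None else None
    return rec

def classify(text):
    """Count denied packets keyed by (source class, traffic class)."""
    tally = Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        src = ipaddress.ip_address(rec["src"])
        src_class = "rfc1918" if any(src in n for n in PRIVATE) else "other"
        if rec["proto"] != "icmp":
            kind = rec["proto"]
        elif rec["itype"] in ICMP_ERROR_TYPES:
            kind = "icmp-error:" + ICMP_ERROR_TYPES[rec["itype"]]
        else:
            kind = "icmp-other"
        tally[(src_class, kind)] += rec["count"]
    return tally

def error_fraction(tally):
    """Share of RFC 1918-sourced packets that were ICMP error messages."""
    total = sum(c for (s, _), c in tally.items() if s == "rfc1918")
    errs = sum(c for (s, k), c in tally.items()
               if s == "rfc1918" and k.startswith("icmp-error:"))
    return errs / total if total else 0.0
```

A high `error_fraction` on real logs supports the ICMP-error explanation; the remainder is what still needs chasing as spoofing or leaky NATs.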