UDP packet spoofed LAN source address?
freebsd-questions at pp.dyndns.biz
Sun Oct 17 14:06:17 UTC 2010
On 2010-10-17 06:56, Nerius Landys wrote:
> This is really more of a networking question.
> I'm wondering, in a typical scenario, for example my server is in a data
> center with a typical colocation company.
> I am editing someone else's code, and this code handles incoming UDP
> packets. The code handles UDP packets that have a source address being from
> the LAN differently. It gives those packets special treatment. To check
> whether a source address is a LAN address, it does the typical checks for
> 10.0.0.0, 172.16.0.0, 192.168.0.0, 127.0.0.0, and it also checks every
> assinged IP address with netmask to see if the source address on the UDP
> packet came from that network.
> My question is - how possible (in these typical environments) is it to send
> a UDP packet from far away that claims to have a source address being a LAN
> address? Will such a packet typically make it to my server, or will a
> router along the way stop it from arriving?
> Maybe, is there a simple 10 line C program that I can run and compile to
> check if this scenario is possible on _my_ server?
> - Nerius
Section 3 of RFC1918 (http://www.ietf.org/rfc/rfc1918.txt) states the
following, and I quote:
"Routers in networks not using private address space, especially those
of Internet service providers, are expected to be configured to reject
(filter out) routing information about private networks."
This makes it _highly_ unlikely that your server will be hit by spoofed
packets with a source address belonging to any of those private IP
ranges. However, if your data center use some of these addresses
internally, their internal routers will still forward such packages
making your server vulnerable for spoofed packages emanating from
another server within the same data center.
If, on the other hand, they're using public IP ranges internally,
there's also the possibility that your server could be hit by a spoofed
packet using an address from one of those internal nets as its source
address. This could possibly result in a DoS attack against the poor
server that IP address really belongs to. It's up to your data center's
firewall to block those packets. It should _never_ pass any packet
coming from the outside with a source address belonging to any network
on the inside, since they're obviously spoofed. A professional data
center should already have taken care of this but you need to ask them
to make sure.
More information about the freebsd-questions