UDP packet spoofed LAN source address?
Ian Smith
smithi at nimnet.asn.au
Sun Oct 17 16:01:42 UTC 2010
In freebsd-questions Digest, Vol 332, Issue 11, Message: 15
On Sat, 16 Oct 2010 21:56:52 -0700 Nerius Landys <nlandys at gmail.com> wrote:
> This is really more of a networking question.
> I'm wondering, in a typical scenario, for example my server is in a data
> center with a typical colocation company.
>
> I am editing someone else's code, and this code handles incoming UDP
> packets. The code handles UDP packets that have a source address being from
> the LAN differently. It gives those packets special treatment. To check
> whether a source address is a LAN address, it does the typical checks for
> 10.0.0.0, 172.16.0.0, 192.168.0.0, 127.0.0.0, and it also checks every
> assinged IP address with netmask to see if the source address on the UDP
> packet came from that network.
>
> My question is - how possible (in these typical environments) is it to send
> a UDP packet from far away that claims to have a source address being a LAN
> address? Will such a packet typically make it to my server, or will a
> router along the way stop it from arriving?
Very possible, yes, and usually not. IP routes by destination address.
Forged source addresses are common for the likes of DNS amplification
attacks, where you (in your thousands :) will reply to the supplied
source address, which is probably the _victim_ of the attack. You may
even complain to the admin of victim-net, compounding the mischief.
OTOH, forged local (eg RFC1918) source addresses are presumably either
designed to target likely LAN addresses, or - probably as commonly -
just incorrectly configured NAT setup on the source. Bad either way.
> Maybe, is there a simple 10 line C program that I can run and compile to
> check if this scenario is possible on _my_ server?
This is a job for your firewall, which needs imlicit or explicit rules
to drop spoofed packets, ie here packets with local addresses arriving
on the wrong (outside) interface, or for that matter, any response or
originating packets having such source addresses leaving your system on
its outside interface. See /etc/rc.firewall for ipfw(8) examples.
Of course your application can double-check, but if your firewall is
correctly configured, the application should never see such packets.
cheers, Ian
More information about the freebsd-questions
mailing list