
Re: Ip spoof from 0.0.0.0

From: batz <batsy(at)vapour.net>
Date: Thu Nov 07 2002 - 16:28:10 EST

Here are a number of speculative situations where spoofing packets from 0.0.0.0 would be useful to an attacker:

  • Finding hosts on a local subnet with a different default route via another interface, like a vpn. (the machines that don't respond are either filtering the port, or sending the response out the other interface)
  • Finding really old machines that respond to this as a broadcast.
  • Making the machines send acks or icmp port unreachable messages to their routers. (send a syn, get an icmp msg in reply, kind of a DoS, albeit sort of a limited one)
  • A passive spoofed portscan with the attacker on the local segment watching the response packets go out to the default router.
  • I also wonder if these packets get routed by routing gear, and if not, do they send icmp packets back, and if so where do they send them?

Here is some handwavy speculation, but it might be kinda cool.

  If a host responds to the syn packet sourced from 0.0.0.0 with an ack, it goes to the router either with the destination IP address rewritten with the default route addr of the host, or preserved as 0.0.0.0. The router could either forward it until it hits something without a default route or its ttl expires, or send back an unreachable message to the host, which would indicate to a listening attacker whether default routing was in use, or if traffic was taking a different path down the road.

  That's interesting. I bet you could use this to detect if traffic from a local host was taking a different route to the Internet.

  That's pretty handy if you want to see if your traffic is getting re-routed or worse, re-directed through a tunnel. What happens is that while you are on a host on the subnet, you spoof a SYN from 0.0.0.0 to an adjacent host (a.a.a.a). a.a.a.a responds with an ack to 0.0.0.0, which is its default router, but with a legitimate source.

  If the router forwards it as 0.0.0.0, any router that drops it will send an unreachable icmp back to a.a.a.a. You watch that icmp message go by and decide whether it came from a legitimate router. However, let's say traffic from that host is getting re-routed:

  If the device handling the redirected traffic receives the ack from a.a.a.a, it should either drop the packet and send an icmp unreachable, or send an RST if it has services open on it.

  It's all a very round-about way of doing things, but at least there are some reasons why one could imagine these packets as being hostile.

Cheers,   

On Wed, 6 Nov 2002, Nexus wrote:

:Date: Wed, 6 Nov 2002 23:53:10 -0000
:From: Nexus <nexus@patrol.i-way.co.uk>
:To: Frank Cheong <chocobofrank@hotmail.com>,
: Paul Gillingwater <paul@lanifex.com>
:Cc: incidents@securityfocus.com
:Subject: Re: Ip spoof from 0.0.0.0
:
:
:----- Original Message -----

-- 
batz
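Added example (not part of batz's post or of the list archive): the probe he describes, built by hand as a raw IPv4/TCP SYN with source 0.0.0.0, plus a small classifier for the packets one would expect to see on the segment afterwards: the host's SYN/ACK heading toward 0.0.0.0 (i.e. toward its default router), an ICMP destination-unreachable from a router you trust, and the same ICMP from a device that should not be on the path. All addresses (192.0.2.x TEST-NET), the "trusted router" set and the three reply packets are constructed here for illustration; nothing is sent on the wire, so it runs offline. Sending the probe for real would need a raw socket and root, and the classifier would be fed from a capture rather than from `demo()`.

```python
"""Craft the 0.0.0.0-sourced SYN and classify what the segment shows afterwards.

Sample packets are constructed inline (TEST-NET 192.0.2.x); nothing is transmitted.
"""
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
WILDCARD = "0.0.0.0"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int,
                seq: int, ack: int, flags: int) -> bytes:
    """20-byte TCP header; the checksum covers the pseudo-header, so the spoofed src matters."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_spoofed_syn(target: str, dport: int, sport: int = 40000, seq: int = 0x1234) -> bytes:
    """The probe from the post: a SYN whose IP source address is 0.0.0.0."""
    tcp = tcp_segment(WILDCARD, target, sport, dport, seq, 0, SYN)
    return ipv4_header(WILDCARD, target, 6, len(tcp)) + tcp


def icmp_unreachable(sender: str, victim: str, dropped: bytes, code: int = 0) -> bytes:
    """Constructed ICMP type 3 quoting the dropped packet's IP header plus 8 bytes."""
    msg = struct.pack("!BBHI", 3, code, 0, 0) + dropped[:28]
    msg = msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]
    return ipv4_header(sender, victim, 1, len(msg)) + msg


def header_checksum_ok(pkt: bytes) -> bool:
    """A valid IPv4 header sums to zero when its checksum field is included."""
    return checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def classify_response(pkt: bytes, probed_host: str, trusted_routers: set) -> str:
    """Label one packet captured on the segment after the probe was sent."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    body = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == 6 and src == probed_host and dst == WILDCARD:
        flags = body[13]                       # TCP flags byte
        if flags & RST:
            return "rst-to-0.0.0.0"
        if flags & SYN and flags & ACK:
            return "synack-to-0.0.0.0"         # host answered; reply heads for its default router
        return "tcp-other"
    if proto == 1 and dst == probed_host and body[0] == 3:
        # ICMP quotes the offending IP header: confirm it is the host's reply to 0.0.0.0
        quoted = body[8:28]
        if (socket.inet_ntoa(quoted[12:16]) == probed_host
                and socket.inet_ntoa(quoted[16:20]) == WILDCARD):
            who = "trusted-router" if src in trusted_routers else "unexpected-device"
            return "icmp-unreachable-from-" + who
    return "unrelated"


def demo() -> list:
    """Three constructed replies to the probe, in the order the post discusses them."""
    host, trusted = "192.0.2.10", {"192.0.2.1"}   # constructed: probed host, known default gateway
    synack_tcp = tcp_segment(host, WILDCARD, 80, 40000, 0xABCD, 0x1235, SYN | ACK)
    synack = ipv4_header(host, WILDCARD, 6, len(synack_tcp)) + synack_tcp
    from_router = icmp_unreachable("192.0.2.1", host, synack)    # legitimate router dropped it
    from_rogue = icmp_unreachable("192.0.2.50", host, synack)    # device on a redirected path
    return [classify_response(p, host, trusted) for p in (synack, from_router, from_rogue)]


if __name__ == "__main__":
    print(build_spoofed_syn("192.0.2.10", 80).hex())
    print(demo())
```

The interesting signal is the last label: an unreachable that quotes the host's reply to 0.0.0.0 but comes from an address outside the trusted-router set is exactly the "traffic is being re-routed" case the post speculates about. Note that the probe itself classifies as "unrelated" because its source is not the probed host, so the attacker's own packets do not pollute the result.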


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Thu Nov 7 21:58:27 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT
