Re: [EXIM] IP spoofing

Author: Malcolm Ray
Date:  
To: Marilyn Davis
CC: exim-users
Subject: Re: [EXIM] IP spoofing
>
> Hello again.
>
> I was told in private email that the real intent of my earlier message
> was not clear.
>
> I need to understand IP spoofing. I understand that it is the general
> consensus that it can be done, but how. Don't you have to reveal your
> real IP address to get a message out?


Imagine host badguy.example.com (real IP address 192.168.1.2) trying to
communicate with one of your hosts while masquerading as goodguy.example.net
(real IP address 172.16.3.4). It will have no difficulty generating IP
datagrams containing the source address 172.16.3.4, and these will reach
your system OK (IP routing will take care of that). But how can the datagrams
forming the other half of the conversation get back to badguy.example.com?
Surely they'll go to goodguy.example.net instead? This is where IP source
routing comes in. Every IP datagram contains zero or more 'options'; two
of the available options allow the sender to specify the route the datagram
will follow (rather than letting intermediate routers decide), with the
expectation that datagrams sent in response will follow the same route
back. Thus it's possible to steal someone else's IP address and still
get packets back and forth.

Because source routing is so easily abused, most routers, firewalls, operating
systems, and even some applications (like exim) can be configured to drop
source-routed traffic. If your router to the outside world isn't already
so configured, reconfigure it (there's rarely a legitimate need for source
routing).

In the absence of source routing, IP spoofing is harder, but it can sometimes
still be achieved, using 'TCP sequence number prediction'. This is a cute
trick, since it involves badguy.example.com carrying on a conversation with
you even though he can't hear your replies! Tsutomu Shimomura wrote an
excellent analysis of such an attack, available at various places, including:

http://weedo.blackout.org/Files/Texts/%20M/MoreMitnick.txt

Other reading:

RFC1948 Defending against sequence number attacks
CERT Advisories CA-95.01 and CA-96.21

ObExim: should exim really worry about this? IMO it ought to leave blocking
source-routed stuff to the OS and/or network infrastructure.

-- 
Malcolm Ray                           University of London Computer Centre
--
*** Exim information can be found at http://www.exim.org/ ***
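The two mechanisms Malcolm describes above, as an added worked example (this is illustrative code written for this page, not exim's code and not part of the original post). The first half parses the options area of an IPv4 header and flags the two source-route options (LSRR, type 131, and SSRR, type 137, from RFC 791), which is what a router, firewall or OS does when it drops source-routed traffic. The second half models the sequence-number-prediction attack: an old-style ISN generator that advances by a fixed amount per connection, the attacker's extrapolation from two probe connections made from his real address, and the per-connection hash that RFC 1948 recommends, which breaks the extrapolation. The addresses reuse the hosts in the message; the target port, the secret, the 250000/s timer rate and the SHA-256 choice of F are assumptions made for this example, and the packet bytes are constructed inline.

```python
"""Source-route option detection and ISN prediction, illustrative only."""
import hashlib
import struct

# IPv4 option types (RFC 791). 131 = LSRR, 137 = SSRR.
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137
SOURCE_ROUTE_OPTS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}
MASK32 = 0xFFFFFFFF


def ipv4_options(packet: bytes):
    """Yield (type, payload) for each option in an IPv4 header.
    Raises ValueError on a malformed header so a filter fails closed."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version/IHL")
    i = 20
    while i < ihl:
        t = packet[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option type without length")
        ln = packet[i + 1]
        if ln < 2 or i + ln > ihl:
            raise ValueError("bad option length")
        yield t, packet[i + 2:i + ln]
        i += ln


def source_route(packet: bytes):
    """Return (name, [hop addresses]) if the header carries LSRR/SSRR, else None.
    A filter would drop any packet for which this is not None."""
    for t, body in ipv4_options(packet):
        if t in SOURCE_ROUTE_OPTS:
            # body = 1 pointer byte followed by 4-byte route entries
            hops = [".".join(str(b) for b in body[k:k + 4])
                    for k in range(1, len(body) - 3, 4)]
            return SOURCE_ROUTE_OPTS[t], hops
    return None


def ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (constructed test input; checksum left 0)."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                      0, 0, 64, 6, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + options


class LegacyISN:
    """Predictable ISN: one global counter, +128000/s and +64000 per connection."""
    def __init__(self):
        self.conns = 0

    def isn(self, clock, local, remote):
        self.conns += 1
        return (128000 * clock + 64000 * self.conns) & MASK32


class Rfc1948ISN:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is a 4 us clock (250000/s); F is SHA-256 here, an assumed choice."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def isn(self, clock, local, remote):
        m = (250000 * clock) & MASK32
        key = f"{local[0]}:{local[1]}:{remote[0]}:{remote[1]}".encode() + self.secret
        f = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        return (m + f) & MASK32


def predict_next(observed):
    """Attacker's guess: extrapolate the per-connection step seen so far."""
    step = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + step) & MASK32


def prediction_attack(gen, clock=1000):
    """Probe the target twice from badguy's real address, then guess the ISN the
    target assigns to the spoofed connection from goodguy's address.  Returns
    (guess, actual); equality means the blind handshake can be completed."""
    target = ("10.0.0.1", 513)                     # assumed target host/port
    seen = [gen.isn(clock, target, ("192.168.1.2", p)) for p in (40000, 40001)]
    guess = predict_next(seen)
    actual = gen.isn(clock, target, ("172.16.3.4", 1023))   # spoofed source
    return guess, actual


if __name__ == "__main__":
    # LSRR option: type, length 7, pointer 4, one hop (badguy) so replies route via him
    pkt = ipv4_header("172.16.3.4", "10.0.0.1", bytes([IPOPT_LSRR, 7, 4, 192, 168, 1, 2]))
    print("source route:", source_route(pkt))
    print("legacy  (guess, actual):", prediction_attack(LegacyISN()))
    print("rfc1948 (guess, actual):", prediction_attack(Rfc1948ISN(b"constructed-secret")))
```

With the legacy generator the guess equals the actual ISN, so badguy can ACK a SYN/ACK he never sees; with the RFC 1948 generator the per-4-tuple hash term makes the probe connections say nothing useful about the spoofed one. The parser deliberately raises on malformed option lengths rather than skipping them, which is the fail-closed behaviour you want in anything that filters on options.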