North American Network Operators Group


address spoofing

  • From: Randy Bush
  • Date: Thu Apr 22 18:19:19 1999

first, apologies for bringing up an operational issue.

a long while back, i noticed my border filters were showing incoming
packets from 1918 addresses and my own address blocks.  i wrote this off
to anomalies and did not have the time to pursue.

yesterday, i happened to notice it again.  i described it on an internal
mailing list.  other folk looked at their filters, and lo and behold, it
is a widespread problem.

fyi, my filter looks like the following:

    ! what we allow to come in the serials from the world
    no access-list 105
    ! PSGnet
    access-list 105 deny ip  147.28.0.0    0.0.255.255   any
    access-list 105 deny ip  192.83.230.0  0.0.0.255     any
    access-list 105 deny ip  198.133.206.0 0.0.0.255     any
    ! loopback (not rfc1918, but never a valid source from the world)
    access-list 105 deny ip  127.0.0.0     0.255.255.255 any
    ! rfc1918
    access-list 105 deny ip  10.0.0.0      0.255.255.255 any
    access-list 105 deny ip  172.16.0.0    0.15.255.255  any
    access-list 105 deny ip  192.168.0.0   0.0.255.255   any
    ! block portmapper and nfsd attacks
    access-list 105 deny udp any                         any    eq sunrpc
    access-list 105 deny tcp any                         any    eq 2049
    ! block samba (tcp only; netbios name and datagram on 137/138 are udp)
    access-list 105 deny tcp any                         any    eq 137
    access-list 105 deny tcp any                         any    eq 138
    access-list 105 deny tcp any                         any    eq 139
    !
    ! some other stuff
    ! allow all others
    access-list 105 permit ip  any                       any

the results of 30 hours of running are

    deny ip 147.28.0.0 0.0.255.255 any (6 matches)
    deny ip 192.83.230.0 0.0.0.255 any
    deny ip 198.133.206.0 0.0.0.255 any
    deny ip 127.0.0.0 0.255.255.255 any (375 matches)
    deny ip 10.0.0.0 0.255.255.255 any (593 matches)
    deny ip 172.16.0.0 0.15.255.255 any (201 matches)
    deny ip 192.168.0.0 0.0.255.255 any (769 matches)
    deny udp any any eq sunrpc (9 matches)
    deny tcp any any eq 2049 (494 matches)
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139
    permit ip any any (9467763 matches)

when we tried it on routers in different parts of the network, it seemed
to show similar patterns.

anyone have clues other than net slime and misconfigured nats?

randy
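The access-list above, evaluated offline. This is an added example, not Randy's tooling or IOS output: a small Python simulator that parses the posted `access-list 105` lines, applies Cisco wildcard-mask matching with first-match semantics, and tallies which line each packet hits, the way the `(N matches)` column of `show access-lists` does. The sample packets, the port-name table and all function names are assumptions made for the example.

```python
"""Offline evaluator for the ingress access-list in the post.

Added example, not Randy Bush's tooling or IOS output. Parses the posted
'access-list 105' lines, applies Cisco wildcard-mask matching with
first-match semantics, and tallies matches per line the way
'show access-lists' does. The sample packets below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed copy of access-list 105 as posted (comments kept).
ACL_TEXT = """\
! PSGnet
access-list 105 deny ip  147.28.0.0    0.0.255.255   any
access-list 105 deny ip  192.83.230.0  0.0.0.255     any
access-list 105 deny ip  198.133.206.0 0.0.0.255     any
! rfc1918 (and loopback)
access-list 105 deny ip  127.0.0.1     0.255.255.255 any
access-list 105 deny ip  10.0.0.0      0.255.255.255 any
access-list 105 deny ip  172.16.0.0    0.15.255.255  any
access-list 105 deny ip  192.168.0.0   0.0.255.255   any
! block portmapper and nfsd attacks
access-list 105 deny udp any                         any    eq sunrpc
access-list 105 deny tcp any                         any    eq 2049
! block samba
access-list 105 deny tcp any                         any    eq 137
access-list 105 deny tcp any                         any    eq 138
access-list 105 deny tcp any                         any    eq 139
! allow all others
access-list 105 permit ip  any                       any
"""

# Port names IOS accepts after 'eq'; only the one used in the post is needed.
PORT_NAMES = {"sunrpc": 111}


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tok, i):
    """Return (base, wildcard, next_index) for 'any' or 'A.B.C.D W.X.Y.Z'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return ip_int(tok[i]), ip_int(tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N {deny|permit} proto src [wc] dst [wc] [eq port]'."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        action, proto = tok[2], tok[3]
        src, wc_s, i = _addr_spec(tok, 4)
        dst, wc_d, i = _addr_spec(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append({"text": " ".join(tok), "action": action, "proto": proto,
                      "src": (src, wc_s), "dst": (dst, wc_d), "dport": dport})
    return rules


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means don't care. Only the bits the wildcard
    fixes are compared, which is why the posted '127.0.0.1 0.255.255.255'
    behaves (and is displayed by IOS) as 127.0.0.0/8."""
    fixed = ~wildcard & 0xFFFFFFFF
    return (addr & fixed) == (base & fixed)


def evaluate(rules, src, dst, proto, dport=None):
    """First matching line wins; every IOS ACL ends in an implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not wildcard_match(s, *r["src"]) or not wildcard_match(d, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


def tally(rules, packets):
    """Per-line hit counts, like the '(N matches)' column of show access-lists."""
    counts = Counter()
    for src, dst, proto, dport in packets:
        counts[evaluate(rules, src, dst, proto, dport)[1]] += 1
    return counts


# Constructed inbound packets: (src, dst, proto, dst port). 147.28.0.5 is
# used as a destination inside the posted PSGnet block.
SAMPLE_PACKETS = [
    ("10.1.2.3", "147.28.0.5", "tcp", 80),        # rfc1918 source
    ("192.168.1.20", "147.28.0.5", "udp", 53),    # rfc1918 source
    ("192.168.7.7", "147.28.0.5", "tcp", 25),     # rfc1918 source
    ("127.0.0.9", "147.28.0.5", "tcp", 80),       # loopback source
    ("147.28.1.1", "147.28.0.5", "tcp", 80),      # own block arriving from outside
    ("8.8.8.8", "147.28.0.5", "tcp", 2049),       # nfsd probe
    ("8.8.8.8", "147.28.0.5", "udp", 137),        # netbios-ns over udp: not caught
    ("4.2.2.2", "147.28.0.5", "tcp", 80),         # ordinary traffic
]

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for text, n in tally(RULES, SAMPLE_PACKETS).items():
        print(f"{text} ({n} matches)")
```

Two things the run makes visible that the listing alone does not: the loopback line matches all of 127/8 despite being written as 127.0.0.1, because only the bits the wildcard fixes are compared, and the three `deny tcp ... eq 137/138/139` lines never see NetBIOS name or datagram traffic, which is UDP, which is consistent with their zero match counts in the post.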