North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: address spoofing

  • From: Danny McPherson
  • Date: Thu Apr 22 18:34:43 1999 
Perhaps ICMP Fragmentation Needed, and more frequently, ICMP Unreachables and 
Time-Exceeded or the like coming from private addressed devices.   I'd wager 
that if you modified your filters to differentiate ICMP and IP, it'd heavily 
lean towards ICMP error type stuff...

-danny


> first, apologies for bringing up an operational issue.
> 
> a long while back, i noticed my border filters were showing incoming
> packets from 1918 addresses and my own address blocks.  i wrote this off
> to anomalies and did not have the time to pursue.
> 
> yesterday, i happened to notice it again.  i described it on an internal
> mailing list.  other folk looked at their filters, and lo and behold, it
> is a widespread problem.
> 
> fyi, my filter looks like the following:
> 
>     ! what we allow to come in the serials from the world
>     no access-list 105
>     ! PSGnet
>     access-list 105 deny ip  147.28.0.0    0.0.255.255   any
>     access-list 105 deny ip  192.83.230.0  0.0.0.255     any
>     access-list 105 deny ip  198.133.206.0 0.0.0.255     any
>     ! rfc1918
>     access-list 105 deny ip  127.0.0.1     0.255.255.255 any
>     access-list 105 deny ip  10.0.0.0      0.255.255.255 any
>     access-list 105 deny ip  172.16.0.0    0.15.255.255  any
>     access-list 105 deny ip  192.168.0.0   0.0.255.255   any
>     ! block portmapper and nfsd attacks
>     access-list 105 deny udp any                         any    eq sunrpc
>     access-list 105 deny tcp any                         any    eq 2049
>     ! block samba                                               
>     access-list 105 deny tcp any                         any    eq 137
>     access-list 105 deny tcp any                         any    eq 138
>     access-list 105 deny tcp any                         any    eq 139
>     !
>     ! some other stuff
>     ! allow all others
>     access-list 105 permit ip  any                       any
> 
> the results of 30 hours of running are
> 
>     deny ip 147.28.0.0 0.0.255.255 any (6 matches)
>     deny ip 192.83.230.0 0.0.0.255 any
>     deny ip 198.133.206.0 0.0.0.255 any
>     deny ip 127.0.0.0 0.255.255.255 any (375 matches)
>     deny ip 10.0.0.0 0.255.255.255 any (593 matches)
>     deny ip 172.16.0.0 0.15.255.255 any (201 matches)
>     deny ip 192.168.0.0 0.0.255.255 any (769 matches)
>     deny udp any any eq sunrpc (9 matches)
>     deny tcp any any eq 2049 (494 matches)
>     deny tcp any any eq 137
>     deny tcp any any eq 138
>     deny tcp any any eq 139
>     permit ip any any (9467763 matches)
> 
> when we tried it on routers in different parts of the network, it seemed
> to show similar patterns.
> 
> anyone have clues other than net slime and misconfigured nats?
> 
> randy
>