BlitzenZeus
Preventing IP spoofing of the localhost
Instead of using the standard 127.0.0.1 address, using a mask of 127.0.0.0/255.0.0.0 provides connectivity for the localhost loopback while not allowing packets to be spoofed from 127.0.0.1 on the internet.
What could happen is, someone could spoof the common localhost address for messenger spam, and it would get through:
UDP (fake) 127.0.0.1:1234 -> Your.IP:1026
or even:
UDP (fake) 127.0.0.1:1234 -> Your.IP:135
It would be a one-way packet only, but it sure would get the spam through using a standard loopback rule. You likely would never know how it happened...
Then you just follow it up with an inbound block rule for 127.0.0.1.
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.
BlitzenZeus
I had a thought about proxy configurations, so if you need to accept inbound communications from that port that wasn't included in the rule, you can do this.
You allow everything inbound from 127.0.0.0/255.0.0.0, but leave out the software proxy port for the outbound rule.
NJH
Can you please explain how this works?
I thought that allowing anything from 127.0.0.0/255.0.0.0 meant that anything from all addresses starting 127 i.e. 127.0.0.0 -> 127.255.255.255 would be allowed. This means your first rule would have allowed anything from 127.0.0.1 before your last rule would get a chance to block it.
If I have misunderstood how the first rule works, please can you clarify it for me.
BlitzenZeus
You are incorrect. When you use a mask setting, you control things via which subnet they are on, and you can't fake the subnet where the packet came from.
The localhost loopback is on subnet 255.0.0.0, and unless you set up a home network on that range using that subnet, nothing else will be using it besides your localhost loopback.
Your internet connections are usually on the subnet 255.255.255.255, and if you have a LAN that subnet usually is 255.255.255.0.
So you allow 127.0.0.0/255.0.0.0, and then block the straight IP address of 127.0.0.1, since you already have allowed the communication you need. When you use the address only, it will consider all subnets for that packet.
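To see which rule a packet actually hits under the two orderings discussed above, here is an added Python model of a personal-firewall rule list; it is not Kerio's code and not from anyone in this thread. It assumes top-down first-match evaluation with a default block, and a hypothetical per-rule `iface` field for the interface a packet arrived on; the two packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str        # source address as written in the IP header (chosen by the sender)
    iface: str      # interface it arrived on, e.g. "lo" or "eth0" (not in the header)
    direction: str  # "in" or "out"

@dataclass
class Rule:
    action: str                  # "allow" or "block"
    direction: str               # "in" or "out"
    src: str                     # "127.0.0.1" or "127.0.0.0/255.0.0.0"
    iface: Optional[str] = None  # hypothetical field; None matches any interface

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        # A bare address is a /32; "addr/mask" is the whole subnet. Both forms
        # compare only the packet's source field, which is what a spoofer forges.
        net = ipaddress.ip_network(self.src, strict=False)
        return ipaddress.ip_address(pkt.src) in net

def evaluate(rules, pkt, default="block"):
    """Top-down, first matching rule wins; no match falls through to the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# The thread's ordering: allow the loopback subnet inbound, then block 127.0.0.1.
THREAD_RULES = [Rule("allow", "in", "127.0.0.0/255.0.0.0"),
                Rule("block", "in", "127.0.0.1")]

# Interface-aware ordering: loopback sources are only genuine on the loopback interface.
IFACE_RULES = [Rule("allow", "in", "127.0.0.0/255.0.0.0", iface="lo"),
               Rule("block", "in", "127.0.0.0/255.0.0.0")]

# Constructed packets: a genuine loopback packet and a forged one arriving on the NIC.
REAL_LOOPBACK = Packet("127.0.0.1", "lo", "in")
SPOOFED = Packet("127.0.0.1", "eth0", "in")

if __name__ == "__main__":
    for name, rules in (("thread", THREAD_RULES), ("iface", IFACE_RULES)):
        print(name, evaluate(rules, REAL_LOOPBACK), evaluate(rules, SPOOFED))
```

Both rule sets pass the genuine loopback packet; only the interface-aware set blocks the forged one, because the source field alone looks identical in both packets.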
scamperdude
Hi BlitzenZeus, I think I have a grasp on this anti-spoofing... maybe! By putting in the mask instead of 127.0.0.1, a spoofer must spoof the mask instead of just the 127.0.0.1? OK, so here is my question: I am trying out this rule adaptation, and I am wondering, since I am still getting requests for my programs to connect to 127.0.0.1 port 8080 (using Proxomitron), do I need to write rules for the programs to use this mask address as well... otherwise who am I stopping from spoofing? Maybe I don't understand.
BlitzenZeus
You can't spoof the subnet mask, that is part of that connection, and that is why this works. You allow the mask of the subnet it resides on, and block the rest.
Yes, you need to make a rule for each program you want to have access to Proxo on 127.0.0.1:8080, since you're trying to secure access to your proxy, but you don't have to use the mask in that rule. All outbound to 127.0.0.1 always goes to your localhost loopback, but you can use the mask in the rule if you want to.
This thread goes on more about software proxy configurations: "[Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)".
TheWiseGuy
The easiest way to stop spoofing is to only allow access OUT to Loopback. It was recently mentioned in the Yahoo group that Loopback only requires Outbound connections, and I believe this is correct.
I'm not sure I understand how specifying the subnet mask works to stop spoofing.
-- Dog and Butterfly
BlitzenZeus
I've actually come across a couple of programs that send out of the localhost for replies back to the communicating program, but not in the same connection as the outbound communication to the localhost, so the second connection was started by the program on the localhost. However, it's true most programs don't operate this way on the localhost.
In those cases you could easily just allow it inbound when you have to when using an outbound-only rule.
Pnar
That's really interesting. Like many, I didn't know the subnet mask tip in Kerio. Does it also work for a LAN network?