Securing Your Network Against Source IP Spoofing Attacks
By Chuck Semeria



Last January, the Internet Computer Emergency Response Team (CERT) issued a security warning describing a type of attack known as source IP spoofing, which leaves many of the 20 million government, business, university, and home computers on the global Internet vulnerable to eavesdropping and theft.

3Com responded immediately to that warning by distributing a report on the CERT advisory and describing how 3Com's NETBuilder® bridge/routers could be configured to provide security against this type of attack. Because we feel that Internet security is an important issue for our customers and deserves wide coverage, this article again describes 3Com's response to the CERT advisory.


How Source IP Spoofing Works

To generate this type of attack, network intruders create packets with spoofed source IP addresses. The intruders transmit packets from outside the protected domain that claim to be from a trusted machine inside the protected domain--in other words, the packet contains the source IP address of a trusted machine. If the router is not configured to filter incoming packets with source addresses that are in the local domain, it forwards the traffic and the targeted system may become compromised. A router will generally forward this traffic because when it makes its forwarding decision it examines only the destination IP address, not the source IP address. Figure 1 illustrates the operation of a spoofed source IP address attack.

The attacks are aimed at applications that use authentication based on source IP addresses. If successful, the attack leads to unauthorized use and possibly root access on the targeted system.

It is important to note that the described attack is possible even if no reply packets can reach the attacker. Also, disabling source routing at the router does not provide protection from this type of attack.

Examples of configurations that are potentially vulnerable to source IP spoofing attack include the following:

  • Routers to external networks that support multiple internal interfaces
  • Routers with two interfaces that support subnetting on the internal network
  • Proxy firewalls where the proxy applications use the source IP address for authentication
Figure 1. Spoofed Source IP Address Attack


The Source IP Spoofing Hijacking Tool

Once the network intruders have root access on a system, they use a tool to dynamically modify the UNIX® kernel. This modification allows them to hijack existing terminal and login connections from any user on the system. In taking over the existing connections, intruders can bypass one-time passwords and other strong authentication schemes by tapping the connection after the authentication is complete.

For example, a legitimate user connects to a remote site through a login or terminal session. However, the intruder hijacks the connection after the user has completed the authentication to the remote location so the remote site is now compromised. Currently, the tool is used primarily on SunOS™ 4.1.x systems. But the system features that make this attack possible are not unique to Sun operating systems.


How to Prevent Source IP Spoofing Attacks

The CERT Coordination Center recommends two steps to prevent this type of attack:

1. Install a filtering router that restricts the input to the external interface (known as an input filter) by not allowing a packet through if it has a source address from the internal network.
2. Filter outgoing packets that have a source address different from the internal network to prevent an attack originating from the local site.

Figure 2 illustrates the CERT recommendations. CERT recommends an alternate solution if a router--such as 3Com's NETBuilder router--does not support input filtering. As shown in Figure 3, spoofed IP packets can be filtered by installing a second router between the original external interface (a) and the outside connection (b). The intermediate router is configured to block all packets that have a source address in the internal network (c) on the outgoing interface connected to the original router.
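The following Python model is an added illustration of the two CERT filters; it is not code from the article, from CERT, or from 3Com. It models a two-port router whose forwarding decision, as described earlier, consults only the destination address, and then applies the input filter (step 1) and the output filter (step 2) in front of that decision. The internal address space (130.5.0.0/16, the Class B network the article's later examples use) and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout (an assumption for this example, not taken from the
# article): one Class B network inside, a two-port border router at the edge.
INTERNAL_NETS = [ip_network("130.5.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str       # source address as written in the header (may be spoofed)
    dst: str       # destination address
    in_iface: str  # interface the packet arrived on: "external" or "internal"


def is_internal(addr):
    """True if addr belongs to the protected (internal) address space."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def route(pkt):
    """Plain forwarding decision: only the destination is consulted, never the
    source. This is why an unfiltered router forwards a spoofed packet."""
    return "internal" if is_internal(pkt.dst) else "external"


def filter_packet(pkt):
    """Apply CERT's two filters before forwarding. Returns (action, reason)."""
    out_iface = route(pkt)
    # Step 1, input filter on the external interface: nothing arriving from the
    # Internet can legitimately carry an internal source address.
    if pkt.in_iface == "external" and is_internal(pkt.src):
        return "discard", "input filter: internal source arrived on external interface"
    # Step 2, output filter toward the Internet: anything leaving the site must
    # carry an internal source, otherwise this site is originating spoofed traffic.
    if out_iface == "external" and not is_internal(pkt.src):
        return "discard", "output filter: non-internal source leaving the site"
    return "forward", "forward via " + out_iface


# Constructed sample traffic (outside addresses taken from documentation ranges).
SAMPLE = [
    Packet("130.5.1.7", "130.5.2.9", "external"),      # spoofed: claims inside, arrived from outside
    Packet("192.0.2.10", "130.5.2.9", "external"),     # ordinary inbound traffic
    Packet("130.5.2.9", "192.0.2.10", "internal"),     # ordinary outbound traffic
    Packet("198.51.100.5", "192.0.2.10", "internal"),  # spoofed by a local host
]


def evaluate(packets=SAMPLE):
    """Decision per packet, in order: list of (src, dst, in_iface, action)."""
    return [(p.src, p.dst, p.in_iface, filter_packet(p)[0]) for p in packets]


if __name__ == "__main__":
    for src, dst, iface, action in evaluate():
        print(f"{src:>14} -> {dst:<14} on {iface:<8} {action}")
```

Note that `route()` alone would forward the first sample packet toward the internal interface; only the input filter, which looks at the arrival interface and the source address, rejects it. The fourth packet shows what the article's Example 1 through 3 configurations do not cover: egress traffic from a local host with a foreign source address, which step 2 discards.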

Figure 2. CERT-Recommended Filters

Figure 3. Alternate CERT Configuration


How to Deploy the 3Com Solution

The two-router solution offered by 3Com provides a cost-effective defense against a source IP spoofing attack. The outside router can be an inexpensive NETBuilder Remote Office 227, while the inside router can be another router from the NETBuilder family. In some cases, you might want to recommend routers from two different vendors, since a bug or back door that allows entry by a hacker in one vendor's code hopefully does not exist in the other vendor's code.

In many cases, the network topology can be characterized as follows (see Figure 4):

  • As an external link to the Internet, the network has a simple serial link to the network service provider's router.
  • The inside protected network consists of a few noncontiguous networks or subnets of a single network number.

The external router is configured with the required filters, and is also configured with a default route pointing to the Internet. The service provider installs static routes in their router that point to the customer's network.

For this configuration, it is not necessary to run a routing protocol over the external link. If the network connectivity is more complex and you are connected via a multi-point technology such as X.25 or frame relay, you can run BGP-4 on the NETBuilder Remote Office 227 to provide the required connectivity.

Many firewall configurations require the deployment of two routers. A typical Internet firewall employing two routers is illustrated in Figure 5. In this example, the routers create a packet filtering firewall while the bastion gateway functions as an application gateway firewall. A secure Internet firewall requires both packet filtering and application gateways. For more information on Internet firewalls, see "Constructing Firewalls" in the April 1995 issue of 3TECH.

Figure 4. Two-Router Network Configuration

Figure 5. Internet Firewall Example


3Com Solution Examples

The following examples illustrate how NETBuilder bridge/router software can be configured to support the CERT Advisory recommendations. Each of these examples assumes that the value of the NETBuilder software -IP FilterDefAction parameter is configured to Forward. Note that none of these examples prevent a source IP spoofing attack originating from the local site.

Example 1: Noncontiguous IP Network

This example illustrates a two-router solution where the internal network is configured with noncontiguous IP network numbers. The filters are installed on the border router, which can have only two interfaces. In a two-port router, an output filter on one port is equivalent to an input filter on the other port, as shown in Figure 6.

Figure 6. Noncontiguous IP Network Example

The border router is configured with the following filters:

ADD -IP FilterAddrs
   10.0.0.0/0.255.255.255 >
   10.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs
   20.0.0.0/0.255.255.255 >
   20.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs
   30.0.0.0/0.255.255.255 >
   30.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs
   10.0.0.0/0.255.255.255 <>
   20.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs
   10.0.0.0/0.255.255.255 <>
   30.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs
   20.0.0.0/0.255.255.255 <>
   30.0.0.0/0.255.255.255 Discard

This configuration prevents an external attack by discarding any incoming packet whose source address lies in network 10.0.0.0, 20.0.0.0, or 30.0.0.0, while still allowing the internal router to route traffic between networks with those addresses, because legitimate traffic between them never crosses the border router. This configuration also works for the cascade topology shown in Figure 7.

Figure 7. Noncontiguous IP Network Cascade Topology Example

Example 2: Multiple Subnet Network

This example illustrates a two-router solution where the internal network is configured with multiple subnets of the Class B network address, 130.5.0.0, shown in Figure 8.

Figure 8. Subnets on the Internal Network

The border router is configured with the following filter:

ADD -IP FilterAddrs
   130.5.0.0/0.0.255.255 >
   130.5.0.0/0.0.255.255 Discard

This configuration prevents an external attack by discarding any incoming packets with a 130.5.0.0 Class B network address, but it allows the internal router to route traffic between all subnetworks of 130.5.0.0. In this example a single filter can protect multiple subnets.

Example 3: Contiguous IP Address Network

This example illustrates a two-router solution where the internal network is configured with contiguous IP network numbers, as shown in Figure 9. Assume the service provider has provided the subscriber with the Classless Interdomain Routing (CIDR) block 200.5.0.0/255.255.0.0. The border router is configured with the following filter:

ADD -IP FilterAddrs
   200.5.0.0/0.0.255.255 >
   200.5.0.0/0.0.255.255 Discard

This configuration prevents an external attack by discarding any incoming packets with a 200.5.0.0 network address, but it allows the internal router to route traffic between the networks that make up the 200.5.0.0/255.255.0.0 supernet. In this example, a single filter can protect multiple contiguous IP network numbers assigned as a CIDR block.
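To make the behaviour of Examples 1 through 3 checkable, here is an added Python evaluator for the `ADD -IP FilterAddrs` statements shown above. It is not NETBuilder code and is not from the article or from 3Com; two points are assumptions about the syntax, consistent with every statement on the page: the mask after the slash is a wildcard mask (a 0 bit must match, a 1 bit is "don't care", so 10.0.0.0/0.255.255.255 covers all of 10.x.x.x), and `>` matches only source-to-destination while `<>` matches either direction. The default action mirrors -IP FilterDefAction = Forward, and the first matching statement decides (an assumption; every statement here is a Discard, so ordering cannot change the outcome). The filter sets are the article's Example 1 and Example 2 statements, written one per line; the tokenizer ignores line breaks, so the multi-line layout above parses the same way. Each test packet is a packet crossing the border router: traffic between two internal networks that arrives there can only be spoofed, since the internal router carries the legitimate case and it never reaches the border.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Filter statements from the article's Example 1 and Example 2, one per line.
EXAMPLE1 = """
ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 >  10.0.0.0/0.255.255.255 Discard
ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 >  20.0.0.0/0.255.255.255 Discard
ADD -IP FilterAddrs 30.0.0.0/0.255.255.255 >  30.0.0.0/0.255.255.255 Discard
ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 20.0.0.0/0.255.255.255 Discard
ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 30.0.0.0/0.255.255.255 Discard
ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 <> 30.0.0.0/0.255.255.255 Discard
"""
EXAMPLE2 = "ADD -IP FilterAddrs 130.5.0.0/0.0.255.255 > 130.5.0.0/0.0.255.255 Discard"


@dataclass(frozen=True)
class AddrSpec:
    """address/mask with the mask read as a wildcard (assumption): a 0 bit in the
    mask must match the address, a 1 bit is ignored."""
    base: int
    wild: int

    def matches(self, addr):
        care = ~self.wild & 0xFFFFFFFF
        return (int(IPv4Address(addr)) & care) == (self.base & care)


@dataclass(frozen=True)
class Rule:
    src: AddrSpec
    op: str        # ">" = source to destination only, "<>" = either direction (assumption)
    dst: AddrSpec
    action: str    # "Discard" or "Forward"

    def matches(self, src, dst):
        if self.src.matches(src) and self.dst.matches(dst):
            return True
        return self.op == "<>" and self.src.matches(dst) and self.dst.matches(src)


def parse_spec(text):
    base, wild = text.split("/")
    return AddrSpec(int(IPv4Address(base)), int(IPv4Address(wild)))


def parse_filters(config):
    """Tokenize ADD -IP FilterAddrs statements. Whitespace and line breaks
    between fields are ignored, so the article's three-line layout also parses."""
    toks = config.split()
    rules = []
    while toks:
        head, body, toks = toks[:3], toks[3:7], toks[7:]
        if head != ["ADD", "-IP", "FilterAddrs"] or len(body) != 4:
            raise ValueError("malformed FilterAddrs statement near " + " ".join(head))
        src, op, dst, action = body
        if op not in (">", "<>"):
            raise ValueError("unknown direction operator " + op)
        rules.append(Rule(parse_spec(src), op, parse_spec(dst), action.capitalize()))
    return rules


def filter_action(rules, src, dst, default="Forward"):
    """Decision for one packet crossing the border router. The default mirrors
    -IP FilterDefAction = Forward; the first matching statement wins (assumption)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


def demo():
    """Constructed packets against Example 1: returns (src, dst, action) triples."""
    rules = parse_filters(EXAMPLE1)
    cases = [
        ("10.1.2.3", "10.9.9.9"),    # spoofed 10.x traffic aimed at 10.x: Discard
        ("20.0.0.5", "30.0.0.7"),    # spoofed 20.x -> 30.x: Discard via the <> rule
        ("30.0.0.7", "20.0.0.5"),    # reverse direction of the same <> rule: Discard
        ("192.0.2.1", "10.1.2.3"),   # genuine inbound traffic: Forward
        ("10.1.2.3", "192.0.2.1"),   # genuine outbound traffic: Forward
    ]
    return [(s, d, filter_action(rules, s, d)) for s, d in cases]


if __name__ == "__main__":
    for src, dst, action in demo():
        print(f"{src:>10} -> {dst:<10} {action}")
```

Because the internal networks are covered by wildcard masks, a single statement protects a whole Class B (Example 2) or a whole CIDR block (Example 3, which uses the same mask shape as Example 2). The evaluator also shows why the article needs six statements for three noncontiguous networks in Example 1: each pair of internal networks needs its own `<>` rule, and each network needs a `>` rule for traffic spoofed between its own hosts.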

Figure 9. Multiple Contiguous IP Networks


Obtaining CERT Advisories


Summary

In a source IP spoofing attack, intruders transmit packets from outside the protected domain that claim to be from a trusted machine inside the protected domain because the packet contains the source IP address of a trusted machine. A router will generally forward this traffic because when it makes its forwarding decision, it examines only the destination IP address, not the source IP address. Once inside the system, intruders can use a tool to dynamically modify the UNIX kernel to take over existing connections and bypass authentication schemes by tapping the connection after authentication is complete.

CERT recommends installing input filtering on your routers to prevent intruders from gaining unauthorized access. If a router does not support input filtering, CERT recommends an alternate solution of installing a second router between the external interface and the outside connection. This intermediate router is configured to block all packets that have an internal network source address. The two-router solution offered by 3Com provides a cost-effective defense against a source IP spoofing attack. The outside router can be an inexpensive NETBuilder device, while the inside router can be a more full-featured NETBuilder router. A two-router solution is also required by many Internet firewall configurations.

Three examples illustrate how NETBuilder software can be configured to support the CERT Advisory recommendations on three different network configurations: a noncontiguous IP address network, a Class B multiple subnet network, and a multiple contiguous IP address network.