Last January, the Internet Computer Emergency Response Team (CERT) issued a security warning describing a type of attack known as source IP spoofing, which leaves many of the 20 million government, business, university, and home computers on the global Internet vulnerable to eavesdropping and theft.
3Com responded immediately to that warning by distributing a report on the CERT advisory and describing how 3Com's NETBuilder® bridge/routers could be configured to provide security against this type of attack. Because we feel that Internet security is an important issue for our customers and deserves wide coverage, this article again describes 3Com's response to the CERT advisory.
To generate this type of attack, network intruders create packets with spoofed source IP addresses. The intruders transmit packets from outside the protected domain that claim to be from a trusted machine inside the protected domain--in other words, the packet contains the source IP address of a trusted machine. If the router is not configured to filter incoming packets with source addresses that are in the local domain, it forwards the traffic and the targeted system may become compromised. A router will generally forward this traffic because when it makes its forwarding decision it examines only the destination IP address, not the source IP address. Figure 1 illustrates the operation of a spoofed source IP address attack.
The attacks are aimed at applications that use authentication based on source IP addresses. If successful, the attack leads to unauthorized use and possibly root access on the targeted system.
It is important to note that the described attack is possible even if no reply packets can reach the attacker. Also, disabling source routing at the router does not provide protection from this type of attack.
Examples of configurations that are potentially vulnerable to source IP spoofing attack include the following:
Once the network intruders have root access on a system, they use a tool to dynamically modify the UNIX® kernel. This modification allows them to hijack existing terminal and login connections from any user on the system. In taking over the existing connections, intruders can bypass one-time passwords and other strong authentication schemes by tapping the connection after the authentication is complete.
For example, a legitimate user connects to a remote site through a login or terminal session. However, the intruder hijacks the connection after the user has completed the authentication to the remote location so the remote site is now compromised. Currently, the tool is used primarily on SunOS(TM) 4.1.x systems. But the system features that make this attack possible are not unique to Sun operating systems.
The CERT Coordination Center recommends two steps to prevent this type of attack:
Figure 2 illustrates the CERT recommendations. CERT recommends an alternate solution if a router--such as 3Com's NETBuilder router--does not support input filtering. As shown in Figure 3, spoofed IP packets can be filtered by installing a second router between the original external interface (a) and the outside connection (b). The intermediate router is configured to block all packets that have a source address in the internal network (c) on the outgoing interface connected to the original router.
Figure 2. CERT-Recommended Filters
Figure 3. Alternate CERT Configuration
The two-router solution offered by 3Com provides a cost-effective defense against a source IP spoofing attack. The outside router can be an inexpensive NETBuilder Remote Office 227, while the inside router can be another router from the NETBuilder family. In some cases, you might want to recommend routers from two different vendors, since a bug or back door that allows entry by a hacker in one vendor's code hopefully does not exist in the other vendor's code.
In many cases, the network topology can be characterized as follows (see Figure 4):
The external router is configured with the required filters, and is also configured with a default route pointing to the Internet. The service provider installs static routes in their router that point to the customer's network.
For this configuration, it is not necessary to run a routing protocol over the external link. If the network connectivity is more complex and you are connected via a multi-point technology such as X.25 or frame relay, you can run BGP-4 on the NETBuilder Remote Office 227 to provide the required connectivity.
Many firewall configurations require the deployment of two routers. A typical Internet firewall employing two routers is illustrated in Figure 5. In this example, the routers create a packet filtering firewall while the bastion gateway functions as an application gateway firewall. A secure Internet firewall requires packet filtering and applications gateways. For more information on Internet firewalls, see "Constructing Firewalls" in the April 1995 issue of 3TECH.
Figure 4. Two-Router Network Configuration
Figure 5. Internet Firewall Example
The following examples illustrate how NETBuilder bridge/router software can be configured to support the CERT Advisory recommendations. Each of these examples assumes that the value of the NETBuilder software -IP FilterDefAction parameter is configured to Forward. Note that none of these examples prevent a source IP spoofing attack originating from the local site.
This example illustrates a two-router solution where the internal network is configured with noncontiguous IP network numbers. The filters are installed on the border router, which can have only two interfaces. In a two-port router, an output filter on one port is equivalent to an input filter on the other port, as shown in Figure 6.
Figure 6. Noncontiguous IP Network Example
The border router is configured with the following filters:
ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 > 10.0.0.0/0.255.255.255 Discard ADD -IP FilterAddrs 184.108.40.206/0.255.255.255 > 220.127.116.11/0.255.255.255 Discard ADD -IP FilterAddrs 18.104.22.168/0.255.255.255 > 22.214.171.124/0.255.255.255 Discard ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 126.96.36.199/0.255.255.255 Discard ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 188.8.131.52/0.255.255.255 Discard ADD -IP FilterAddrs 184.108.40.206/0.255.255.255 <> 220.127.116.11/0.255.255.255 Discard
This configuration prevents an external attack by discarding any incoming packets with the addresses 10.0.0.0, 18.104.22.168, and 22.214.171.124; but it allows the internal router to route traffic between networks with those addresses. This configuration also works for the cascade topology shown in Figure 7.
Figure 7. Noncontiguous IP Network Cascade Topology Example
This example illustrates a two-router solution where the internal network is configured with multiple subnets of the Class B network address, 126.96.36.199, shown in Figure 8.
Figure 8. Subnets on the Internal Network
The border router is configured with the following filter:
ADD -IP FilterAddrs 188.8.131.52/0.0.255.255 > 184.108.40.206/0.0.255.255 Discard
This configuration prevents an external attack by discarding any incoming packets with a 220.127.116.11 Class B network address, but it allows the internal router to route traffic between all subnetworks of 18.104.22.168. In this example a single filter can protect multiple subnets.
This example illustrates a two-router solution where the internal network is configured with contiguous IP network numbers, as shown in Figure 9. Assume the service provider has provided the subscriber with the Classless Interdomain Domain Routing (CIDR) block 22.214.171.124/255.255.0.0. The border router is configured with the following filter:
ADD -IP FilterAddrs 126.96.36.199/0.0.255.255 > 188.8.131.52/0.0.255.255 Discard
This configuration prevents an external attack by discarding any incoming packets with a 184.108.40.206 network address, but it allows the internal router to route traffic between supernets of 220.127.116.11/255.255.0.0. In this example, a single filter can protect multiple contiguous IP networks numbers assigned as a CIDR block.
Figure 9. Multiple Contiguous IP Networks Obtaining CERT Advisories
In a source IP spoofing attack, intruders transmit packets from outside the protected domain that claim to be from a trusted machine inside the protected domain because the packet contains the source IP address of a trusted machine. A router will generally forward this traffic because when it makes its forwarding decision, it examines only the destination IP address, not the source IP address. Once inside the system, intruders can use a tool to dynamically modify the UNIX kernel to take over existing connections and bypass authentication schemes by tapping the connection after authentication is complete.
CERT recommends installing input filtering on your routers to prevent intruders from gaining unauthorized access. If a router does not support input filtering, CERT recommends an alternate solution of installing a second router between the external interface and the outside connection. This intermediate router is configured to block all packets that have an internal network source address. The two-router solution offered by 3Com provides a cost-effective defense against a source IP spoofing attack. The outside router can be an inexpensive NETBuilder device, while the inside router can be a more full-featured NETBuilder router. A two-router solution is also required by many Internet firewall configurations.
Three examples illustrate how NETBuilder software can be configured to support the CERT Advisory recommendations on three different network configurations: a noncontiguous IP address network, a Class B multiple subnet network, and a multiple contiguous IP address network.