CA-95:01.README
Issue date:  January 23, 1995
Date of last revision: August 4, 1995

This file is a supplement to CERT advisory CA-95:01, "IP Spoofing
Attacks and Hijacked Terminal Connections," distributed on January 23,
1995. [See also ftp://info.cert.org/pub/cert_summaries/CS-95:01.] 
We update the file as additional information becomes available.

Note: After we publish checksums in advisories and READMEs, files are
sometimes updated at individual locations because of system upgrades or patch
installation. For current MD5 checksum values, we recommend that you check
with your vendor.

//////////////////
Added August 4, 1995

For IP spoofing to be successful, intruders rely on two machines
trusting each other through the .rhosts file or the /etc/hosts.equiv
file.  By exploiting applications whose authentication is based on IP
addresses (e.g., rsh and rlogin), intruders can gain user or root
access on targeted hosts.

We suggest that you use TCP wrappers to allow access from only a
select few machines.  Although this is not a complete solution, it
does reduce your susceptibility to attack.  Alternatively, change the
configuration of your Internet gateway so that rlogin and rsh from the
Internet to hosts in your domain are blocked.  If that is not
possible, disable the rlogin and rsh services on all of your hosts.

Some sites have turned off source routing in the belief that this
would prevent IP spoofing attacks. This is NOT the case. Although we
encourage sites to turn off source routing, doing so does not by itself
prevent IP spoofing attacks. To prevent such attacks it is necessary to
undertake packet filtering as described in the advisory.

In addition to the attacks described in this advisory, we are now
seeing attacks in which intruders gain access to a site using spoofed
loopback IP addresses rather than IP addresses belonging to that site.

We recommend that in addition to the packet filtering suggestions
described in Section III B of the advisory, you configure the
filtering router to filter inbound packets in the following IP ranges:

	127.0.0.0	-	127.255.255.255		(loopback)
	10.0.0.0	-	10.255.255.255		(reserved)
	172.16.0.0	-	172.31.255.255		(reserved)
	192.168.0.0	-	192.168.255.255		(reserved)


Other updates:

	o The CERT Coordination Center has been informed that any services 
	  that use Kerberos for authentication should not be vulnerable 
	  to an IP spoofing attack.  For more information about Kerberos, see

		ftp://rtfm.mit.edu/pub/usenet/news.answers/kerberos-faq

	o We also recognize that the information and solution 
	  described in the advisory do not address the 
	  issue of mobile IP spoofing.

	o As of August 4, 1995, information provided by a few vendors
	  has been added to this README.  For more up-to-date information,
	  contact your vendor.


Cisco Systems

The following information has been provided by Cisco Systems for
their customers.
-------------------------------------------------------------------------------
		     Begin Text Provided by Cisco

The defense is to set up your internet firewall router to deny packets
from OUTSIDE your network that claim to have a source address INSIDE
your network.

example configuration:

access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 198.92.93.0 0.0.0.255 0.0.0.0 255.255.255.255
[..rest of your firewall goes here..]

and so on, where access list 101 describes all possible source
addresses on YOUR network.  The example above describes a network with
internal source addresses of 131.108.x.x and 198.92.93.x.

Note: If you use only the two-line example described above without any 
other access-list commands, ALL TRAFFIC will be stopped on your interface
since the implicit action of an unmatched access-list is to deny packets.

If you only want source address spoofing protection and nothing else, add
the line

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

to the end of the earlier example.  This is NOT an optimal solution since
there are many other possible attacks barring the IP spoofing fixed here.

There are articles on this topic on the CIO information service and various
USENET mailing lists.  You can telnet to cio.cisco.com or point your WWW
browser at http://www.cisco.com.

Anyway!  Once you have defined an appropriate access list you can apply it
to the vulnerable interfaces.

Assuming your interface serial 0 faces the Internet:

interface serial 0
description interface facing the big, bad Internet
ip access-group 101 in

for a router running 9.21 or later.

If you DO NOT have 9.21, an upgrade is NOT required if your internet
firewall is a two port router (which it should be).  Simply
apply access-list 101 as described above to the LAN interface and not 
the serial interface.

example:

interface ethernet 0
description LAN port on my internet router
ip access-group 101 

The essence of this defense is that any packets coming from the internet that
claim to be from your network are tossed, thereby preventing the style of
attack described below.

Also, for good measure, ALL INTERNET FIREWALLS should have the global 
command

no ip source-route

which helps prevent other forms of spoofing attack from outside.


For further discussion of sequence number guessing attacks, see papers
by Morris and also Bellovin in

 ftp://ftp.research.att.com/dist/internet_security/117.ps.Z
 ftp://ftp.research.att.com/dist/internet_security/ipext.ps.Z

		      End Text Provided by Cisco
-------------------------------------------------------------------------------
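As an added example (not part of the CERT README or the Cisco text), the following Python evaluates an IOS-style access list the way the Cisco text describes: the two Cisco example lines, the four loopback and reserved ranges CERT recommends filtering above, and the final permit line, checked against constructed inbound packets. It also shows the implicit deny the Cisco note warns about when the permit line is left off; the ACL lines beyond Cisco's two, the sample addresses and the 192.0.2.x outside host are constructed for the example.

```python
import ipaddress

# Constructed sample access list: the two lines from the Cisco text, the four
# CERT-recommended loopback/reserved ranges written as IOS wildcard-mask
# entries, and the final permit-all line. Drop the last line to see the implicit deny.
ACL_101 = [
    "access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 198.92.93.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: a 0 bit must match exactly.
    Only contiguous wildcards (the only kind used on this page) are supported."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)

def parse_acl(lines):
    """Parse 'access-list N action ip SRC SRC_WC DST DST_WC' entries, keeping order."""
    rules = []
    for line in lines:
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            raise ValueError("unsupported entry: " + line)
        rules.append((f[2], wildcard_to_network(f[4], f[5]),
                      wildcard_to_network(f[6], f[7])))
    return rules

def acl_decision(rules, src, dst):
    """Evaluate like 'ip access-group 101 in': the first matching entry wins, and
    a packet matching no entry is dropped by the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    for src, dst in [("131.108.5.7", "131.108.1.1"), ("127.0.0.1", "198.92.93.4"),
                     ("192.0.2.10", "131.108.1.1")]:   # constructed inbound packets
        print(src, "->", dst, acl_decision(rules, src, dst))
    print("no permit line:", acl_decision(parse_acl(ACL_101[:-1]), "192.0.2.10", "131.108.1.1"))
```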


Morning Star Technologies, Inc.

The following information has been provided by Morning Star
Technologies for their customers.
-------------------------------------------------------------------------------
		 Begin Text Provided by Morning Star

TO ALL USERS OF MORNING STAR PRODUCTS:

Here is how to configure your Internet interface to prevent such
attacks:

    1) Locate the packet filter file controlling your interface to the
       Internet.  For users of Morning Star PPP, this will usually be
       /etc/ppp/Filter, /usr/etc/ppp/Filter, or /usr/lib/ppp/Filter.
       Users of Express routers should look in the file called Filter.
       Check your pppd (or frd for frame relay users) command line for
       a possibly different filter filename, or look for `ifconfig
       [interface] filter [filename]' commands in your Express
       router's rc.boot file.

    2) Within the packet filter file, locate the individual filter
       specification used by your Internet connection.  It will begin
       with either the hostname or IP address of the remote side of a
       PPP connection, the local hostname or IP address of a frame
       relay, Ethernet, or RF modem connection, or the special keyword
       `default' for any type of connection.

    3) Within the appropriate filter specification, locate the `pass'
       filter.

    4) Add the following line to the beginning of the pass filter:

          !ip_opt=srcrt

       This will cause all transmitted or received IP packets with
       Source Routing options to be discarded.

    5) Determine the IP network number or numbers of your internal
       network or networks.  Insert a set of lines similar to the
       following pair following the source route rule described in
       step 4) above for each internal network number.

          !recv/src/[network-number]
          !send/dst/[network-number]

       This will block all received packets containing a source IP
       address in your internal network, and will block the
       transmission of all packets containing a destination IP address
       in your internal network.  For example, we have Class B network
       137.175, so our Filter file contains

          !ip_opt=srcrt
          !recv/src/137.175.0.0
          !send/dst/137.175.0.0

       If you don't have a whole IP network, you'll also need to
       specify a netmask.  For example, an organization that has both
       the Class C network 192.1.1.0 and the Class-C-sized 10.1.220.0
       segment of the Class A net 10 would add these lines

          !ip_opt=srcrt
          !recv/src/192.1.1.0
          !send/dst/192.1.1.0
          !recv/src/10.1.220.0/255.255.255.0
          !send/dst/10.1.220.0/255.255.255.0

FURTHER NOTE:

Do not configure any of your systems to trust any of the Unix `r'
commands (rlogin, rsh, etc.) from any machine outside your firewall.
Such systems can be spoofed as easily as internal machines, but
spoofed packets cannot be detected at your firewall.

GETTING MORE HELP:

If you need any help with these modifications, call our customer
support hotline at +1 800 558 7827 or send us e-mail at
support@MorningStar.Com.  When sending e-mail, please include the
phrase CERT SECURITY PROBLEM in your Subject: header.  We will provide
assistance with this to all Morning Star customers, even for those
without current customer support agreements.  If you do not have a
current support agreement, use the phrase `CERT SECURITY PROBLEM' when
asked for your customer support number.

		  End Text Provided by Morning Star
------------------------------------------------------------------------------


3COM

The following information has been provided by 3COM for their customers.
------------------------------------------------------------------------------
		     Begin Text Provided by 3COM

The following examples illustrate how NETBuilder software can be
configured to support the CERT Advisory recommendations.  Each of
these examples assumes that the value of the -IP FilterDefAction
parameter is configured to Forward.

Example 1:

This example illustrates a two-router solution where the internal
network is configured with non-contiguous IP network numbers.  The
filters are installed on the border router, which can only have two
interfaces.  In a two-port router, an output filter on one port is
equivalent to an input filter on the other port.  Please refer to
Figure 1:

Figure 1: Non-Contiguous IP Networks


                        |                                                 
           | Border |   |   |Internal|--- 10.0.0.0
Outside  --| Router |---|---| Router |
                        |   |        |--- 20.0.0.0                
                        | 
                     30.0.0.0



The border router is configured with the following filters:

ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 >  
          10.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 >  
          20.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs 30.0.0.0/0.255.255.255 >  
          30.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 
          20.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 
          30.0.0.0/0.255.255.255 Discard

ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 <> 
          30.0.0.0/0.255.255.255 Discard

This configuration prevents the external attack and allows the
internal router to route traffic between networks 10.0.0.0, 20.0.0.0,
and 30.0.0.0.  This configuration also works for the cascade topology
shown in Figure 2.


Figure 2: Non-Contiguous IP Networks (alternate topology)


                        |                |
           | Border |   |   |Internal|   |   |Internal|
Outside ---| Router |---|---| Router |---|---| Router |--- 10.0.0.0
                        |                |
                        |                | 
                    30.0.0.0          20.0.0.0 


Example 2:

The second example illustrates a two-router solution when the internal
network is configured with multiple subnets of the Class B network
address - 130.5.0.0.  The subnet mask is 255.255.255.0.  Please refer
to Figure 3.


Figure 3: Subnets on the Internal Network


                        |                                                 
           | Border |   |   |Internal|--- 130.5.2.0
Outside  --| Router |---|---| Router |
                        |   |        |--- 130.5.3.0                
                        | 
                    130.5.1.0    Subnet Mask = 255.255.255.0

                                                          
The border router is configured with the following filter:

ADD -IP FilterAddrs 130.5.0.0/0.0.255.255 >  
         130.5.0.0/0.0.255.255 Discard

This configuration prevents the external attack and allows the internal router 
to route traffic between all subnetworks of 130.5.0.0.  In this example, a 
single filter can protect multiple subnets.  

Example 3:

The final example illustrates a two-router solution when the internal
network is configured with contiguous IP network numbers.  Assume the
service provider has provided the subscriber with the CIDR block
200.5.0.0/255.255.0.0.  Please refer to Figure 4:


Figure 4: Multiple Contiguous IP Networks


                        |                                                 
           | Border |   |   |Internal|---  200.5.2.0
Outside  --| Router |---|---| Router |
                        |   |        |---  200.5.3.0             
                        | 
                     200.5.1.0    CIDR Mask = 255.255.0.0

The border router is configured with the following filter:

ADD -IP FilterAddrs 200.5.0.0/0.0.255.255 >  
          200.5.0.0/0.0.255.255 Discard

This configuration prevents the external attack and allows the
internal router to route traffic between supernets of
200.5.0.0/255.255.0.0.  In this example, a single filter can protect
multiple contiguous IP network numbers assigned as a CIDR block.

		      End Text Provided by 3COM
------------------------------------------------------------------------------
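As an added example (not from 3COM or the README), this Python models the six NETBuilder filters of Example 1 as the two-port border router would apply them, with '>' matching one direction, '<>' matching both, and the assumed FilterDefAction of Forward as the fallback. The reading of the mask after '/' as a wildcard (inverted) mask, the sample packets, and the 192.0.2.5 outside host are assumptions made for the example.

```python
import ipaddress

# Constructed transcription of the six NETBuilder filters from 3COM's Example 1
# (Figure 1). The mask after '/' is treated as a wildcard (inverted) mask, which
# matches Example 3 writing "CIDR Mask = 255.255.0.0" as 0.0.255.255.
EXAMPLE_1_FILTERS = [
    "ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 > 10.0.0.0/0.255.255.255 Discard",
    "ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 > 20.0.0.0/0.255.255.255 Discard",
    "ADD -IP FilterAddrs 30.0.0.0/0.255.255.255 > 30.0.0.0/0.255.255.255 Discard",
    "ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 20.0.0.0/0.255.255.255 Discard",
    "ADD -IP FilterAddrs 10.0.0.0/0.255.255.255 <> 30.0.0.0/0.255.255.255 Discard",
    "ADD -IP FilterAddrs 20.0.0.0/0.255.255.255 <> 30.0.0.0/0.255.255.255 Discard",
]
FILTER_DEF_ACTION = "Forward"   # the -IP FilterDefAction value the 3COM text assumes

def addr_spec(spec):
    """'10.0.0.0/0.255.255.255' -> IPv4Network, reading the mask as a wildcard."""
    addr, wildcard = spec.split("/")
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)

def parse_filters(lines):
    """Return (src_net, direction, dst_net, action) tuples; '<>' is bidirectional."""
    out = []
    for line in lines:
        f = line.split()
        if f[:3] != ["ADD", "-IP", "FilterAddrs"] or f[4] not in (">", "<>"):
            raise ValueError("unsupported filter: " + line)
        out.append((addr_spec(f[3]), f[4], addr_spec(f[5]), f[6]))
    return out

def border_action(filters, src, dst):
    """Decide what the two-port border router does with a packet crossing it
    (an output filter on one port is equivalent to an input filter on the other)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, direction, b, action in filters:
        if (s in a and d in b) or (direction == "<>" and s in b and d in a):
            return action
    return FILTER_DEF_ACTION

if __name__ == "__main__":
    filters = parse_filters(EXAMPLE_1_FILTERS)
    for src, dst in [("10.1.1.1", "10.2.2.2"),   # both internal: only a spoof reaches the border
                     ("20.1.1.1", "10.1.1.1"),   # 20<->10 traffic never legitimately crosses it
                     ("192.0.2.5", "10.1.1.1"),  # ordinary inbound packet
                     ("10.1.1.1", "192.0.2.5")]: # ordinary outbound packet
        print(src, "->", dst, border_action(filters, src, dst))
```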
//////////////////
