IP Spoofing and Defenses

IP address spoofing is the creation of IP packets with a forged source address, either to conceal the identity of the sender or to impersonate another computer system. The usual aim is to masquerade as a host that the target trusts in order to gain unauthorized access to a protected environment. Because IP itself does nothing to authenticate the source address field, a packet that claims to come from an address trusted by a server or firewall can pass the IP-based filtering that would otherwise block it. Note that the attacker generally does not receive the replies, which are sent to the spoofed address, so spoofing is most useful for one-way traffic (flooding, for instance) or for protocols whose responses can be predicted.

The objective of IP spoofing in most, but not all, cases is to gain unauthorized access to a server or service. DNS spoofing differs from IP spoofing in that the objective is to send users to a different location than the one to which they thought they were going. For example, assume a user wants to log in to Facebook. He enters the Facebook URL into his browser. The browser contacts a Domain Name System (DNS) server, which looks up the IP address matching the host name in the URL. The user is then taken to the site at that IP address, where he enters his login name and password. DNS spoofing corrupts that resolution step (for example by compromising the DNS server or poisoning a resolver's cache) so that the Facebook name resolves to the IP address of a malicious party, where a web site that looks like Facebook has been set up. Now when the user enters the URL in a browser, he is taken to the fake web site, where his login name and password are captured and stored. The web site might then report that Facebook is offline for maintenance, and the user decides to try again later. In the meantime, the attacker uses the victim's credentials to log into his Facebook account and gains a foothold for identity theft. Even more nefarious would be an attacker using DNS spoofing to point to a fake bank web site, or another site where the attacker may be able to capture sensitive data.

IP spoofing is not, however, always carried out with malicious intent. In performance testing of web sites, hundreds or even thousands of virtual users may be created, each executing a test script against the site under test, in order to simulate what will happen when the system goes live and a large number of users log on at once. Commercial testing products can use IP spoofing to give each virtual user its own source IP address, so that the load looks to the server (and to any load balancer in front of it) as if it came from many distinct clients.

IP Spoofing: Defenses

There are several possible defenses against IP spoofing. Packet filtering at the network boundary is the first. The gateway to a network usually performs ingress filtering, that is, blocking packets arriving from outside the network whose source address lies inside it; this prevents an outside attacker from spoofing the address of an internal machine. Ideally, the gateway also performs egress filtering on outgoing packets, blocking packets from inside the network whose source address is not inside it; this prevents an attacker (or a compromised host) within the network from launching IP spoofing attacks against external machines, and is the practice that BCP 38 asks every network operator to implement so that spoofed floods are stopped close to their source. In addition, many firewalls (pfSense included) perform bogon filtering: packets from the Internet claiming a source in address space that is reserved, or not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR), are blocked, since no legitimate host can be using such an address.
Some upper-layer protocols provide their own partial defense against IP spoofing. For example, the Transmission Control Protocol (TCP) uses sequence numbers exchanged with the remote machine during the three-way handshake to check that arriving segments belong to an established connection. Since an attacker sending spoofed packets normally cannot see the replies, which go to the spoofed address, the sequence number must be guessed in order to complete a connection or hijack an existing one; modern stacks randomize their initial sequence numbers precisely to make that guess impractical, which is why blind TCP spoofing is far harder today than when the classic attacks were published.
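The three boundary checks described above (ingress, egress and bogon filtering) reduce to one small decision per arriving packet: which interface did it come in on, and is its claimed source address plausible for that interface? The following Python is an added illustration of that decision, not code from the original post or from pfSense; the interface names, the internal prefixes and the deliberately short bogon list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: each internal interface and the prefixes that legitimately
# live behind it. "wan" faces the Internet and owns no prefix of its own here.
INTERFACE_NETS = {
    "lan": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz": [ipaddress.ip_network("172.16.10.0/24")],
    "wan": [],
}

# Bogon table: a constructed subset of reserved/unallocated space. The real list is
# long and changes as IANA and the RIRs allocate space, so load it from a
# maintained feed (pfSense refreshes its bogons table periodically) rather than
# hard-coding it in production.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # claimed source address
    dst: str    # destination address


def in_any(addr, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def spoof_check(pkt: Packet) -> str:
    """Decide whether an arriving packet passes the source-address sanity checks.

    Returns "pass" or "drop:<reason>". Direction matters: the same source
    address can be legitimate on one interface and a forgery on another.
    """
    src = ipaddress.ip_address(pkt.src)
    internal = [net for nets in INTERFACE_NETS.values() for net in nets]

    if pkt.iface == "wan":
        # Ingress filtering: a packet from the Internet may not claim an address
        # that belongs to one of our own networks.
        if in_any(src, internal):
            return "drop:ingress-spoof"
        # Bogon filtering: reserved or unallocated space never appears
        # legitimately as a source on the Internet side.
        if in_any(src, BOGONS):
            return "drop:bogon"
        return "pass"

    # Egress filtering: a packet arriving on an internal interface must carry a
    # source address from that interface's own prefixes. This also stops a DMZ
    # host from impersonating a LAN host and vice versa.
    if not in_any(src, INTERFACE_NETS[pkt.iface]):
        return "drop:egress-spoof"
    return "pass"


if __name__ == "__main__":
    # Constructed sample packets, one per case the checks are meant to catch.
    samples = [
        Packet("wan", "203.0.113.7", "192.168.1.10"),   # ordinary Internet traffic
        Packet("wan", "192.168.1.10", "192.168.1.20"),  # outsider claiming a LAN address
        Packet("wan", "10.1.2.3", "192.168.1.10"),      # RFC 1918 source from the Internet
        Packet("lan", "192.168.1.5", "203.0.113.7"),    # legitimate LAN host going out
        Packet("lan", "172.16.10.5", "203.0.113.7"),    # LAN host forging a DMZ address
        Packet("lan", "203.0.113.99", "203.0.113.7"),   # LAN host forging a public address
    ]
    for pkt in samples:
        print(f"{pkt.iface:>3} src={pkt.src:<14} -> {spoof_check(pkt)}")
```

The order of the two WAN checks matters only for the reason reported: an RFC 1918 source arriving from the Internet is both "one of ours" (if you use that range) and a bogon, and either way it is dropped. The egress branch is the BCP 38 check; note that it has to run on the internal interface where the packet enters the firewall, because after NAT the packet leaving the WAN side carries the firewall's own address and the forgery is no longer visible.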

Implementing encryption and authentication above the IP layer will also reduce spoofing threats. IPsec, which can authenticate every packet end to end, is part of the IPv6 protocol suite, but its use is not mandatory in practice, and IPv6 does not by itself eliminate spoofing: the source address of an unauthenticated IPv6 packet is just as forgeable as that of an IPv4 packet. Additionally, a system administrator should eliminate address-based (host-based) trust, such as rhosts/hosts.equiv-style authentication or access lists keyed only on the client's IP address, which is still common for machines on the same subnet, and should ensure that proper authentication is in place and carried out over a secure, encrypted channel.

IP spoofing is a common problem without a simple solution, since IP itself has no mechanism to verify a packet's source address. Understanding how and why spoofing attacks are used, along with a few simple prevention methods, can help protect your network from these techniques.

External Links:

IP spoofing on Wikipedia

Egress Filtering with pfSense

Egress Filtering Explained

[Screenshot: Adding a rule to allow HTTP traffic from the LAN in pfSense 2.0.]

In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another, typically from a private TCP/IP network to the Internet. pfSense, like nearly all similar commercial and open source solutions, ships with a LAN rule allowing everything from the LAN out to the Internet. Allowing outbound traffic indiscriminately is not a good idea; it has become the default in most firewalls only because it is what most users expect.

Egress filtering can be challenging: it increases the administrative burden, since each new application or service may require opening additional ports, and in large organizations that effort may even be cost-prohibitive. Nevertheless, you should strive to allow only the minimum amount of traffic to leave your network, for the following reasons:

  • Limiting the impact of a compromised system: Malware commonly uses ports and protocols that are not required on many networks. Many bots rely on IRC connections (typically TCP port 6667) to receive instructions. Some use other ports to evade egress filtering, but many do not.
    Another good example is a distributed denial of service (DDoS) attack launched from compromised internal hosts against port 80 of some external target. Such attacks often use the User Datagram Protocol (UDP), since UDP lets the sender emit a large number of packets without completing a handshake. Most networks need only a handful of outbound UDP services (DNS and NTP, typically, and ideally only from the internal resolver and time server), so outbound UDP to arbitrary destinations can be blocked. The real solution is to remove the malware from the compromised system or systems, but if proper egress filtering is in place, the DDoS packets will be dropped by pfSense before they leave your network.
    Simple Mail Transfer Protocol (SMTP) is another example. If your mail server is behind the firewall, only that server should be allowed to send TCP traffic to port 25; if the mail server is externally hosted, block outbound port 25 entirely. Either way, a compromised workstation cannot be used as a spam zombie, which would also land your public IP address on other mail servers' block lists.
  • Preventing a system from becoming compromised: Some malware and worms require outbound access to succeed. For example, Nimda, a worm of the same era as Code Red (the two are often mentioned together), caused infected IIS systems to pull its payload from the attacking host via the Trivial File Transfer Protocol (TFTP, UDP port 69) and then execute it. You almost certainly do not need TFTP to leave your network, and blocking UDP port 69 via egress filtering stopped that infection vector from completing, even on unpatched systems.
  • Limiting unauthorized application usage: Many applications either rely on atypical ports or will port hop until they find something allowed out of your network; this is especially true of peer-to-peer software, instant messengers and VPN clients. Egress filtering can prevent such programs from functioning.
  • Preventing information leaks: There are a number of potential examples of this, but one from a previous posting is the Simple Network Management Protocol (SNMP) on UDP ports 161 and 162. You probably do not want this data to leave your network, as doing so leaks potentially sensitive device configuration and monitoring information. Rather than worry about each such protocol individually, it is best to allow only the traffic that is required.
  • Preventing IP spoofing: This is not really an issue with pfSense, since pf has anti-spoofing capabilities built into it, but it is worth mentioning.

Configuring Egress Filtering in pfSense

[Screenshot: The firewall rules table after the rules for ports 80, 443 and 25 have been added.]

As an example of egress filtering, here is an instance in which we will explicitly allow necessary traffic and disable everything else. Assume for purposes of this example that we have identified the following requirements:

Traffic required:

  Rule                        Source IP         Destination IP    Destination port
  HTTP and HTTPS              any               any               TCP 80 and 443
  SMTP from the mail server   mail server IP    any               TCP 25

Thus, we want to allow outbound HTTP, HTTPS and SMTP traffic and nothing else.

First, navigate to Firewall -> Rules and select the "LAN" tab to create a new LAN rule. Unless you have made changes, there should already be a "Default allow LAN to any" rule there. Click on the "plus" button to add a new rule. Leave "Action" set to "Pass", "Interface" set to "LAN" and "Protocol" set to "TCP". Set both "Source" and "Destination" to "any" (setting "Source" to "LAN net" instead is slightly tighter, since it also drops packets from LAN hosts carrying forged source addresses), and set "Destination port range" to "HTTP". At "Description", type an appropriate description, press "Save" to save the changes, and then press "Apply changes" to apply them.

[Screenshot: Disabling the default allow LAN to any rule.]

To create the rules for ports 443 and 25, repeat the above steps twice, selecting "HTTPS" for "Destination port range" the first time and "SMTP" the second time. For the SMTP rule, set "Source" to the mail server's IP address rather than "any", as the requirements table specifies, so that only that host can deliver mail directly. Once the new rules are added, all that is left to do is disable the "Default allow LAN to any" rule. Click on the "e" (edit) icon next to this rule, check the "Disable this rule" box next to "Disabled", then click "Save" to save the changes and "Apply changes" to apply them.

Now all outbound traffic from the LAN except for these three ports will be blocked. Note that this includes DNS: LAN rules also govern traffic to the firewall's own LAN address (the anti-lockout rule covers only the web GUI and SSH), so once the default rule is disabled, LAN hosts can no longer query pfSense's DNS forwarder or any external resolver until you add a rule allowing TCP and UDP port 53 to the resolver you use. Expect similar requests for NTP and other services as they surface. This makes the admin's job somewhat more challenging, but it should reduce the chances that malware or spam bots gain a foothold on your network.
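As an added example, not from the original post or from pfSense itself, here is the requirements table above expressed as an ordered, first-match rule set with a default deny, which is how pfSense evaluates the LAN rules once the "Default allow LAN to any" rule is disabled. The addresses are constructed, and the DNS rule is an assumption added to show the most common thing that breaks after this change: LAN hosts can no longer reach the firewall's own DNS forwarder until a rule for port 53 exists.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing for the example; substitute your own.
LAN_NET = "192.168.1.0/24"
MAIL_SERVER = "192.168.1.25"
FIREWALL_LAN_IP = "192.168.1.1"   # where the pfSense DNS forwarder listens


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    proto: Optional[str] = None           # None matches any protocol
    src: Optional[str] = None             # host or CIDR; None matches any
    dst: Optional[str] = None             # host or CIDR; None matches any
    dports: FrozenSet[int] = frozenset()  # empty set matches any port
    descr: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto and self.proto != flow.proto:
            return False
        if self.src and ipaddress.ip_address(flow.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(flow.dst) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# The post's requirements table as LAN rules. pfSense evaluates the rules on an
# interface top-down and the first match wins; a flow matching nothing falls
# through to the implicit default deny that remains once the default allow rule
# is disabled.
LAN_RULES: List[Rule] = [
    Rule("pass", "tcp", None, None, frozenset({80, 443}), "Allow HTTP and HTTPS"),
    Rule("pass", "tcp", MAIL_SERVER, None, frozenset({25}), "Allow SMTP from the mail server"),
]

# Assumed addition, not from the post: without it, LAN hosts cannot even reach the
# firewall's own DNS forwarder once the default rule is disabled.
DNS_RULE = Rule("pass", None, LAN_NET, FIREWALL_LAN_IP, frozenset({53}),
                "Allow DNS to the forwarder")


def evaluate(flow: Flow, rules: List[Rule] = LAN_RULES) -> Tuple[str, str]:
    """Return (action, description of the matching rule) for a LAN-originated flow."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.descr
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample flows from LAN hosts, including the things the post's
    # rules are meant to stop (a workstation sending mail directly, a bot's IRC
    # command channel) and the DNS query that the three rules alone also block.
    samples = [
        Flow("tcp", "192.168.1.50", "203.0.113.10", 443),
        Flow("tcp", "192.168.1.25", "203.0.113.10", 25),
        Flow("tcp", "192.168.1.50", "203.0.113.10", 25),
        Flow("tcp", "192.168.1.50", "203.0.113.10", 6667),
        Flow("udp", "192.168.1.50", FIREWALL_LAN_IP, 53),
    ]
    for f in samples:
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}: {evaluate(f)}")
    print("with DNS rule:", evaluate(samples[-1], LAN_RULES + [DNS_RULE]))
```

Because the rules are first-match, the DNS rule can go anywhere in the list; what matters is that it exists at all, and that nothing broader sits above it. The SMTP rule is keyed on the mail server's address, so a workstation attempting to deliver mail directly falls through to the default deny, which is exactly the spam-zombie case the post describes.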

External links:

Egress Filtering FAQ – an excellent whitepaper on egress filtering from the SANS Institute

Performing Egress Filtering – another whitepaper on egress filtering

Egress filtering on WhatIs.com

Egress filtering on Wikipedia

Firewall Best Practices – Egress Traffic Filtering from The Security Skeptic

© 2013 David Zientara. All rights reserved.