* icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED
@ 2004-03-18 22:35 Jim Laurino
From: Jim Laurino @ 2004-03-18 22:35 UTC (permalink / raw)
  To: netfilter list

Hello,

I added a rule with this matching pattern to
the iptables firewall on my machine.

-m conntrack --ctstate ESTABLISHED,RELATED

I am logging the matches,
the only packets matching are
icmp destination unreachable packets
that are responses to -
a udp packet
sent to dest ports 1026 or 1027
that has the source IP of my machine.

My first concern was to see if my
machine was infected with some malware.

I have now done parallel tcpdump tracing,
(among other tests)
and I now think the
original udp packets do not come from me,
but rather that
someone is spoofing my IP address.

So, I have come here to try to confirm
that this match is either a misuse of
the conntrack module by me (surely possible),
or else a bug in connection tracking.

I have split the rule, and I am getting
matches on both ESTABLISHED and RELATED.
I do not see in /proc/net/ip_conntrack
any entry that I think should match.
These icmp packets are at a low frequency,
a few a day.

I can solve the immediate issue by ignoring it,
but I thought I should report the problem,
and see what I can learn.

I have looked at the netfilter mailing lists
with great interest, and I have learned
a great deal, but I do not see any easy
way to search them systematically for this issue.

I started looking for help here:

http://www.linuxquestions.org/questions/showthread.php?threadid=158226

and there are sample log entries there, if it matters.
But it seemed as if this list was the next place to go.

Regards,

Jim Laurino


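An added example, not code from the thread: it parses an ICMP destination-unreachable message, recovers the datagram the router quotes inside it, and checks whether that datagram belongs to a flow this host actually opened, which is the decision conntrack has to make for RELATED. The addresses, ports and the TRACKED table are constructed stand-ins for the entries one would read from /proc/net/ip_conntrack.

```python
# Added example (not from the thread): classify ICMP type 3 errors by whether
# the quoted datagram is a flow we opened ("related") or merely carries our
# address as a spoofed source ("backscatter"). All values are constructed.
import struct
from typing import Optional

MY_IP = "192.0.2.10"                     # constructed: the address being spoofed
# Flows this host really originated: (proto, src, sport, dst, dport).
TRACKED = {("udp", MY_IP, 53000, "192.0.2.53", 53)}

def ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal IPv4 header; checksum left at zero (test data only)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, to_bytes(src), to_bytes(dst))

def make_unreachable(router: str, src: str, dst: str, sport: int,
                     dport: int, code: int = 3) -> bytes:
    """Constructed ICMP type 3 error as a router would send it back to `src`,
    quoting the offending UDP datagram's IP header plus its first 8 bytes."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_header(17, src, dst, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return ipv4_header(1, router, src, len(icmp)) + icmp

def parse_icmp_unreachable(pkt: bytes) -> Optional[dict]:
    """Return the quoted inner 5-tuple, or None if pkt is not ICMP type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] != 3:     # outer proto must be ICMP, type 3
        return None
    inner = pkt[ihl + 8:]                # skip the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"code": pkt[ihl + 1], "proto": inner[9], "src": dotted(inner[12:16]),
            "sport": sport, "dst": dotted(inner[16:20]), "dport": dport}

def classify(pkt: bytes, tracked: set, my_ip: str) -> str:
    """'related' if the quoted flow is ours, 'backscatter' if it only carries
    our address (spoofed source), 'unrelated' otherwise."""
    q = parse_icmp_unreachable(pkt)
    if q is None:
        return "not-icmp-unreachable"
    proto = {6: "tcp", 17: "udp"}.get(q["proto"], str(q["proto"]))
    if (proto, q["src"], q["sport"], q["dst"], q["dport"]) in tracked:
        return "related"
    return "backscatter" if q["src"] == my_ip else "unrelated"

if __name__ == "__main__":
    spam_error = make_unreachable("203.0.113.1", MY_IP, "198.51.100.7", 33000, 1026)
    print(parse_icmp_unreachable(spam_error)["dport"], classify(spam_error, TRACKED, MY_IP))
```

The "backscatter" case is the one described in the post: the quoted datagram names port 1026 and our address, but no tracked flow ever sent it.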

* Re: icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED
@ 2004-03-18 22:53 ` Antony Stone
From: Antony Stone @ 2004-03-18 22:53 UTC (permalink / raw)
  To: netfilter list

On Thursday 18 March 2004 10:35 pm, Jim Laurino wrote:

> Hello,
>
> I added a rule with this matching pattern to
> the iptables firewall on my machine.
>
> -m conntrack --ctstate ESTABLISHED,RELATED
>
> I am logging the matches, the only packets matching are icmp destination
> unreachable packets that are responses to -
> a udp packet sent to dest ports 1026 or 1027 that has the source IP of my
> machine.
>
> I have now done parallel tcpdump tracing, (among other tests) and I now
> think the original udp packets do not come from me, but rather that someone
> is spoofing my IP address.

I agree with this latter explanation.

http://isc.incidents.org/port_details.html?port=1026
http://www.mynetwatchman.com/kb/security/articles/popupspam
http://www.lurhq.com/popup_spam.html

Regards,

Antony

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED (nfcan: addressed to exclusive sender for this address)
@ 2004-03-19 20:33 ` Jim Laurino
From: Jim Laurino @ 2004-03-19 20:33 UTC (permalink / raw)
  To: netfilter list

On 2004.03.18 17:35, Jim Laurino - nfcan.x.jimlaur@dfgh.net wrote:
> I added a rule with this matching pattern to
> the iptables firewall on my machine.
> 
> -m conntrack --ctstate ESTABLISHED,RELATED
> 
> It is matching icmp packets about an
> unreachable destination that are sent here
> because someone is spoofing my IP address.
> 
> I do not see in /proc/net/ip_conntrack
> any entry that I think should match these packets.
> 
> I have come here to try to find out if this
> match is the expected behavior of this rule,
> or if this match is a misuse of the conntrack
> module by me, or if this is a bug in connection tracking.
> 
> Regards,
> 
> Jim Laurino
> 
> 


