* fake ping reply
From: I.S.Kuten @ 2003-09-02 13:50 UTC (permalink / raw)
To: netfilter
Hello,
I wanted to set up iptables so that when someone pings my box, the echo-reply
would come from another machine than mine.
I've tried to play with the PREROUTING & POSTROUTING chains but had no success.
Does anyone have a solution?
* Re: fake ping reply
From: Ramin Dousti @ 2003-09-04 16:24 UTC (permalink / raw)
To: I.S.Kuten; +Cc: netfilter
On Tue, Sep 02, 2003 at 04:50:26PM +0300, I.S.Kuten wrote:
> Hello,
>
> I wanted to set up iptables so that when someone pings my box, the echo-reply
> would come from another machine than mine.
A very strange question. When the client sends you an echo-request, it
expects to receive the echo-reply from the same IP address. If some other
IP address sends the echo-reply, it will simply get dropped by the OS
on the client, as there is no match for this bogus packet...
Now, what do you want to achieve with this? Fool the client into thinking his
ping pinged someone else??
If you feel uncomfortable with someone pinging you, just drop them...
Ramin
>
> I've tried to play with the PREROUTING & POSTROUTING chains but had no success.
>
> Does anyone have a solution?
>
* Re: fake ping reply
From: I.S.Kuten @ 2003-09-04 17:10 UTC (permalink / raw)
To: netfilter
On Thu, 4 Sep 2003 12:24:44 -0400
Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> On Tue, Sep 02, 2003 at 04:50:26PM +0300, I.S.Kuten wrote:
>
> > Hello,
> >
> > I wanted to set up iptables so that when someone pings my box, the echo-reply
> > would come from another machine than mine.
>
> A very strange question. When the client sends you an echo-request, it
> expects to receive the echo-reply from the same IP address. If some other
> IP address sends the echo-reply, it will simply get dropped by the OS
> on the client, as there is no match for this bogus packet...
>
> Now, what do you want to achieve with this? Fool the client into thinking his
> ping pinged someone else??
>
What I'd like to achieve:
when I receive a ping from, say, 192.168.0.1, I send a ping to another IP, 192.168.0.2, receive the echo-reply,
and send an echo-reply back to 192.168.0.1 with the same type
(by ping I mean ICMP with some type).
Sorry,
> > I wanted to set up iptables so that when someone pings my box, the echo-reply
> > would come from another machine than mine.
this is not quite what I wanted.
> If you feel uncomfortable with someone pinging you, just drop them...
>
> Ramin
>
> >
> > I've tried to play with the PREROUTING & POSTROUTING chains but had no success.
> >
> > Does anyone have a solution?
> >
>
* Re: fake ping reply
From: Chris Brenton @ 2003-09-04 19:32 UTC (permalink / raw)
To: Ramin Dousti; +Cc: I.S.Kuten, netfilter
Ramin Dousti wrote:
> On Tue, Sep 02, 2003 at 04:50:26PM +0300, I.S.Kuten wrote:
>>
>>I wanted to set up iptables so that when someone pings my box, the echo-reply
>>would come from another machine than mine.
>
> A very strange question. When the client sends you an echo-request, it
> expects to receive the echo-reply from the same IP address. If some other
> IP address sends the echo-reply, it will simply get dropped by the OS
> on the client, as there is no match for this bogus packet...
I don't think that's where he's going with this. This used to be a very
cool feature that was removed about 2 years ago. :( :( :(
Here's the concept: let's say you've been allocated a class C legal
address space and have 10 or so IP addresses that are not in use. What I
used to do was reject echo-request packets going to those addresses with
echo-replies, and reject all other echo-requests with a host-unreachable.
Now, "annoying script kiddie that could not hack their way out of a
paper bag" comes along and ping sweeps your network. Only those 10 IP
addresses respond, so they start attacking them.
Now, one of the things you need to do when reading your logs is filter
out the script kiddies from the people you really need to worry about.
Obviously someone who persists in attacking non-existent systems and
can't tell the difference can be stopped with a simple ban rule.
Also, increasing the number of packets that an attacker throws at your
network also increases your chances of identifying them. Again, this
rule was a good fit for that as well.
I have to say I'm a major iptables bigot. I've contributed to the
project and talk it up big time in the SANS perimeter training. __The
only thing__ that has ever really bummed me about the project was
the removal of the echo-reply reject option.
</dismounting soap box>
;-)
C
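Chris's log-reading point (separate the sources that keep attacking the decoy addresses from the ones that go for real hosts), as an added example that is not part of the thread and not iptables' own code: a small Python triage script over netfilter LOG lines. It assumes a LOG rule that tags inbound traffic to the site prefix with the prefix "EXT-IN: " (an assumption), and the log lines and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in the netfilter LOG target's format. Site prefix is
# 192.0.2.0/24; 192.0.2.0/25 holds real hosts, 192.0.2.128/25 is the decoy range.
SAMPLE_LOG = """\
Sep  4 19:30:01 gw kernel: EXT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.130 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Sep  4 19:30:01 gw kernel: EXT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.131 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=2
Sep  4 19:30:07 gw kernel: EXT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.130 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 19:30:08 gw kernel: EXT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.130 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 19:31:15 gw kernel: EXT-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.140 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Sep  4 19:40:00 gw kernel: EXT-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=10 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# LOG lines are "KEY=value" tokens; bare flags such as DF or SYN have no '='.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix="EXT-IN: "):
    """Return the key=value fields of one LOG line, or None if it lacks our prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))


def _is_echo_request(fields):
    return fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "8"


def triage(lines, used_net, decoy_net, prefix="EXT-IN: "):
    """Group logged packets by source and classify each source.

    ban-candidate : attacked decoy (non-existent) addresses and nothing real
    investigate   : sent non-ping traffic to a real host (did not fall for the decoy)
    sweep-only    : only pinged decoy addresses so far
    """
    used = ipaddress.ip_network(used_net)
    decoy = ipaddress.ip_network(decoy_net)
    stats = {}
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None or "SRC" not in f or "DST" not in f:
            continue
        src, dst = f["SRC"], ipaddress.ip_address(f["DST"])
        s = stats.setdefault(src, {"decoy_pings": set(), "decoy_attacks": 0,
                                   "real_targets": set()})
        if dst in decoy:
            if _is_echo_request(f):
                s["decoy_pings"].add(str(dst))
            else:
                s["decoy_attacks"] += 1      # follow-up against a host that does not exist
        elif dst in used and not _is_echo_request(f):
            s["real_targets"].add(str(dst))  # pings to real hosts get host-unreach; ignore them
    verdicts = {}
    for src, s in stats.items():
        if s["decoy_attacks"] and not s["real_targets"]:
            verdicts[src] = "ban-candidate"
        elif s["real_targets"]:
            verdicts[src] = "investigate"
        elif s["decoy_pings"]:
            verdicts[src] = "sweep-only"
        else:
            verdicts[src] = "unclassified"
    return stats, verdicts


if __name__ == "__main__":
    stats, verdicts = triage(SAMPLE_LOG.splitlines(), "192.0.2.0/25", "192.0.2.128/25")
    for src, verdict in sorted(verdicts.items()):
        print(src, verdict, stats[src])
```

Run on the sample, 203.0.113.9 pings two decoy addresses and then sends SYNs at one of them, so it is the "simple ban rule" case; 198.51.100.77 pings a decoy address but then goes for a real host, which is the source worth a closer look.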
* Re: fake ping reply
From: Ramin Dousti @ 2003-09-04 20:04 UTC (permalink / raw)
To: Chris Brenton; +Cc: I.S.Kuten, netfilter
On Thu, Sep 04, 2003 at 03:32:46PM -0400, Chris Brenton wrote:
> >>I wanted to set up iptables so that when someone pings my box, the echo-reply
> >>would come from another machine than mine.
> >
> >A very strange question. When the client sends you an echo-request, it
> >expects to receive the echo-reply from the same IP address. If some other
> >IP address sends the echo-reply, it will simply get dropped by the OS
> >on the client, as there is no match for this bogus packet...
>
> I don't think that's where he's going with this. This used to be a very
> cool feature that was removed about 2 years ago. :( :( :(
>
> Here's the concept: let's say you've been allocated a class C legal
> address space and have 10 or so IP addresses that are not in use. What I
> used to do was reject echo-request packets going to those addresses with
> echo-replies, and reject all other echo-requests with a host-unreachable.
I see, you want to pretend that the non-assigned IPs are assigned and the
assigned ones are not (??). If so, do this:

                1.2.3.4        5.6.7.8
               ----------
Internet -----eth0--GW--eth1----Internal LAN
               ----------

Say you have a.b.c.0/24 assigned to you and you use a.b.c.0/25 (assigned
to your boxes) and have a.b.c.128/25 unused. Then for the same effect you
mentioned above you can have:
$IPT -t nat -A PREROUTING -i eth0 -p icmp --icmp-type echo-request \
-d a.b.c.128/25 -j DNAT --to 5.6.7.8
$IPT -t filter -A FORWARD -i eth0 -p icmp --icmp-type echo-request \
-d a.b.c.0/25 -j REJECT --reject-with host-unreach
Or maybe I didn't get your explanation right???
Ramin
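Ramin's two rules, generalized as an added example (my code, not Ramin's and not part of iptables): a Python helper that uses the standard library's ipaddress module to derive the unused part of a site prefix and emit the DNAT and REJECT rules for any split, not only the /25 halves above, plus a LOG rule in the mangle PREROUTING chain, which runs before NAT and therefore records the original destination. The site prefix 192.0.2.0/24, the decoy target 10.0.0.2 and the log prefix "EXT-IN: " are constructed values for the example.

```python
import ipaddress


def decoy_ruleset(site, used, target, ext_if="eth0", ipt="iptables",
                  log_prefix="EXT-IN: "):
    """Return iptables command lines (as strings) for the decoy layout:

    - LOG every new inbound flow to the site prefix (mangle PREROUTING runs
      before nat PREROUTING, so the logged DST is the one the sender used);
    - DNAT echo-requests for each unused range to a live host, whose
      echo-reply conntrack rewrites back to the decoy address;
    - answer echo-requests for the real hosts with host-unreachable.
    """
    site_net = ipaddress.ip_network(site)
    used_net = ipaddress.ip_network(used)
    decoy_host = ipaddress.ip_address(target)
    if not used_net.subnet_of(site_net):
        raise ValueError("used range must lie inside the site prefix")
    # address_exclude() yields the covering subnets of site minus used, in no
    # guaranteed order; sort them so the emitted rules are stable.
    unused = sorted(site_net.address_exclude(used_net))
    if any(decoy_host in n for n in unused):
        raise ValueError("DNAT target must be a live host, not a decoy address")

    rules = [
        f"{ipt} -t mangle -A PREROUTING -i {ext_if} -d {site_net} "
        f"-m conntrack --ctstate NEW -j LOG --log-prefix '{log_prefix}'",
    ]
    for net in unused:
        rules.append(
            f"{ipt} -t nat -A PREROUTING -i {ext_if} -p icmp --icmp-type echo-request "
            f"-d {net} -j DNAT --to-destination {decoy_host}"
        )
    rules.append(
        f"{ipt} -t filter -A FORWARD -i {ext_if} -p icmp --icmp-type echo-request "
        f"-d {used_net} -j REJECT --reject-with icmp-host-unreachable"
    )
    return rules


if __name__ == "__main__":
    # Constructed layout: 192.0.2.0/24 is "ours", the lower /25 holds real hosts,
    # 10.0.0.2 is the internal box that will answer on behalf of the decoy range.
    for rule in decoy_ruleset("192.0.2.0/24", "192.0.2.0/25", "10.0.0.2"):
        print(rule)
```

The DNAT rule is also the answer to the objection raised earlier in the thread: because the translation is done by conntrack, the echo-reply coming back from the target is rewritten to carry the decoy address as its source, so the pinging host sees a normal reply from the address it asked for. The REJECT rule only covers forwarded traffic, as in Ramin's version; if the gateway's own address is in the used range, the same rule is needed in INPUT.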