Howto match the 3rd packet in the 3way handshake

Howto match the 3rd packet in the 3way handshake

[Nemeth Denes]

Dear All,

The situation is the following: We have two host A and B, A sends B a 
SYN packet with a spoofed IP address,
since the source IP is spoofed B will not receive the 2. packet of the 
handshake, but is able
to send back the 3rd: an ACK packet with an invalid acknowledgement 
number. How is it
possible distinguish connections in which the source IP is spoofed in 
this way.

1. A ->B : SYN(IP_X, seq(A))
2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
3. A ->B : ACK(IP_X. seq(A+1), ack(Y))

How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?

I would like to use this for the following. Let us assume that port 222 
is a normally closed port, and
B executed a port scan on that port.

iptables -A INPUT -p tcp --dport 222 -match <connections in which source 
IP can be spoofed> -g DROP
iptables -A INPUT -p tcp --dport 222 <execute site wide preventive 
actions against the IP address: iptables -I INPUT -src THISSRC -j DROP>

Thanks Denes

Re: Howto match the 3rd packet in the 3way handshake

[Mart Frauenlob]

On 28.02.2010 10:58, netfilter-owner@vger.kernel.org wrote:
> Dear All,
> 
> The situation is the following: We have two host A and B, A sends B a
> SYN packet with a spoofed IP address,
> since the source IP is spoofed B will not receive the 2. packet of the
> handshake, but is able

it think you mean A?

> to send back the 3rd: an ACK packet with an invalid acknowledgement
> number. How is it
> possible distinguish connections in which the source IP is spoofed in
> this way.
> 
> 1. A ->B : SYN(IP_X, seq(A))
> 2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
> 3. A ->B : ACK(IP_X. seq(A+1), ack(Y))
> 
> How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?
> 
> I would like to use this for the following. Let us assume that port 222
> is a normally closed port, and
> B executed a port scan on that port.
> 
> iptables -A INPUT -p tcp --dport 222 -match <connections in which source
> IP can be spoofed> -g DROP
> iptables -A INPUT -p tcp --dport 222 <execute site wide preventive
> actions against the IP address: iptables -I INPUT -src THISSRC -j DROP>
> 
> Thanks Denes


I do not think it is possible to match on spoofed IP addresses.
But I think you could construct something that matches those hosts which
sent a SYN and continue with INVALID state traffic.

1: put tcp syn into a recent set.
2: match for hosts in the set with state INVALID.

Questioning it all:
A simple -m state --state INVALID -j DROP should silently discard all those.

Best regards

Mart

Re: Howto match the 3rd packet in the 3way handshake

[Nemeth Denes]

Dear All

This is a good idea,

"But I think you could construct something that matches those hosts which
sent a SYN and continue with INVALID state traffic.

1: put tcp syn into a recent set.
2: match for hosts in the set with state INVALID."

, but the real question is what does INVALID mean, because if it will
also match case where Y!=A+1, than it will allow an attacker to
perform a DoS by easily spoofing valid IP addresses, which will get
dropped (sitewide)

Best wishes,
Denes

Mart Frauenlob wrote:
> On 28.02.2010 10:58, netfilter-owner@vger.kernel.org wrote:
>   
>> Dear All,
>>
>> The situation is the following: We have two host A and B, A sends B a
>> SYN packet with a spoofed IP address,
>> since the source IP is spoofed B will not receive the 2. packet of the
>> handshake, but is able
>>     
>
> it think you mean A?
>   
yes sorry typo
>> to send back the 3rd: an ACK packet with an invalid acknowledgement
>> number. How is it
>> possible distinguish connections in which the source IP is spoofed in
>> this way.
>>
>> 1. A ->B : SYN(IP_X, seq(A))
>> 2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
>> 3. A ->B : ACK(IP_X. seq(A+1), ack(Y))
>>
>> How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?
>>
>> I would like to use this for the following. Let us assume that port 222
>> is a normally closed port, and
>> B executed a port scan on that port.
>>
>> iptables -A INPUT -p tcp --dport 222 -match <connections in which source
>> IP can be spoofed> -g DROP
>> iptables -A INPUT -p tcp --dport 222 <execute site wide preventive
>> actions against the IP address: iptables -I INPUT -src THISSRC -j DROP>
>>
>> Thanks Denes
>>     
>
>
> I do not think it is possible to match on spoofed IP addresses.
> But I think you could construct something that matches those hosts which
> sent a SYN and continue with INVALID state traffic.
>
> 1: put tcp syn into a recent set.
> 2: match for hosts in the set with state INVALID.
>
> Questioning it all:
> A simple -m state --state INVALID -j DROP should silently discard all those.
>
> Best regards
>
> Mart
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

Re: Howto match the 3rd packet in the 3way handshake

[Mart Frauenlob]

On 28.02.2010 12:03, netfilter-owner@vger.kernel.org wrote:
> Mart Frauenlob wrote:
>> On 28.02.2010 10:58, netfilter-owner@vger.kernel.org wrote:
>>
>>> Dear All,
>>>
>>> The situation is the following: We have two host A and B, A sends B a
>>> SYN packet with a spoofed IP address,
>>> since the source IP is spoofed B will not receive the 2. packet of the
>>> handshake, but is able
>>>
>>
>> it think you mean A?
>>
> yes sorry typo
>>> to send back the 3rd: an ACK packet with an invalid acknowledgement
>>> number. How is it
>>> possible distinguish connections in which the source IP is spoofed in
>>> this way.
>>>
>>> 1. A ->B : SYN(IP_X, seq(A))
>>> 2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
>>> 3. A ->B : ACK(IP_X. seq(A+1), ack(Y))
>>>
>>> How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?
>>>
>>> I would like to use this for the following. Let us assume that port 222
>>> is a normally closed port, and
>>> B executed a port scan on that port.
>>>
>>> iptables -A INPUT -p tcp --dport 222 -match <connections in which source
>>> IP can be spoofed> -g DROP
>>> iptables -A INPUT -p tcp --dport 222 <execute site wide preventive
>>> actions against the IP address: iptables -I INPUT -src THISSRC -j DROP>
>>>
>>> Thanks Denes
>>>
>>
>>
>> I do not think it is possible to match on spoofed IP addresses.
>> But I think you could construct something that matches those hosts which
>> sent a SYN and continue with INVALID state traffic.
>>
>> 1: put tcp syn into a recent set.
>> 2: match for hosts in the set with state INVALID.
>>
>> Questioning it all:
>> A simple -m state --state INVALID -j DROP should silently discard all
>> those.
> Dear All
> 
> This is a good idea,
> 
> "But I think you could construct something that matches those hosts which
> sent a SYN and continue with INVALID state traffic.
> 
> 1: put tcp syn into a recent set.
> 2: match for hosts in the set with state INVALID."
> 
> , but the real question is what does INVALID mean, because if it will
> also match case where Y!=A+1, than it will allow an attacker to
> perform a DoS by easily spoofing valid IP addresses, which will get
> dropped (sitewide)
> 

Without being an expert here, imho:
If there's no existing valid connection from the spoofed ip, what does
it matter?
If there is, only those packets will be recognized as INVALID and
therefor dropped. It does not mean an existing connection marked as
ESTABLISHED would be closed from the conntrack side.
Anyone please correct me if I'm wrong.


But yes good question, 'what does state INVALID exactly mean?'
There's not much documentation about it afaik.
But i think you could say:
Everything that is not state NEW, ESTABLISHED, RELATED (those last 2
must be valid traffic (i.e. tcp with no anomalies)), or UNTRACKED (set
by the NOTRACK target in the raw table).

Best regards

Mart