Countering Spoofing AttemptsTomEastep2012Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.IntroductionSpoofing is the practice of sending packets
with a forged source address in an attempt to circumvent security
measures. Shorewall supports a variety of measures to counter spoofing
attacks.The routefilter Interface OptionThis shorewall-interfaces (5) option was
the first measure implemented and uses
/proc/sys/net/ipv4/conf/*/rp_filter. Many
distributions set this option by default for all ip interfaces. The option
works by determining the reverse path (the route from the packets
destination to its source); it that route does not go out through the
interface that received the packet, then the packet is declared to be a
martian and is dropped. A kernel log message is generated if the
interface's option is set
(/proc/sys/net/ipv4/conf/*/log_martians).While this option is simple to configure, it has a couple of
disadvantages:It is not supported by IPv6.It does not use packet marks so it doesn't work with some Multi-ISP configurations.The log messages produces are obscure and confusing.Hairpin FilteringSpoofing can be used to exploit Netfilter's connection tracking to
open arbitrary firewall ports. Attacks of this type establish a connection
to a server that uses separate control and data connections such as an FTP
server. It then sends a packet addressed to itself and from the server.
Such packets are sent back out the same interface that received them
(hairpin). In cases where the
option can't be used, Shorewall 4.4.20 and
later will set up hairpinning traps (see the SFILTER_DISPOSITION and
SFILTER_LOG_LEVEL options in shorewall.conf (5)).This automatic hairpin trapping is disabled on interfaces with the
option.The rpfilter Interface OptionA new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4.
This match performs reverse path evaluation similar to
but without the disadvantages:It is supported by both IPv4 and IPv6.It uses packet marks so it works with all Multi-ISP configurations.It produces standard Shorewall/Netfilter log messages controlled
by the RPFILTER_LOG_LEVEL option in shorewall.conf (5)).Both the disposition and auditing can be controlled using the
RPFILTER_DISPOSITION option in shorewall.conf (5)).