ip spoofed and this scenario

zillah2004
Level 1

Could you please see the attachment.

10 Replies

pkhatri
Level 11

Hi,

Firstly, I think the question is not phrased too well. Typically you would have filters to prevent incoming packets that are using the same source addresses as devices within your network. Therefore, in this case, you want to prevent source addresses within the 192.168.2.0/24 range. The ACL that satisfies this is (C):

access-list 1 deny 192.168.2.0 0.0.0.255

access-list 1 permit any

The answer given (A) is incorrect. The explanation does not make too much sense either.

If you have picked up this question from something like a TestKing document, pls note that a lot of the answers given are riddled with errors.

Hope that helps - pls rate the post if it does.

Paresh

1- Have you rephrased (Firstly, I think the question is not phrased too well) the question in a different way? Could you please let me know what the new phrase will be?

2- Which one is my source: is it 192.168.1.0 (as the question stated) or 192.168.2.0 as you have recorded (Therefore, in this case, you want to prevent source addresses within the 192.168.2.0/24 range)?

3- Do I need to prevent the source addresses (Therefore, in this case, you want to prevent source addresses within the 192.168.2.0/24 range.) because they have been spoofed?

4- ((when applied to E1 on router as an input filter)) -- here I get confused: this phrase means that the source address is 192.168.1.0, not 192.168.2.0. Maybe he intended to say E0 instead of E1?

1. You have to first understand what a spoofed address is. Spoofing is the creation of TCP/IP packets using somebody else's IP address. Now, how do we know an address is spoofed? Generally, we can't work that out unless the spoofed address is out of a range that we own, and so we know that we should never receive any packets from outside our network that have a source address that belongs to us. The way I would read the question is: prevent packets spoofed using the 192.168.2.0/24 range from entering the 192.168.2.0/24 LAN segment.

2. The source should be 192.168.2.0/24, since that is the same as the address in the LAN segment we are protecting.

3. Yes, the source addresses are the ones spoofed. It does not make sense to spoof the destination address (since routing is done based on that and a wrong destination address will mean that the packet will never get there).

4. E1 is correct. Just remember that just because it is coming from the 192.168.1.0 side of the network does not mean that it has to have a 192.168.1.0 address. If a spoofing attack is originating from the 192.168.1.0 network, the address will be spoofed to be 192.168.2.x and not 192.168.1.0; therefore, the filter is correct.

Pls rate the post if it helps.

Paresh

Hi Saad,

I've just re-read the original question a bit more closely and I think I misunderstood it originally.

It talks about spoofing attacks "originating" on the 192.168.1.0 network. Therefore, the correct answer is indeed A. If a packet originates within the 192.168.1.0 network, then it must have a source address in the 192.168.1.0/24 range. If not, it is obviously spoofed. I think your confusion here is the bit about "all other traffic must be permitted". Since the spoofed addresses will be everything apart from the 192.168.1.0 network, 'all other traffic' means traffic with a source of 192.168.1.0/24. The ACL in option A is therefore correct. Apologies for the earlier confusion.

Pls do remember to rate posts.

Paresh

I have got another confusion. Suppose a spoofing (not spoofed) packet has got this source IP address, 173.16.1.3; now this packet impersonates another source IP address (in our case 192.168.1.0, not 192.168.2.0).

How can the ACL distinguish between the real packet with a 192.168.1.0 address and the fake packet (173.16.1.3) with the stolen IP address 192.168.1.0? My understanding is that both packets (real, fake) are carrying the same IP address.

You cannot distinguish between a spoofed 192.168.1.x address and a real 192.168.1.x address using this ACL. In the question you had, there were only 2 networks, 192.168.1.x and 192.168.2.x so that situation could not have occurred.

Paresh

((so that situation could not have occurred)) and ((If not, it is obviously spoofed)).

I feel there is a contradiction; correct me if I am wrong.

You've got two networks: 192.168.1.x and 192.168.2.x

If a packet originates within the 192.168.1.x network, it should have a source IP of 192.168.1.x. So if a packet originates from the 192.168.1.x but does not have a source address of 192.168.1.x, it is spoofed. Do you agree?

Now, you are giving an example about a packet with a real source address of 173.16.1.3. I'm saying this situation cannot occur within this network, since all packets originating here will have a source of 192.168.1.x or 192.168.2.x. Do you agree?

Paresh

((So if a packet originates from the 192.168.1.x but does not have a source address of 192.168.1.x, it is spoofed. Do you agree?))

Definitely I agree, but how am I going to expect that, if the scenario has got two networks only? (i.e. if there is no other network, how can I expect that there is a packet that does not have a source of 192.168.1.x?)

((Now, you are giving an example about a packet with a real source address of 173.16.1.3. I'm saying this situation cannot occur within this network, since all packets originating here will have a source of 192.168.1.x or 192.168.2.x. Do you agree?))

the answer of this depends on the first one

"how can I expect that there is a packet does not have a source of 192.168.1.x"

That's the whole point... you know that the only source address should be 192.168.1.x, which is why the ACL permits only 192.168.1.x. You only expect 192.168.1.x. Anything else is spoofed and is dropped by the ACL. Do you get it now?
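The ACL behaviour argued about in the last few posts (which packets option A drops when applied inbound on E1, and why a spoofed 192.168.1.x address cannot be told apart from a real one), as an added example that is not part of the original thread: a small Python evaluator for Cisco standard numbered ACL lines with wildcard masks, run over a constructed set of packets arriving inbound on E1 from hosts physically on the 192.168.1.0/24 side. Option C is quoted verbatim from Paresh's first post; option A is an assumption reconstructed from his later description (permit sources in 192.168.1.0/24, deny everything else), since the original option text is not on the page. The sample packets and their "is spoofed" labels are constructed for the example.

```python
import ipaddress

# Option C, exactly as quoted in the thread.
OPTION_C = """
access-list 1 deny 192.168.2.0 0.0.0.255
access-list 1 permit any
"""

# Option A as reconstructed from Paresh's description (assumption: the original
# option text is not on the page): permit 192.168.1.0/24 sources, deny the rest.
OPTION_A = """
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
"""

# Constructed sample: packets arriving inbound on E1, i.e. sent by hosts that
# physically sit on the 192.168.1.0/24 segment. (description, source IP, is_spoofed)
INBOUND_ON_E1 = [
    ("legitimate host on the 192.168.1.0 segment", "192.168.1.10", False),
    ("attacker on 192.168.1.0 spoofing a 192.168.2.x address", "192.168.2.5", True),
    ("attacker on 192.168.1.0 spoofing an outside address", "173.16.1.3", True),
    ("attacker on 192.168.1.0 spoofing a neighbour's 192.168.1.x address", "192.168.1.20", True),
]


def parse_acl(text):
    """Parse standard numbered ACL lines of the form
    'access-list <n> permit|deny <addr> [<wildcard>]', '... host <addr>' or '... any'.
    Returns a list of (action, network_int, wildcard_int) in order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action = parts[2]
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            if len(parts) < 5:
                raise ValueError(f"'host' needs an address: {line!r}")
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # A bare address with no wildcard is an exact host match on IOS.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries


def acl_verdict(entries, src):
    """First-match evaluation of a standard ACL against a source address,
    including the implicit 'deny any' that IOS appends to every ACL."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        # In a wildcard mask a 1 bit means 'don't care'; only the 0 bits are compared.
        care = ~wild & 0xFFFFFFFF
        if (s & care) == (net & care):
            return action
    return "deny"


def filter_inbound(acl_text, packets=INBOUND_ON_E1):
    """Apply the ACL as an input filter on E1; map source IP -> verdict."""
    entries = parse_acl(acl_text)
    return {src: acl_verdict(entries, src) for _, src, _ in packets}


def undetected_spoofs(acl_text, packets=INBOUND_ON_E1):
    """Spoofed packets the ACL still permits: the gap Saad's last question is about."""
    entries = parse_acl(acl_text)
    return [src for _, src, spoofed in packets
            if spoofed and acl_verdict(entries, src) == "permit"]


if __name__ == "__main__":
    for name, acl in (("Option A", OPTION_A), ("Option C", OPTION_C)):
        print(name, filter_inbound(acl), "undetected spoofs:", undetected_spoofs(acl))
```

Running it shows the point of the thread: option A drops both the 192.168.2.5 and the 173.16.1.3 packets because neither carries a 192.168.1.x source, while option C still lets the outside address through. Both ACLs permit the 192.168.1.20 packet, because an ingress filter only sees the source field and nothing in it distinguishes a host on the segment from a neighbour imitating it; that is the limit Paresh describes, and it is why this kind of filter catches spoofing of other people's ranges rather than spoofing within the segment it protects.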