Here is what I got from CIAC today on the NYT mentioned ip spoofing attacks. Forwarded message: > > _____________________________________________________ > The U.S. Department of Energy > Computer Incident Advisory Capability > ___ __ __ _ ___ > / | /_\ / > \___ __|__ / \ \___ > _____________________________________________________ > > ADVISORY NOTICE > > Internet Address Spoofing and Hijacked Session Attacks > > January 23, 1994 1100 PST Number F-08 > _____________________________________________________________________________ > > PROBLEM: Sophisticated new attacks on Internet systems based on > forged IP packets and hijacked login sessions. > PLATFORMS: Primarily Unix systems connected to the Internet, although > all systems that support session authentication based on IP > addresses are potentially vulnerable. Systems protected by > packet filtering firewalls may also be vulnerable. > DAMAGE: Unauthorized privileged access to systems. > SOLUTION: Enable router packet filtering on inbound Internet traffic, > and protect systems against root compromise. > _____________________________________________________________________________ > > VULNERABILITY These attacks represent a significant new threat to Internet > ASSESSMENT: systems. Without proactive measures in place, these attacks > are very difficult to detect or defend against. CIAC strongly > recommends sites implement the solutions described below as > soon as is possible. > _____________________________________________________________________________ > > Critical Information about the Internet Attacks > > CIAC has received information regarding a new attack technique on systems > connected to the Internet. These attacks are based on the exploitation of > two separate vulnerabilites: forging or spoofing the source address of IP > packets and hijacking already established login sessions. Although these > vulnerabilities are currently being used together to attack systems, each > may also be used on its own. Both of these vulnerabilities must be > addressed in order to keep systems secure. > > > IP Spoofing Attacks > ------------------- > > Description > ----------- > The first vulnerability, spoofing IP packets, allows an intruder on the > Internet to effectively impersonate a local system's IP address. If other > local systems perform session authentication based on the IP address of a > connection (e.g. rlogin with .rhosts or /etc/hosts.equiv files under Unix), > they will believe incoming connections from the intruder actually originate > from a local "trusted host" and will not require a password. This technique > is especially damaging when root connections are permitted with no password. > > Services that are vulnerable to forged IP packets include: > SunRPC & NFS > BSD Unix "r" commands, including rlogin > Services secured by TCP Wrappers using source address access control > X Windows > > It is possible for forged packets to penetrate firewalls based on filtering > routers if the router is not configured to block incoming packets with > source addresses in the local domain. It is important to note that this > attack is possible even if no session packets can be routed back to the > attacker. Note also that this attack is not based on the source routing > option of the IP protocol. > > The IP spoofing attacks are very similar to those described in section 2 > of "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin. This > paper was published in _Computer Communication Review_ vol. 19, no. 2 (April > 1989), pages 32-48. It is also available via anonymous FTP from > research.att.com in the file /dist/internet_security/ipext.ps.Z. > Additional information is available in the paper "A Weakness in the 4.2BSD > Unix TCP/IP Software," by Robert T. Morris. It is also available via > anonymous FTP from research.att.com in the file > /dist/internet_security/117.ps.Z. > > Detection > --------- > IP spoofing attacks are currently very difficult to detect. If your site > has the ability to monitor network traffic on the external interface of your > Internet router, examine incoming traffic for packets with both a source > and destination address in your local domain. Such packets should never be > found entering your site from the Internet and are a strong indicator that > an IP spoofing attack is in progress. > > Users within the Deparment of Energy (DOE) and Department of Defense (DOD) > communities may obtain a new version of the Network Intrusion Detector (NID) > with added features allowing the detection of IP spoofing attacks. Please > contact Bob Palasek, NID Project Leader, at (510) 422-8527 or > palasek@llnl.gov, for more information. > > Additionally, two freely available software tools are known to allow this > type of packet monitoring on Unix systems: tcpdump and netlog. The tcpdump > package is available via anonymous FTP from ftp.ee.lbl.gov in the file > /tcpdump.tar.Z (MD5 checksum 4D8975B18CAD40851F382DDFC9BD638F). When built > and installed, the command > > # tcpdump src net X.Y and dst net X.Y > > will print all packets found that claim to have both a source and > destination IP address on the X.Y network. The netlog package, developed at > Texas A&M University, is available via anonymous FTP at coast.cs.purdue.edu > in the file /pub/tools/unix/TAMU/netlog-1.2.tar.gz (MD5 checksum > 1DD62E7E96192456E8C75047C38E994B). When built and installed, it may be > invoked with the command > > # tcplogger -b | extract -U -e 'srcnet=X.Y.0.0 && dstnet=X.Y.0.0 {print}' > > to scan for packets with a source and destination address on the same > network. > > Prevention > ---------- > Currently, the best defense against IP spoofing attacks is to filter packets > as they enter your router from the Internet, blocking any packet that claims > to have originated inside your local domain. This feature, known as an > input filter, is currently known to be supported by several brands of > routers: > > Bay Networks/Wellfleet, version 5 and later > Cabletron with LAN Secure > Cisco, RIS software version 9.21 and later > Livingston > NSC > > If your current router hardware does not support packet filtering on > inbound traffic, a second router may be installed between the existing > router and the Internet connection. This second router may then be used > to filter spoofed IP packets with an output filter. > > > Hijacked Session Attacks > ------------------------ > > Description > ----------- > The second attack currently being observed involves the use of a tool > called "tap" to take over existing login sessions on a system. This tool > allows an intruder with root access to gain control of any other session > currently active on the system, executing commands as if they had been > typed by the owner of the session. If the user session has previously > performed a telnet or rlogin to another system, then the intruder may gain > access to the remote system as well, bypassing any authentication normally > required for access. > > Currently, the tap tool is only known to affect SunOS 4.1.x systems, > although the system features that allow the attack are not unique to Sun > systems. > > Detection > --------- > The owner of the hijacked session may notice unusual activity, including > the appearance of commands typed by the intruder. Users should be > notified of this possibility and encouraged to report any suspicious > activity. > > Prevention > ---------- > The primary defense against this attack is to prevent root compromise > through careful system management, installation of security patches, and > network controls such as firewalls. > > The tap tool currently in use makes use of SunOS loadable module support > to dynamically modify the operation of the running Unix kernel. CIAC > recommends that sites not requiring loadable modules disable this feature > on their SunOS 4.1.x systems. > > To do so, edit the kernel configuration file found in the > /sys/`arch -k`/conf directory and comment out the following line with a > "#" character: > > options VDDRV # loadable modules > > Then build and install the new kernel: > > # /etc/config CONFIG_NAME > # cd ../CONFIG_NAME > # make > # cp /vmunix /vmunix.orig > # cp vmunix / > # sync; sync; sync > > Finally, reboot the system to activate the new kernel. Note that > intruders have been known to regenerate their own kernels and reboot > systems to install the functionality they desire. The authenticity of the > running kernel should be verified after any unexplained system reboots. > > _____________________________________________________________________________ > > CIAC wishes to acknowledge the contributions of the CERT Coordination > Center, Eric Allman, Steve Bellovin, Keith Bostic, Bill Cheswick, Mike > Karels, and Tsutomu Shimomura for their assistance in the construction of > this bulletin. > _____________________________________________________________________________ > > For emergencies and off-hour assistance, DOE and DOE contractor sites can > contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. > To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The > primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second > PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is > 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to > ciac@llnl.gov. > > Previous CIAC notices, anti-virus software, and other information are > available on the Internet via anonymous FTP from ciac.llnl.gov (IP address > 128.115.19.53). > > CIAC has several self-subscribing mailing lists for electronic publications: > 1. CIAC-BULLETIN for Advisories, highest priority - time critical > information, and Bulletins, important computer security information; > 2. CIAC-NOTES for Notes, a collection of computer security articles; > 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) > software updates, new features, distribution and availability; > 4. SPI-NOTES, for discussion of problems and solutions regarding the use of > SPI products. > > Our mailing lists are managed by a public domain software package called > ListProcessor, which ignores E-mail header subject lines. To subscribe (add > yourself) to one of our mailing lists, send requests of the following form: > > subscribe list-name LastName, FirstName PhoneNumber > > as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, > SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for > "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov > not to: ciac@llnl.gov > > e.g., > subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 > subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36 > > You will receive an acknowledgment containing address and initial PIN, and > information on how to change either of them, cancel your subscription, or get > help. > _____________________________________________________________________________ > > PLEASE NOTE: Many users outside of the DOE and ESnet computing communities > receive CIAC bulletins. If you are not part of these communities, please > contact your agency's response team to report incidents. Your agency's team > will coordinate with CIAC. The Forum of Incident Response and Security Teams > (FIRST) is a world-wide organization. A list of FIRST member organizations > and their constituencies can be obtained by sending E-mail to > first-request@first.org with an empty subject line and a message body > containing the line: send first-contacts. > > This document was prepared as an account of work sponsored by an agency of > the United States Government. Neither the United States Government nor the > University of California nor any of their employees, makes any warranty, > expressed or implied, or assumes any legal liability or responsibility for > the accuracy, completeness, or usefulness of any information, product, or > process disclosed, or represents that its use would not infringe privately > owned rights. Reference herein to any specific commercial products, process, > or service by trade name, trademark manufacturer, or otherwise, does not > necessarily constitute or imply its endorsement, recommendation, or favoring > by the United States Government or the University of California. The views > and opinions of authors expressed herein do not necessarily state or reflect > those of the United States Government nor the University of California, and > shall not be used for advertising or product endorsement purposes. > > -- Mark Crother mcrother@retix.com Internetworking Systems Engineer Retix