Firewall-1

Re: [FW-1] Loopback address spoofing

Subject: Re: [FW-1] Loopback address spoofing
From: "Pendergrass, Greg" <Greg.Pendergrass AT VODAFONE DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 23 Feb 2004 12:02:03 -0000
This is very common, lots of zombies spew out huge amounts of garbage
packets with a source address of 127.0.0.1 (among others). Even though
127.0.0.1 is a well-known bogon, ISPs still route it even though there is no
valid route back to it. I filter this and many other blocks using router
ACLs. This keeps the level of needless entries in my firewall logs down and
saves some overhead as well on my enforcement points.

In general you should filter the following IP ranges at your internet border
going both directions as there's no good reason any of this should leave or
enter your network:

10.0.0.0/8      RFC-1918
172.16.0.0/12   RFC-1918
192.168.1.0/16  RFC-1918
127.0.0.1/32    Standard loopback IP
224.0.0.0/3     (multicast and reserved IANA IP space)

There's also all sorts of ports that you can filter as well: you'd be amazed
at the huge amount of netbios, sql, wins, bootp and other garbage traffic
that will get sent to you. Why anyone should receive someone else's wins
requests is beyond me, all it does is fill up your log files.

You may also be surprised at the amount of garbage you send too. Filtering it
coming into your network is fine and good but make sure you aren't
contributing to the vast amount of background noise on the internet.
Remember, if you don't want to receive it you probably don't want to leak it
either.

Regards,

Greg Pendergrass
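
Added example (not part of the original thread): a Python sketch of the check described in the messages here, reading `tcpdump -n -e` output and reporting which Ethernet source MAC is delivering frames whose IP source falls in the filter list above. The sample lines, MAC addresses, the modern tcpdump line layout and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges exactly as listed in the message. strict=False lets ipaddress accept
# "192.168.1.0/16" (host bits set) and treat it as 192.168.0.0/16.
FILTERED = [ipaddress.ip_network(n, strict=False) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.1.0/16", "127.0.0.1/32", "224.0.0.0/3")]

# Assumed layout of `tcpdump -n -e` output for IPv4 over Ethernet.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def matched_range(addr):
    """Return the filter-list range containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in FILTERED if ip in n), None)

def suspicious_frames(lines, local_macs=()):
    """List (src_mac, src_ip, range) for frames with a filtered source IP
    that were put on the wire by a MAC other than our own interfaces."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6 and other non-IPv4 lines are skipped
        rng = matched_range(m["src"])
        if rng and m["smac"] not in local_macs:
            hits.append((m["smac"], m["src"], rng))
    return hits

def count_by_mac(hits):
    """Count suspicious frames per Ethernet source MAC."""
    return Counter(mac for mac, _, _ in hits)

# Constructed capture: 00:00:5e:00:53:01 plays the internet router.
SAMPLE = [
    "12:00:01.000000 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 203.0.113.10.1025: Flags [R.], seq 0, ack 1, win 0, length 0",
    "12:00:02.000000 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.443 > 203.0.113.10.40000: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:03.000000 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 92: 192.168.44.5.137 > 203.0.113.10.137: UDP, length 50",
    "12:00:04.000000 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.10 tell 203.0.113.1, length 46",
]

if __name__ == "__main__":
    for mac, n in count_by_mac(suspicious_frames(SAMPLE)).items():
        print(f"{mac}: {n} frame(s) with a filtered source address")
```

Passing the firewall's own interface MACs as `local_macs` excludes frames the firewall itself transmitted, so whatever remains arrived from a neighbouring device.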


-----Original Message-----
From: Mark Pays [mailto:mark.pays AT GTA-TRAVEL DOT COM]
Sent: 20 February 2004 18:35
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Loopback address spoofing


I can see the very same thing happening to one of my firewalls. It looks
like some kind of attempt to spoof the loopback address. Run a tcpdump and
use -e to show ethernet source and dest MAC addresses. (I used tcpdump -n -e
-i eth4c0 host 127.0.0.1). When I did this the packets claiming to be from
127.0.0.1 are actually originating from the internet router MAC address. I
don't think it's of great concern as the firewall is dropping all the
packets but I'd be interested to hear if anyone knows any more about it
though.

-----Original Message-----
From: José María Gabaldón [mailto:jgabaldon AT CYBERTECHPROJECTS DOT COM]
Sent: 20 February 2004 15:48
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Loopback address spoofing


Hi guys,

I have a little problem, we have a Solaris running Check Point NG FP3, and
everything works fine. However in the logs we get continuously (maybe every
20 seconds or so) a drop log message that says:
Source: localhost
Destination: FW_EXTERNAL_IP_ADDRESS
Source port: http
Action: DROP
Reason: Loopback address spoofing.

I'm wondering what this log entry means: could it be some internal hacker
really trying to spoof the loopback address of the firewall, or maybe it is
just a misconfiguration? If so, how can I troubleshoot the problem?

I hope you can help me, thanks in advance!

_______________________________

José María Gabaldón
Network Security Engineer
email: jgabaldon AT cybertech.com DOT ve
www.cybertech.com.ve

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

