Jo Rhett wrote:
> On Jun 22, 2008, at 8:22 PM, Matt Kettler wrote:
>> Just because a packet can get there doesn't mean they can deliver
>> mail. (by the way, IMO you're *insane* for not having something in
>> place that filters such things. A simple PIX firewall at your border
>> with "ip verify reverse-path" enabled would do the job nicely. On a
>> budget simple ACLs in your border routing would do. Step up to at
>> least 1980's grade network security. seriously.)
>
> Matt, what exactly does insulting me gain you, me, or this list?
> Really? Better yet, what does insulting me from an incorrect
> assumption gain you?

Fair enough. I mis-read your post to assume that nobody was filtering
such bogus packets. You were merely talking about your ISP not filtering
them, which apparently is a non-issue since you filter them yourself.
I'm not quite so sure why you raised it as a problem of concern, but
fair enough. My apologies.

So if your border is filtering such bogus packets, why are you still
worried about an outsider convincing your mailserver that someone is
delivering mail from a 10.* IP? Are you concerned about this attack from
within your network somewhere that isn't subject to filtering? Or are you
concerned they're going to bypass your filtering in some manner?

Again, this is about an outsider delivering mail to your mailserver and
convincing it that 10.x.x.x, an internal subnet, is delivering mail to
it. Right?

>> I've not seen such mass IP forgery going on. Have you? Of course not,
>> because it pretty much can't be done.
>
> With a statement such as this you demonstrate that you aren't in the
> security field, and don't read either security papers or security
> mailing lists ... so I'm really not sure how to respond to you,
> honestly. I'm not trying to be rude, but your statement has no basis
> in reality.

Actually I do. I know about the TCP window based enhancement of the
attack, etc. I also know a lot of those papers are highly theoretical,
and don't work in reality across a broad internet. Again, if it really
worked so well, you'd see a *LOT* of spam forging IPs. I've never seen
one in the real world.

> Not only can it be done for given short-term purposes, but there are
> at least 3 toolkits which test systems and then generate entire forged
> TCP streams at the hosts. They are remarkably effective. I haven't
> found one which works 100% against modern FreeBSD, which is what we
> are running, but that doesn't mean it doesn't exist. And a toolkit
> which takes 100 or 200 attempts to succeed... is easy to accomplish on
> multi-gig networks without raising even the slightest alarm.

Ok, can you actually do it? Can you deliver mail to an outside network's
SMTP with a spoofed source IP that doesn't route back to you?

I'm not saying blind spoofing is wholesale impossible. However, doing it
long enough to deliver mail, and across an internet, and communicating
with any sort of reasonable host with decent ISN generation, isn't
practical. Add a reasonable firewall that's dropping packets from the
source IP you're using and it becomes difficult beyond the realm of
realistic attacks that a spammer would ever employ. (nobody's going to
take the time to exploit your firewall just to deliver spam with a
spoofed source address to your mailserver).

> Perhaps you want to show me the syslog message your system generates
> when it receives a TCP session id that isn't in use? No, my operating
> system doesn't generate one either. (however my IDS will notice this
> and log it, but that doesn't mean my mail server should trust it)

My OS wouldn't. I suspect the Cisco ASA would log these as "Deny TCP (no
connection)", due to their ISN not matching any established connection,
but I'd have to check if this logging occurs on ISN mismatch.

But logs, while nice, won't really help you if an attacker is successful
here.

> NOW perhaps we can stop talking about networking? Because this isn't
> about networking, really. It's about SpamAssassin. I don't want my
> spamassassin to trust something it shouldn't receive. That's the
> nature of the question.

True, but if you assume IPs can be spoofed, then SA can't trust anything
at all. If they can spoof one IP, they can spoof anything. That's of
great concern to SA, because it would break *many* things about
SpamAssassin's fundamental design.

Personally, I have yet to see evidence this attack can be successfully
carried out over the internet well enough to deliver mail to a SMTP
server on a blind basis.
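As an added example, written for this page and not taken from either poster, the following Python model puts numbers on the two defences argued over above: ISN quality and border ingress filtering. It simulates a three-way handshake in which a blind attacker (one who never sees the SYN/ACK sent to the forged 10.x.x.x source) must supply the server's ISN+1 to reach ESTABLISHED. The fixed 64000-per-connection increment for the "predictable" generator, the documentation address 203.0.113.7 for the attacker, the forged source 10.1.2.3 and the packet dictionaries are all constructed assumptions; the "urpf" switch models a strict reverse-path/ingress ACL that drops any packet claiming an internal source on the outside interface, the same effect as the "ip verify reverse-path" or border-ACL approach mentioned in the thread.

```python
import ipaddress
import random
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the internal subnet discussed in the thread
ISN_STEP = 64000  # ASSUMED fixed per-connection increment for the weak (predictable) ISN policy


class IsnGenerator:
    """Two ISN policies: a predictable fixed-increment one and a per-connection random one."""

    def __init__(self, predictable: bool, rng: random.Random):
        self.predictable = predictable
        self.rng = rng
        self.last = rng.getrandbits(32)

    def allocate(self) -> int:
        if self.predictable:
            self.last = (self.last + ISN_STEP) & 0xFFFFFFFF
        else:
            self.last = self.rng.getrandbits(32)
        return self.last


class SmtpHost:
    """Handshake model: SYN -> SYN/ACK(isn) -> ACK(isn+1) moves a flow to ESTABLISHED.
    With urpf=True the outside interface drops packets sourced from INTERNAL_NET first."""

    def __init__(self, isn: IsnGenerator, urpf: bool):
        self.isn = isn
        self.urpf = urpf
        self.half_open = {}      # (src, sport) -> ISN we sent in the SYN/ACK
        self.established = set()
        self.dropped = 0

    def _ingress_drop(self, pkt: dict) -> bool:
        # Strict reverse-path / ingress ACL: an internal source can never legitimately
        # arrive on the outside interface, so the TCP stack never sees such a packet.
        return (self.urpf and pkt["iface"] == "outside"
                and ipaddress.ip_address(pkt["src"]) in INTERNAL_NET)

    def receive(self, pkt: dict) -> Optional[int]:
        """For a SYN, returns the ISN placed in the SYN/ACK; only the real owner of
        pkt['src'] would ever see that value on the wire. Otherwise returns None."""
        if self._ingress_drop(pkt):
            self.dropped += 1
            return None
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            isn = self.isn.allocate()
            self.half_open[key] = isn
            return isn
        if pkt["flags"] == "ACK" and key in self.half_open:
            if pkt["ack"] == (self.half_open[key] + 1) & 0xFFFFFFFF:
                self.established.add(key)
                del self.half_open[key]
        return None


def blind_spoof_attempts(host: SmtpHost, attempts: int, rng: random.Random) -> int:
    """Attacker first samples the ISN sequence from its own (real) address, then sends a SYN
    forged as 10.1.2.3 and an ACK carrying a guessed ISN+1. Returns forged sessions that
    reached ESTABLISHED. Addresses are constructed for the example."""
    attacker_ip = "203.0.113.7"
    forged_src = "10.1.2.3"
    for i in range(attempts):
        sampled = host.receive({"iface": "outside", "src": attacker_ip,
                                "sport": 40000 + i, "flags": "SYN"})
        # Blind step: the SYN/ACK for the forged source goes to 10.1.2.3, not to the attacker.
        host.receive({"iface": "outside", "src": forged_src,
                      "sport": 50000 + i, "flags": "SYN"})
        if sampled is not None:
            guess = (sampled + ISN_STEP + 1) & 0xFFFFFFFF  # extrapolate the sampled sequence
        else:
            guess = rng.getrandbits(32)                    # no information: pure guess
        host.receive({"iface": "outside", "src": forged_src,
                      "sport": 50000 + i, "flags": "ACK", "ack": guess})
    return sum(1 for src, _ in host.established if src == forged_src)


def run_scenario(predictable_isn: bool, urpf: bool, attempts: int = 100, seed: int = 1) -> dict:
    """Deterministic run of one defence combination; returns counts for inspection."""
    host = SmtpHost(IsnGenerator(predictable_isn, random.Random(seed)), urpf)
    won = blind_spoof_attempts(host, attempts, random.Random(seed + 1))
    return {"established": won, "dropped": host.dropped}


if __name__ == "__main__":
    for pred, urpf in [(True, False), (False, False), (True, True)]:
        print(f"predictable_isn={pred!s:5} urpf={urpf!s:5} -> {run_scenario(pred, urpf)}")
```

With a fixed-increment ISN and no ingress filter every forged handshake completes, because one probe from the attacker's real address reveals the next ISN; with per-connection random ISNs the guess space is 2^32 per attempt and none of the 100 attempts lands; with the ingress filter on, the forged SYN and ACK are dropped before the TCP stack sees them, so ISN quality stops mattering for sources inside 10.0.0.0/8. The model ignores a real-world complication the thread does not go into, namely that the genuine owner of the forged address may answer the unexpected SYN/ACK with a RST.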