Spoofing in URPF protected networks

uRPF (Unicast Reverse Path Forwarding) is a feature of routers, firewalls and similar network and security devices used to combat IP source-address spoofing.

uRPF checks whether a packet arrived on the interface it should have arrived on, by looking up the packet's source IP address in the routing table: in strict mode the route back to the source must point at the interface the packet came in on, in loose mode a route back to the source merely has to exist. The check is effective for the network behind the device, whose prefixes the device knows; it does little against spoofed packets arriving from the Internet, where the device cannot tell which interface a given source "should" arrive on.

During a DDoS test, the network or security device at the exit of the network the test is run from will usually drop the packets with forged source addresses because of uRPF (or a similar anti-spoofing feature). The generated packets never leave the network, so they have no effect on the target system. The way around this is to forge sources from the tester's own subnet: if the test host is 192.168.1.3/24, a random address from 192.168.1.0/24 is used. The edge device's route for that prefix points back at the interface the packets arrive on, so the uRPF check passes and the packets reach the target. The same holds for any prefix the device routes through that interface, and only for those; sources outside them are still dropped, and replies to the forged addresses of course never come back to the test host.
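The following is an added illustration of that filtering decision, not code from the original article or from any vendor's uRPF implementation. It models an edge device with a constructed routing table (the prefixes, interface names and candidate spoofed sources are this example's own assumptions) and applies the strict and loose variants of the check to a batch of forged source addresses arriving on the testers' interface, so you can see which ones would survive.

```python
import ipaddress

# Constructed routing table for a hypothetical edge device (example data, not
# from the original article). Each entry is (prefix, interface the prefix is
# reached through). Packets from the test host arrive on "lan0".
ROUTES = [
    ("192.168.1.0/24", "lan0"),   # subnet of the host running hping
    ("10.20.0.0/16", "lan1"),     # another internal segment behind the same device
    ("0.0.0.0/0", "wan0"),        # default route towards the Internet
]


def best_route(src, routes=ROUTES):
    """Longest-prefix match for src; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress, routes=ROUTES, allow_default=False):
    """Strict uRPF: the best route back to src must point at the ingress
    interface. A match on the default route only counts when allow_default is
    set; devices commonly ignore the default route in uRPF unless told otherwise."""
    hit = best_route(src, routes)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(src, routes=ROUTES, allow_default=False):
    """Loose uRPF: any route back to src is enough, whatever its interface."""
    hit = best_route(src, routes)
    if hit is None:
        return False
    net, _ = hit
    return allow_default or net.prefixlen != 0


def surviving_sources(candidates, ingress, routes=ROUTES, mode="strict"):
    """Return the forged sources a uRPF-filtering edge device would forward."""
    if mode == "strict":
        return [s for s in candidates if urpf_strict(s, ingress, routes)]
    return [s for s in candidates if urpf_loose(s, routes)]


if __name__ == "__main__":
    # Constructed sample of forged sources a tester on 192.168.1.3/24 might try.
    spoofed = ["192.168.1.77", "192.168.1.200", "10.20.5.5",
               "203.0.113.9", "198.51.100.4"]
    print("strict:", surviving_sources(spoofed, "lan0"))
    print("loose :", surviving_sources(spoofed, "lan0", mode="loose"))
```

Under strict uRPF only the two 192.168.1.x sources get through on lan0; the 10.20.5.5 source is routable but via lan1, so it only survives loose mode, and the two public sources match nothing but the default route and are dropped either way.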

Hping, which is used extensively in DDoS tests, is an open source packet generator for network testing. Among other things it can randomise the source IP address of the packets it sends with the --rand-source parameter.

However, stock hping cannot send packets whose source addresses are drawn from a chosen IP address block. The patch described here adds that capability through a --rand-pattern-source parameter. Building hping with the patch and using the new option are explained below.

Pre-installation system requirements:

- The Tcl development packages must be installed (hping's scripting support is built against Tcl).

# apt-get install tcl8.4 tcl8.4-dev

- hping's build expects the BPF header at net/bpf.h; on Linux, point it at the copy shipped with libpcap through a symbolic link.

# mkdir /usr/local/include/net

# ln -sf /usr/include/pcap-bpf.h /usr/local/include/net/bpf.h

Installation:

# wget http://www.hping.org/hping3-{version}.tar.gz

# tar -zxvf hping3-{version}.tar.gz

# cd hping3-{version}

(Apply the --rand-pattern-source patch to the extracted source tree at this point; the patch itself is not reproduced on this page.)

# ./configure && make && make install

Usage:

Once the patch has been applied and the build installed, packets can be sent from a chosen IP block with the --rand-pattern-source parameter. Each octet of the argument is either a fixed value or the wildcard x, which is replaced by a random value for every packet. For example, to send packets with source addresses from the 192.168.x.x block to port tcp/3737 of the target 127.0.0.1:

# hping3 -c 3 -S -p 3737 127.0.0.1 --rand-pattern-source 192.168.x.x

The tcpdump output of the relevant packets is as seen below.

# tcpdump -tttnn -i lo port 3737

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

00:00:00.000000 IP 192.168.111.137.1193 > 127.0.0.1.3737: Flags [S], seq 969737665, win 512, length 0

00:00:00.000019 IP 127.0.0.1.3737 > 127.0.0.1.1193: Flags [R.], seq 0, ack 969737666, win 0, length 0

00:00:01.000134 IP 192.168.108.254.1194 > 127.0.0.1.3737: Flags [S], seq 1919278313, win 512, length 0

00:00:00.000022 IP 127.0.0.1.3737 > 127.0.0.1.1194: Flags [R.], seq 0, ack 1919278314, win 0, length 0

00:00:01.000108 IP 192.168.174.173.1195 > 127.0.0.1.3737: Flags [S], seq 1078569436, win 512, length 0

00:00:00.000022 IP 127.0.0.1.3737 > 127.0.0.1.1195: Flags [R.], seq 0, ack 1078569437, win 0, length 0

As can be seen, the three SYN packets carry the source addresses 192.168.111.137, 192.168.108.254 and 192.168.174.173, all inside 192.168.0.0/16. Fixed octets need not be leading ones: to send packets with sources from the block 192.x.x.37 (first octet 192, last octet 37, the middle two random) to port tcp/3737 of the destination 127.0.0.1, the usage is

# hping3 -c 3 -S -p 3737 127.0.0.1 --rand-pattern-source 192.x.x.37

and the tcpdump output of those packets is shown below.

# tcpdump -tttnn -i lo port 3737

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

00:00:00.000000 IP 192.181.54.37.1956 > 127.0.0.1.3737: Flags [S], seq 119506247, win 512, length 0

00:00:00.000014 IP 127.0.0.1.3737 > 127.0.0.1.1956: Flags [R.], seq 0, ack 119506248, win 0, length 0

00:00:01.000141 IP 192.27.215.37.1957 > 127.0.0.1.3737: Flags [S], seq 556719496, win 512, length 0

00:00:00.000020 IP 127.0.0.1.3737 > 127.0.0.1.1957: Flags [R.], seq 0, ack 556719497, win 0, length 0

00:00:01.000126 IP 192.73.27.37.1958 > 127.0.0.1.3737: Flags [S], seq 1832818380, win 512, length 0

00:00:00.000021 IP 127.0.0.1.3737 > 127.0.0.1.1958: Flags [R.], seq 0, ack 1832818381, win 0, length 0

As can be seen, the packets carry the source addresses 192.181.54.37, 192.27.215.37 and 192.73.27.37. A fully wildcarded pattern, --rand-pattern-source x.x.x.x, is not accepted for generating completely random source addresses: that is what the stock --rand-source parameter already does, and the patch points you at it with the following warning.

# hping3 -c 3 -S -p 3737 127.0.0.1 --rand-pattern-source x.x.x.x

HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes

Try --rand-source now.

Likewise, --rand-pattern-source and --rand-source cannot be used at the same time; the patch rejects the combination with the warning below.

# hping3 -c 3 -S -p 3737 127.0.0.1 --rand-pattern-source 127.x.x.x --rand-source

Not use both --rand-pattern-source && --rand-source options !
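As an added illustration of the option's semantics, not code from hping or from the patch, the following models how a --rand-pattern-source argument is parsed and turned into per-packet source addresses, including the two refusals shown above. It assumes (as the examples on this page suggest) that each dotted field is either a fixed octet or the wildcard x; the function names are this example's own.

```python
import random

# Added illustration of the --rand-pattern-source semantics described in the
# article; not hping code. Assumption: each of the four dotted fields is either
# a fixed octet (0-255) or the wildcard "x".


def parse_pattern(pattern):
    """Return four fields: an int for a fixed octet, None for a wildcard.
    Raises ValueError for anything that is not a four-field dotted pattern."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError("pattern must have four dotted fields: %r" % pattern)
    fields = []
    for p in parts:
        if p.lower() == "x":
            fields.append(None)
            continue
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError("bad octet %r in pattern %r" % (p, pattern))
        fields.append(int(p))
    return fields


def choose_source(pattern=None, rand_source=False, rng=random):
    """Pick one source address per packet the way the patched option would.

    Reproduces the two checks shown in the article: a fully wildcarded
    pattern is refused with the "Try --rand-source now." message, and
    combining the pattern with --rand-source is refused as well. With neither
    option set, None is returned and the caller keeps the real interface address."""
    if pattern is not None and rand_source:
        raise ValueError("Not use both --rand-pattern-source && --rand-source options !")
    if pattern is None:
        if not rand_source:
            return None
        return ".".join(str(rng.randrange(256)) for _ in range(4))
    fields = parse_pattern(pattern)
    if all(f is None for f in fields):
        raise ValueError("Try --rand-source now.")
    return ".".join(str(rng.randrange(256)) if f is None else str(f) for f in fields)


def matches_pattern(addr, pattern):
    """True if addr fits the pattern: fixed octets equal, wildcards match anything."""
    fields = parse_pattern(pattern)
    octets = addr.split(".")
    return len(octets) == 4 and all(
        f is None or str(f) == o for f, o in zip(fields, octets))


def source_batch(pattern, count, seed=None):
    """Generate count source addresses from pattern; seed makes the run repeatable."""
    rng = random.Random(seed)
    return [choose_source(pattern, rng=rng) for _ in range(count)]


if __name__ == "__main__":
    for p in ("192.168.x.x", "192.x.x.37"):
        print(p, "->", source_batch(p, 3, seed=1))
    for bad in ("x.x.x.x",):
        try:
            choose_source(bad)
        except ValueError as e:
            print(bad, "->", e)
```

The useful check for a test is the one `matches_pattern` performs: every address the generator emits must keep the fixed octets, which is exactly what the tcpdump captures above confirm for 192.168.x.x and 192.x.x.37.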

In short, with this patch hping can generate the desired packets from a chosen source IP address or address block, which is exactly what is needed to forge sources that pass a uRPF-filtering edge device during a network test.
