5

Suppose as an attacker i want to carry out a Ping or SYN Flood attack..

I can change the source IP of the packets generated at my machine to a false/spoofed public IP address so that replies go to that spoofed IP to avoid detection.

A WiFi router or any device for that matter .. would it drop the packet if source IP was a spoofed public IP or does it forward the packet to the destination or does NATing take place and the reply comes back to the router public IP address?

How would IP Spoofing work in this case? ..what is the general behavior of networking devices here

Edit: If there are so many variations in behavior of networking devices .. then how do Botnet operators manage to carry out DDoS from their slaves .. since majorly bots are in NATed home/business environment?

riteshtch
  • 151
  • 1
  • 5

2 Answers2

7

There are three likely behaviors as the packet is sent from the LAN to the router:

  1. The router apply reverse route filtering and drop the packet.
  2. The router does not filter. Instead the router treat it like any other packet from the LAN, which means the source IP is replaced with the IP of the router, and the router create a connection tracking entry.
  3. The router does not apply filtering or NAT. Instead the router forward the packet with spoofed source address.

In the first case, nothing more happens. In the third case, the packet may be dropped or forwarded by the ISP. In one of these cases the spoofed packet makes it all the way to the target. But no reply will be coming back to this router, because it would go to the spoofed IP.

The most interesting case is the one where NAT is applied to the packet. The ISP will no longer be able to drop the packet based on the source IP, because in this case the source IP is in fact valid as far as the ISP is concerned. But this is not very harmful because the packets can be easily filtered based on source IP once they reach the destination (assuming the flood is large enough to be noticeable at the destination). It also cannot easily be abused in a reflection attack, because the replies go back to the NAT router.

What happens to any replies coming back to the NAT router is more interesting. They will match a connection tracking entry. But after the NAT has been applied, the destination address will not be inside the LAN, but externally. At this point there are a few possible outcomes:

  • The router may refuse to forward the packet because it would be send back on the interface from whence it came.
  • The router may forward the packet back on the outside network as soon as it has applied NAT according to the connection tracking entry.
  • The router may attempt to perform NAT on the packet again, because it would be leaving on the external interface.

The first case where the packet is dropped, is not particular interesting or harmful.

The second case where the packet is forwarded back on the external network is more interesting. This is the case where the NAT prevented any spoofing from taking place in the first place, but a side effect of this is that on processing the reply, it actually produces a packet with spoofed source IP (effectively the source and destination IP of the original packet has been reversed).

If the ISP does not filter the packet due to invalid source IP, the return traffic will then be forwarded to the IP which was spoofed in the first place. And on arrival will look pretty much the same as it would, if no NAT had taken place at all.

But since this involves three trips across the external connection of the attacking network, the rate of attack traffic is limited compared to what it could have been.

If the router tries to NAT again, stuff gets a bit interesting. The issue here is that it isn't the first packet of a flow, so the NAT layer may not know how to deal with it. So the packet may be dropped because of NAT being applied without having seen the first packet of the flow.

It is also possible that a connection tracking entry is created. Since that newly created connection tracking entry was obviously not applied to the first packet of the flow, there is no way this could work at all for a TCP connection. But other protocols could possibly work even in such a scenario. However since this particular packet is due to spoofing, nothing good will come from NATing it.

If we assume this was a TCP SYN-ACK packet, and the router does NAT it again in spite of not making any sense at all, then the SYN-ACK will be forwarded by the ISP. The SYN-ACK will trigger a RST response (assuming the destination is functional), the RST will then go back through both connection tracking entries and get forwarded to the host from where the SYN-ACK came and clean up the connection.

As you can see, there is lots of ifs in this flow. And there is likely some possible outcome, which I have not considered.

kasperd
  • 5,402
  • 1
  • 19
  • 38
3

It depends on your router settings.

  • If your router have filtering in place, it will drop the packet, as it's source address is not from any networks known by the router. I usually configure my gateways/firewalls/routers to do this.

  • If your router does not have any filtering (the most common scenario) it will change the source address on the packet to its own address, and put an entry in an internal table to "remember" to which connection the packet belongs. As soon as it gets a response, the router will look at that internal table to see where to send the packet. As the address is not from any internal network, the router will send the packet away to the default gateway.

Edit: DDoS botnets generally don't rely on this method. They generally consist of dozens (or hundreds) of thousands of infected computers, waiting a command to attack some site. When the command arrives, all infected computers connect to the same site at once. If a botmaster have 100.000 bots on its network, each one with an average 4mbps downlink, it can theoretically generate 400Gbps of traffic.

There's another DDoS method, called amplification. It works by faking the source and sending a packet to a service that returns more data than it was send. DNS and NTP are the most common abused protocols. DNS amplification uses about 60 outgoing bytes and often results in over 4k bytes returning. Its a 70:1 ratio.

In this case, a very small botnet (10.000 bots with average 4Mbps connection) can generate enough traffic to knock down lots of sites.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142