Wilders Security Forums > Official LooknStop Firewall Forum > LnS English Forum
#1
January 13th, 2005, 09:57 AM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Loopback and spoofing

Hello!

1. How do I set up anti-spoofing rules? Or maybe LnS protects from spoofing with no need for specific rules?

2. What is the best way for a setup with application control enabled which allows all loopback traffic without needing to authorize applications that perform local communications only?

TIA
X.
#2
January 14th, 2005, 05:09 PM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Come on, ppl. You just have to know that...

BTW, as far as I understand LnS, the second is impossible.
X.
#3
January 14th, 2005, 05:16 PM
Lowryder
Posts: n/a
Re: Loopback and spoofing

Hi,

If you want to see how those rule-sets are created, I suggest you download Phantom's v6. They are both there for you to find the two you want to learn about; click edit. Good luck.
#4
January 14th, 2005, 05:21 PM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Account hosting the file is suspended.

X.
#5
January 14th, 2005, 07:09 PM
Lowryder
Posts: n/a
Re: Loopback and spoofing

Here you go!

http://www.wilderssecurity.com/showt...=Phantoms+rule
#6
January 15th, 2005, 04:42 AM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Unfortunately this ruleset answers neither of my questions (at least I cannot see the answers). For example, the Land attack rule would not be necessary if LnS supported anti-spoofing.

Also, my concept of the LnS setup mentioned in my first post is not possible, because if application filtering is enabled, every application trying to connect displays the Allow/Block dialog. Network Filtering is a separate layer below Application Filtering, and the latter does not know anything about rules set up for the network (such as a rule that would allow 127.0.0.1<->127.0.0.1).

X.
#7
January 15th, 2005, 06:01 AM
tosbsas
Frequent Poster
Join Date: Feb 2002
Location: Lima, Peru
Posts: 768
Re: Loopback and spoofing

Have you checked your options? I think there is an antispoof already implemented.

Ruben
__________________
A New Generation transformed by the Power of God

Running German Windows 7 Enterprise OEM
#8
January 15th, 2005, 07:36 AM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Quote:
Originally Posted by tosbsas
Have you checked your options? I think there is an antispoof already implemented.

Ruben

I cannot find any information on it. Can you point me in the right direction?

X.
#9
January 16th, 2005, 12:33 AM
Lowryder
Posts: n/a
Re: Loopback and spoofing

Quote:
Originally Posted by Xyzzy
I cannot find any information on it. Can you point me in the right direction?

X.

If you go to the LnS tab called Options, look in that box and you will see a box Advanced options; click on that. If you look at the top there is an anti-flood option; check it and you are now protected.
#10
January 16th, 2005, 03:32 PM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Spoofing is not flooding. Spoofing is falsifying one's IP address. It is used in a number of network attacks, like man-in-the-middle.

The "problem" with LnS is that it seems to bind in fact to two interfaces: Loopback and the one selected in Options.

Now, I would like to block incoming connections (net >> PC) with source address equal to my IP. But LnS binds also to my loopback interface; when there is an "incoming connection with my IP address", it can also be an application using my loopback interface, which should not be blocked.

In Phantom's ruleset there is an anti-spoof rule, but it can be triggered by an application using the non-loopback interface to communicate with the local PC.

X
#11
January 16th, 2005, 04:26 PM
rerun2
Frequent Poster
Join Date: Aug 2003
Posts: 338
Re: Loopback and spoofing

1. Isn't spoofing covered by TCP SPI?

2. If this were implemented in the way you suggest, can't someone just spoof your local address/127.0.0.1? As long as you authorize the application using loopback, whether it be "just this time/just this session/always allow" I do not really see what the problem is. If LnS were not to warn you at all you might have a situation similar to Sygate's loopback issue.
#12
January 16th, 2005, 05:21 PM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

0a. I am not sure what the possible source and destination addresses for loopback traffic are. 127.0.0.1->127.0.0.1, MyIP->127.0.0.1?
0b. I don't know if it happens that applications for some reason communicate via the external IP, so that applications on my PC send traffic MyIP->MyIP.

@1. In part, but not quite. SPI in general checks whether every packet is part of an existing connection, established by the 3-way TCP handshake. Even if the SPI option in LnS is turned off, LnS observes state, because for WWW you just need to define a rule for Outbound TCP port 80 and not for the response traffic (this was necessary with the first firewalls; you needed to also define Inbound TCP 80->1025-65535). The SPI option, in my opinion, does not turn SPI on; it is on all the time. It just enables some more logging and displays additional info in the SPI dialog box.

@2. I don't know the issue with Sygate. I would like to be able to see a clear distinction in LnS between where my rules influence loopback and where they influence my network interface, like adding a column for the interface to which a rule applies; that is how it is done in "big" commercial firewalls. When I define a rule for inbound traffic, how can I say if it is inbound from my machine to my machine or from a remote machine to my machine? I need to put it in the rule, and it should be defined by the context the rule is defined in.
What is the best way to create a rule saying "If this packet comes from a remote machine and its source address is a non-routable IP or my own IP, drop it"?

X.
#13
January 17th, 2005, 03:53 AM
Xyzzy
Regular Poster
Join Date: Jan 2005
Location: Poland
Posts: 65
Re: Loopback and spoofing

Quote:
Originally Posted by Xyzzy
0a. I am not sure what the possible source and destination addresses for loopback traffic are. 127.0.0.1->127.0.0.1, MyIP->127.0.0.1?
0b. I don't know if it happens that applications for some reason communicate via the external IP, so that applications on my PC send traffic MyIP->MyIP.

Stupid me!
@0a. Loopback traffic is only 127.0.0.1->127.0.0.1, unless something is very wrong with the TCP/IP setup. But supporting a seriously screwed config is beyond a firewall's tasks.
@0b. But of course it is possible. For example when I have a WWW server on my PC, visible from the Internet, and use it to access pages it serves.

That leads to questions:
- Is a SYN packet for a connection on my loopback or MyIP->MyIP treated as inbound, outbound, or is it processed twice, as inbound and outbound?
- How can I distinguish in the configuration a legal connection MyIP->MyIP from a packet with the same source and destination addresses (MyIP->MyIP) but received on an external interface (that's spoofing)?

X.
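As an added example that is not part of this thread and does not reproduce Look 'n' Stop's own rule format or internal behaviour, the following Python classifier shows the two distinctions Xyzzy asks about in posts #12 and #13: an anti-spoof check that applies only to packets received on the external interface, so the same MyIP->MyIP addresses are allowed when they arrive via loopback and dropped when they arrive from the wire, plus the minimal state tracking that lets a single "Outbound TCP 80" rule admit the reply packets without a separate inbound rule. The host address 203.0.113.10 (a documentation address), the interface names eth0 and lo, the optional trusted LAN range, and the sample packets are constructed assumptions, not values from the thread.

```python
"""Interface-aware anti-spoof check plus minimal TCP state tracking (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed host configuration for the example.
MY_IP = ip_address("203.0.113.10")   # this host's external address (documentation range)
EXTERNAL_IF = "eth0"                 # interface facing the network
LOOPBACK_IF = "lo"                   # loopback interface

# Source ranges that must never arrive from the network on the external interface.
# A LAN that the user actually uses can be excluded via Filter(trusted_private=...).
BOGON_SOURCES = [
    ip_network("127.0.0.0/8"),
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("0.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet was seen on
    direction: str    # "in" (towards this host) or "out" (from this host)
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class Filter:
    def __init__(self, allowed_outbound_ports=(80,), trusted_private=()):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.trusted_private = [ip_network(n) for n in trusted_private]
        # Connections opened by this host: (local_ip, local_port, remote_ip, remote_port)
        self.state = set()

    def is_spoofed(self, pkt):
        """True when a packet from the wire claims a source it cannot legitimately have.

        The check is keyed on the receiving interface: loopback traffic never
        crosses the wire, so only inbound packets on EXTERNAL_IF are examined.
        """
        if pkt.direction != "in" or pkt.iface != EXTERNAL_IF:
            return False
        src = ip_address(pkt.src)
        if src == MY_IP:                      # my own address arriving from outside
            return True
        if any(src in n for n in self.trusted_private):
            return False                      # user-excluded LAN range
        return any(src in n for n in BOGON_SOURCES)

    def decide(self, pkt):
        """Return an allow/drop verdict with a short reason tag."""
        if pkt.iface == LOOPBACK_IF:
            return "allow"                    # local-only traffic, same addresses are fine here
        if self.is_spoofed(pkt):
            return "drop:spoofed-source"
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            # A plain SYN to an allowed port opens a connection; other outbound
            # packets are allowed only if they belong to one already opened.
            if pkt.syn and not pkt.ack and pkt.dport in self.allowed_outbound_ports:
                self.state.add(key_out)
                return "allow"
            return "allow" if key_out in self.state else "drop:no-rule"
        # Inbound: admitted only as the reply half of a connection this host opened.
        if key_in in self.state:
            return "allow:established"
        return "drop:unsolicited"


if __name__ == "__main__":
    f = Filter()
    samples = [
        Packet("lo", "in", "203.0.113.10", "203.0.113.10", 40000, 80, syn=True),
        Packet("eth0", "in", "203.0.113.10", "203.0.113.10", 40000, 80, syn=True),
        Packet("eth0", "out", "203.0.113.10", "198.51.100.7", 51000, 80, syn=True),
        Packet("eth0", "in", "198.51.100.7", "203.0.113.10", 80, 51000, syn=True, ack=True),
    ]
    for p in samples:
        print(p.iface, p.direction, p.src, "->", p.dst, f.decide(p))
```

The two packets at the top of the sample list carry identical addresses; only the interface differs, which is exactly the column Xyzzy wishes the rule editor exposed. The last two show why an outbound-only rule suffices: the SYN-ACK is admitted because it matches a connection the host itself opened, while an unsolicited SYN from outside, spoofed or not, never matches state.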
#14
January 17th, 2005, 07:09 AM
Lowryder
Posts: n/a
Re: Loopback and spoofing

If you want to use spoofing on Phantom's Ruleset, you must add your MAC address. For some rules you have to enter the information yourself, and spoofing is one of them. Good luck.
#15
January 17th, 2005, 07:53 AM
Phant0m
Very Frequent Poster
Join Date: Jun 2003
Posts: 2,791
Re: Loopback and spoofing

Hi Xyzzy

Actually there were attacks "generated remotely" that spoofed as LocalIP; the "+Loopback" rule shown in Phant0m's Rule-set only applies to Inbound traffic, "Internet >> PC", which covers this.

If it weren't for the fact of one rule per IP with Look 'n' Stop, I would have included a rule to block all Private IPs, and users with a Network/Router setup could exclude whichever one they are using, normally 192.168.*.

The mere SPI implementation in Look 'n' Stop should handle spoofing a bit, especially LocalIP attacks generated remotely, but many aren't using SPI because it interferes with software many run.

-

Look 'n' Stop Application filtering will detect applications accessing client environments, so it'll catch applications making connections to LocalIP. If you have already authorized an application's connecting rights, Look 'n' Stop will permit LocalIP connections regardless of the restrictions you provide.

Look 'n' Stop Application-filtering doesn't function like the everyday Application-filtering based software firewalls. Look 'n' Stop only controls applications accessing network environments; if an application is authorized to connect, it is then the job of "Internet filtering" to control packets.

Regards,
Phant0m``
__________________
"Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.” --Dennis Waitley
#16
January 17th, 2005, 09:25 AM
no13
Retired Major Resident Nutcase
Join Date: Sep 2004
Location: Wouldn't YOU like to know?
Posts: 1,337
Re: Loopback and spoofing

Phant0m...
[off topic]
Can you direct me to a place where SPI is explained in a patient way... whitepapers, RFCs... ANYTHING at all?
I keep coming up with either two-paragraph definitions or something almost, but not quite, entirely unrelated to network security.
Thx
[/off topic]
Edit: when did you move to Mars? You could have come over to the Sea of Tranquility when you were launching off moon you know. My place is only a couple of hours away from the SpacePort by lunar-buggy...
__________________
1337 4-3v3r!
Thanks for all this...
take down my gmail and yahoo [msgr] id's if you want
//||// [[]] 11 33
 
