Loopback and spoofing

Discussion in 'LnS English Forum' started by Xyzzy, Jan 13, 2005.

Thread Status:
Not open for further replies.
  1. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Hello!

    1. How do I set up anti-spoofing rules? Or maybe LnS protects from spoofing with no need for specific rules?

    2. What is the best way for a setup with: application control enabled and which allows all loopback traffic without need to authorize applications that perform local communications only?

    TIA
    X.
     
  2. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Come on, ppl. You just have to know that...

    BTW, as far as I understand LnS the second is impossible :(
    X.
     
  3. Lowryder

    Lowryder Guest

    Hi,


    If you want to see how those rule-sets are created I suggest you download Phantom's v-6. They are both there for you to find the two you want to learn about and click edit. Good luck
     
  4. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Account hosting the file is suspended.

    X.
     
  5. Lowryder

    Lowryder Guest

  6. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Unfortunately this ruleset answers neither of my questions (at least I cannot see the answers). For example the Land attack rule would not be necessary if LnS supported anti-spoofing.

    Also, my concept of LnS setup mentioned in my first post is not possible, because if application filtering is enabled, every application trying to connect displays Allow/Block dialog, because Network Filtering is a separate layer below Application Filtering, and the latter does not know anything about rules set up for network (with a rule that would allow 127.0.0.1<->127.0.0.1).

    X.
     
  7. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Have you checked your options - I think there is an antispoof already implemented

    Ruben
     
  8. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    I cannot find any information on it. Can you point me to the right direction?

    X.
     
  9. Lowryder

    Lowryder Guest



    If you go to the LnS tab called Options, look in that box and you will see a box Advanced options, click on that. If you look at the top there is an anti-flood option, check it and you are now protected.
     
  10. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Spoofing is not flooding. Spoofing is falsifying one's IP address. It is used in a number of network attacks, like man-in-the-middle.

    The "problem" with LnS is that it seems to bind in fact to two interfaces- Loopback and the one selected in Options.

    Now, I would like to block incoming connections (net >> PC) with source address equal to my IP. But LnS binds also to my loopback interface - when there is an "incoming connection with my IP address", it can also be an application using my loopback interface, which should not be blocked.

    In Phantom's ruleset there is an antispoof rule, but it can be triggered by an application using a non-loopback interface to communicate with the local PC.

    X
     
  11. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    1. Isn't spoofing covered by TCP SPI?

    2. If this were implemented in the way you suggest, can't someone just spoof your local address/127.0.0.1? As long as you authorize the application using loopback, whether it be "just this time/just this session/always allow" I do not really see what the problem is. If LnS were not to warn you at all you might have a situation similar to Sygate's loopback issue.
     
  12. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    0a. I am not sure what the possible source and destination addresses for loopback traffic are. 127.0.0.1->127.0.0.1, MyIP->127.0.0.1?
    0b. I don't know if it happens that applications for some reason use communication via external IP, so that applications on my PC send traffic MyIP->MyIP.

    @1. In part, but not quite. SPI in general controls whether every packet is a part of an existing connection, established by the 3-way TCP handshake. Even if the SPI option in LnS is turned off, LnS observes state, because for WWW you just need to define a rule for Outbound TCP port 80 and not for the response traffic (this was necessary with the first firewalls; you needed to define also Inbound TCP 80->1025-65535). The SPI option, in my opinion, does not turn SPI on; it is on all the time. It just enables some more logging and displaying additional info in the SPI dialog box.

    @2. I don't know the issue with Sygate. I would like to be able to see a clear distinction in LnS where my rules influence loopback, and where my network interface, like adding a column for the interface to which a rule applies - that's how it is done in "big" commercial firewalls. When I define a rule for inbound traffic, how can I say if it is inbound from my machine to my machine or from a remote machine to my machine? I need to put it in the rule, and it should be defined by the context the rule is defined in.
    What is the best way to create a rule saying "If this packet comes from a remote machine and its source address is a non-routable IP or my own IP, drop it"?

    X.
     
  13. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Stupid me!
    @0a. Loopback traffic is only 127.0.0.1->127.0.0.1, unless something is very wrong with TCP/IP setup. But supporting seriously screwed config is beyond firewalls' tasks.
    @0b.But of course it is possible. For example when I have a WWW server on my PC, visible from Internet, and use it to access pages it serves.

    That leads to questions:
    - is SYN packet for a connection on my loopback or MyIP->MyIP treated as inbound, outbound or is it processed twice- as inbound and outbound?
    - How can I make a difference in configuration for legal connection MyIP->MyIP from a packet with the same source and destination addresses (MyIP->MyIP), but received on an external interface (that's spoofing)o_O?

    X.
     
  14. Lowryder

    Lowryder Guest

    If you want to use spoofing, on Phantom's Ruleset, you must add your Mac address. Some rules you have to enter the information yourself, and spoofing is one of them. Good luck
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Xyzzy

    Actually there were attacks “generated remotely” that spoofed as LocalIP, the rule “+Loopback” rule shown in Phant0m``s Rule-set only applies to Inbound traffic, “Internet >> PC”, which covers this.

    If it weren’t for the fact of one rule per IP with Look ‘n’ Stop, I would have included a rule to block all Private IPs, and users with a Network/Router setup could exclude whichever one they are using, normally 192.168.*.

    The mere SPI implementation in Look ‘n’ Stop should handle spoofing a bit, especially LocalIP attacks generated remotely, but many aren’t using SPI because it interferes with software many run.

    -

    Look ‘n’ Stop Application filtering will detect applications accessing client environments, so it’ll catch applications making connections to LocalIP. If you have already authorized an application's connecting rights, Look ‘n’ Stop will permit LocalIP connections regardless of the restrictions you provide.

    Look ‘n’ Stop Application-filtering doesn’t function like the everyday Application-filtering based software firewalls. Look ‘n’ Stop only controls applications accessing network environments; if an application is authorized to connect, it is then the job of “Internet filtering” to control packets.

    Regards,
    Phant0m``
     
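An added illustration (not Look ‘n’ Stop code, nor anything from the posters in this thread) of the interface-aware anti-spoofing decision Xyzzy asks for in posts 12-13 and the private-IP block Phant0m mentions above: the same source address is legitimate on the loopback interface and spoofed when it arrives from the wire. Interface names and addresses are constructed sample values.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample values: "MyIP" and the interface names are assumptions.
MY_IP = ipaddress.ip_address("203.0.113.10")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
# Non-routable source ranges (RFC 1918 plus link-local). A user behind a
# router would remove the range their own LAN uses, as Phant0m describes.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


class Packet(NamedTuple):
    iface: str       # "lo" (loopback) or "eth0" (external), constructed names
    direction: str   # "in" or "out" from the host's point of view
    src: str
    dst: str


def decide(pkt: Packet) -> str:
    """Return 'allow:<reason>' or 'drop:<reason>' for one packet.

    The interface is part of the decision, which is exactly what a
    per-address rule without interface context cannot express.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "lo":
        # Loopback: 127/8 <-> 127/8, or MyIP <-> MyIP (e.g. a local web
        # server reached via the external address), is legitimate here.
        if (src in LOOPBACK_NET and dst in LOOPBACK_NET) or (src == MY_IP and dst == MY_IP):
            return "allow:loopback"
        return "drop:bad-loopback"
    if pkt.direction == "in":
        # Ingress anti-spoofing on the external interface: nothing on the
        # wire may claim our own address or 127/8 (this also covers Land,
        # where src == dst == MyIP).
        if src == MY_IP or src in LOOPBACK_NET:
            return "drop:spoofed-local"
        if any(src in net for net in BOGON_NETS):
            return "drop:non-routable-source"
    return "allow:default"
```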
  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Phant0m...
    [off topic]
    can you direct me to a place where SPI is explained in a patient way... whitepapers, RFC... ANYTHING at all?
    I keep coming up with either two para definitions or something almost, but not quite, entirely unrelated to network security.
    Thx
    [/off topic]
    Edit: when did you move to Mars? You could have come over to the Sea of Tranquility when you were launching off moon you know. My place is only a couple of hours away from the SpacePort by lunar-buggy...
     