Wednesday, 1 October 2014

Scan the internet for Autonomous Systems that can perform IP spoofing

I have always been interested in IP spoofing. I would say it's something "elegant", and it's a neat way to show how the Internet works, or rather how there are some inherent flaws with it. My greatest geek pride is a hack based on IP spoofing and source IP-port guessing, that allowed me to make players shit carrots while walking.

Unfortunately, IP spoofing enables shitkids to have in the virtual world the leverage they don't have in real life, and I'm talking about DRDoS. Lately I've been involved in protecting the very same game that I hacked against this kind of attack. And of course, since I live in a constant moral greyzone, I couldn't miss experimenting on the other side of the front.

What and How

Performing IP spoofing requires a machine in an AS that allows such packets to be effectively sent out of its network. Finding one of these is no longer the trivial task it was years ago, and the knowledge of which providers allow that is usually not accessible for free. There are some places where you can find the worst scum of the internet and rent services from these fishy individuals, but it's usually a very unpleasant experience if you are there just for the sake of knowledge. So I started thinking about how I could harvest this kind of AS.

My idea is pretty simple:
  • pick a protocol in which a single query packet is answered with a reply whose payload the sender can control
  • force the above-mentioned payload to be the destination IP (the "visible global IP" of the host) of the query packet
  • inspect the response and check for weird mismatches between the payload and the source address.
It is true that the source address should match the payload even in ASes that allow IP spoofing, but my worldwide scan shows that there are a lot of hosts that send out the weirdest shit, because connection tracking, NAT or routing altogether is not properly configured. And this post is exactly about these results.


First guess for the protocol? ICMP ping. Universal, reliable since the query payload is transmitted back as is, and generally not filtered.
I wrote my own simple C++ program that pings the internet in a pseudo-random order, so that a single target network doesn't get a sudden spike of traffic (just like other tools do), and the result gathering was just tcpdump and some awkward bash scripts. I'm not going to share the code because I don't want lamers to gain from my ideas without effort, and also because I simply lost it. I decided to limit the results to hosts that sent non-globally routable source addresses, as there is no chance of incurring false positives: a simple mismatch between the payload and the source address is most probably caused by bad connection tracking and hosts with multiple network interfaces.
If you attempt to reproduce these results, be aware of two things. First, you'll get abuse complaints, even for a ping scan, which has had no known vulnerabilities in the last 30 years, I think. American university networks seem to be the most hysterical, and I would like to have a word about that in a future rant post. Second, I used a machine at a hosting provider which has different datacenters, and of the two that I tried only one was capable of receiving replies with weird invalid source addresses.
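The payload-versus-source check described above, as an added example that is not the post's own code (the author did not publish theirs): it builds the ICMP echo payload that carries the probed address, parses raw IPv4/ICMP echo replies from a capture, and classifies each reply the way the post does, treating only replies whose source address is non-globally routable as the false-positive-free signal and the rest of the mismatches as probable multi-homing or connection-tracking noise. The packet bytes, the addresses and the list of reserved ranges (RFC 6890 special-purpose blocks) are constructed here; a fetched bogon list would simply be appended to `RESERVED`.

```python
"""Check ICMP echo replies from a capture: does the IPv4 source address match
the probed address that the echo payload carries back?  Added example, not the
post's code; packets, addresses and the reserved-range list are constructed here."""
import ipaddress
import struct
from collections import Counter

# RFC 6890 special-purpose IPv4 ranges: none of these should arrive as the
# source address of a packet from the public Internet.  A fetched bogon list
# (as the post adds later) would be appended to this list.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_reserved(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RESERVED)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type, probe_dst, ident=0x1234, seq=1):
    """ICMP echo (type 8 = request, 0 = reply) whose 4-byte payload is the
    address that was probed, so a reply carries it back unchanged."""
    payload = ipaddress.ip_address(probe_dst).packed
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def make_ipv4(src, dst, icmp):
    """Minimal IPv4 header in front of an ICMP message, for constructed
    captures (header checksum left zero: the parser below does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + icmp


def parse_reply(pkt):
    """Return (source_ip, probed_ip) for a raw IPv4 echo reply, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4, protocol ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 12 or icmp[0] != 0:                       # type 0 = echo reply
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    probed = str(ipaddress.IPv4Address(icmp[8:12]))
    return src, probed


def classify(src, probed):
    if src == probed:
        return "ok"
    if is_reserved(src):
        return "reserved-source"   # the post's filter: a reserved source is never a benign mismatch
    return "global-mismatch"       # multi-homing / conntrack quirks; proves nothing by itself


def triage(packets):
    """Count classifications over raw captured packets, skipping non-replies."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_reply(pkt)
        if parsed:
            counts[classify(*parsed)] += 1
    return counts


# Constructed captures: the scanner and the probed hosts live in the
# 203.0.113.0/24 documentation range; 203.0.114.5 stands in for an ordinary,
# non-reserved global address (it is not a real host).
SCANNER = "203.0.113.200"
SAMPLE_CAPTURES = [
    make_ipv4(src, SCANNER, build_icmp_echo(0, probed)) for src, probed in (
        ("203.0.113.10", "203.0.113.10"),   # sane host
        ("10.1.2.3",     "203.0.113.11"),   # RFC 1918 source leaked to the Internet
        ("192.168.0.1",  "203.0.113.12"),
        ("203.0.114.5",  "203.0.113.13"),   # mismatch but routable: probably multi-homed
        ("169.254.7.7",  "203.0.113.14"),   # link-local source
    )
] + [make_ipv4(SCANNER, "203.0.113.15", build_icmp_echo(8, "203.0.113.15"))]  # our own request

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURES:
        parsed = parse_reply(pkt)
        if parsed:
            print("%-15s carries %-15s -> %s" % (parsed[0], parsed[1], classify(*parsed)))
    print(dict(triage(SAMPLE_CAPTURES)))
```

Feeding real capture bytes instead of `SAMPLE_CAPTURES` is the only change needed to run this over a tcpdump export; the request entry in the sample shows that non-reply traffic is skipped rather than counted.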


Here is a plot of the raw number of hits for reserved IP classes.

Judge for yourself. I find this rather amusing.
One remarkable thing is the complete lack of, which every host should have attached to the loopback interface. In my opinion, this is due to the fact that a packet with this source address would need to originate from the loopback interface, and at least the Linux kernel seems to have hardcoded behaviors that make the packet "stick" to the interface (that is, even policy-based routing is ignored and the packet is looped directly back to the host).

I'm not going to provide the raw capture files, so don't bother asking.


Thanks to user dzrtguy on reddit, who reminded me of the existence of bogons. I included them in the graph even though it doesn't strictly mean that these ASes allow spoofing. Also beware that I ran this scan in May 2014, and I fetched the bogon list today, October 1st, so there might be false positives or misses: the former is more likely, as the bogon list should contain not yet assigned addresses.
