Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

Jimmy Hess mysidia at gmail.com
Sun Aug 11 13:23:22 UTC 2013

A strange thought occurs....
Regarding, devices that unintentionally have SNMP open to the public.

They might also have write access open,  which could enable reconfiguring
the device to facilitate full  TCP spoofing, or opening up a tunnel;
 enabling 3 way handshake and everything,  permitting the possible DDoS
 conditions to go well beyond simple UDP reflection.

Those devices that just have SNMP read access;   might reveal enough
information in the exposed MIBs about the device,  timestamps,  connection
table status.....  for an attacker to successfully  inject  false data into
a TCP stream.

For example...  spoofing a TCP message containing a false BGP route
advertisement;   if enough about the state of the router's  TCP connection
table and synchronization numbers,  timestamp,  and other hints about the
state of the random number generator, can be discovered directly or
indirectly through some piece of data in the SNMP MIB....


On Sun, Aug 11, 2013 at 7:45 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Jared Mauch:
> > Number of unique IPs that spoofed a packet to me. (eg: I sent a
> > packet to and responded).
> That's not necessarily proof of spoofing, isn't it?  The system in
> question might legitimately own IP addresses from very different
> networks.  If the system is a router and the service you're pinging is
> not correctly implemented and it picks up the IP address of the
> outgoing interface instead of the source address of the request,
> that's totally expected.
> I'm not saying that BCP 38 is widely implement (it's not, unless
> operators have configured exceptions for ICMP traffic from private
> address, which I very much doubt).  I just think you aren't actually
> measuring spoofing capabilities.


More information about the NANOG mailing list