routing to a Prvt IP across the net.

Ok a question for you all.

I have a device that has a 172.x.x.x address, sitting inside the network.

Some one had put a rule in the fire wall that say Any source allowed to talk to the 172.x.x.x range.

No the strange this was, that I could see public address from the internet attempting to connect to this device.

My question is how can you route to a specifice prvt ip address from out side a net work (there is no NAT set up on any of our network as we have a 1/4 of a public class B network for any thing we want to have external access.

so how come on my fire wall logs i see things like

source 82.12.125.45 destination 172.34.1.23

and failed log in attempts on the device its self from the 82.12.125.45.

I am assuming this is a case of source based routing, so does any one have any experince of using it our good docs about it?

cheers

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

m3zilla

the class B private range is 172.16 - 172.31.255.255.

According to a couple whois lookup, the 172.32.0.0/11 is allocated to T-Mobile. So err...I guess we know who you're working for

DevilWAH

nope I just randomly typed a 172 address, it was meant to be a prvt address but finger slipped.

if you had seen my previous posts you would know who I work for as I have posted it hear before, i don't work for such a silly company as T mobile, I work wih lots of very cleaver people

it_consultant

Even if you don't have NAT set up you still need a specific rule to tell the firewall how to route a public to a private address. An inbound NAT rule is really two rules, a NAT rule and an allow rule to a specific host. In your case you don't need the NAT rule but you still need an ACL. There isn't a way that I know of that you can have a rule that allows from the public to a range of private IPs. The router won't know how to route it when it receives the packet from the outside.

DevilWAH

I have been reading around this a bit more. you can route from public to privte across the internet using source based routing. With in the IP packet you can set a router through which the packet must pass.

Source routing

gives a very brif over view.

or look "ip source-route" as a cisco command.

If there is a router that on one side has private addresses and the other side public, and a hacker knows the exact IP address of the device with a private address. he can specific in the packet that it must use router as a hop. once the packet reaches this router it will be forwarded to the device as the router will be able to route bot to the private and the public addresses.

many organisations disable source based routing to prevent this kind of attack, how ever it seems looking at the ACL that had been set up they had failed to either disable it, or correctly block attempts.

I think i will play with source based routing a bit as it looks fun

m3zilla

@it_consultant, Static policy nat will allow your to NAT based on source/destination, or ports.

Devil, even if you use lssr, the ISP will still drop the packet if it's destined for a private IP. I would think most ISP also disable lsr. As you can imagine, it would wreck havoc on their network as I can simply go in and create routing loops everywhere by placing a next hop pointing back and forth between 2 routers.

DevilWAH

Actually many ISP (business grade services) do not block it as some business make proper use of the feature.

I think you will find things like split horizon and other measures will be put in place to prevent loops.

So yes while home ISP will stop these things, many business do not go through a standard ISP, We connect direct to he Internet backbone through a scientific infrastructure network. For us there is no "ISP".

PS I can tell you for a fact that at least 20 separate ISP around the world do not block this, as I have the packets logged to prove it

m3zilla

Learn something new everyday!

How would split horizon block this type of routing loop? When you're doing LSRR, you're not technically relying on EIGRP or routing protocols. You're instructing the router where the next hop is, so as long as it can get to the next hop, it's going to send it there, right?

networker050184

DevilWAH wrote: »

So yes while home ISP will stop these things, many business do not go through a standard ISP, We connect direct to he Internet backbone through a scientific infrastructure network. For us there is no "ISP".

The internet backbone is just a bunch of ISPs connected together. You can't get on the internet without hooking to an ISP or peering exchange which is basically just a bunch of ISPs connected in a single point.

As far as routing private addressed packets across the internet, you can't do it. There will be no route for the destination. Source based routing is not going to be supported across the internet.

So, if you are getting packets routed they are either going through a private connection or a tunnel of some sort.

DevilWAH

have you ever tried to hair ping a packet through a router?

try it in a lab..

you will find out of the box it does not work. You have to set up hair-pinning which is not as easy as it sounds. This is why you have to set up "Router on a stick" if you want to route between subnets on the same interface of a router, they do not like sending and reviving a packet on the same interface.

DevilWAH

networker050184 wrote: »

The internet backbone is just a bunch of ISPs connected together. You can't get on the internet without hooking to an ISP or peering exchange which is basically just a bunch of ISPs connected in a single point.

Well if you are the ISP is it still called an ISP to you ??

networker050184 wrote: »

As far as routing private addressed packets across the internet, you can't do it. There will be no route for the destination. Source based routing is not going to be supported across the internet.

124.193.167.1 (based in Beijing) connecting to 172.16.x.x.

pinging it back it goes through several known ISP's, and there is not tunnel or private connection available.
Sadly I don't have a packet capture on the external interface but I will have to get it set up tomorrow.

it_consultant

DevilWAH wrote: »

Well if you are the ISP is it still called an ISP to you ??

If a tree falls in the woods...we are now waxing philosophic.

networker050184

DevilWAH wrote: »

Well if you are the ISP is it still called an ISP to you ??

What else would you call it?

DevilWAH wrote: »

124.193.167.1 (based in Beijing) connecting to 172.16.x.x.

pinging it back it goes through several known ISP's, and there is not tunnel or private connection available.
Sadly I don't have a packet capture on the external interface but I will have to get it set up tomorrow.

The only way this works is to go through NAT or a tunnel. I'd assume the 124 address is hitting a public IP that is being NAT'ed to your private IP there somewhere. If there was private IP space being routed on the internet how would they know who to route it to? Everyone uses the same private space so there would be no way to differentiate. How would my 10 space know to route to me and not the guy next doors 10 space?

DevilWAH

networker050184 wrote: »

The only way this works is to go through NAT or a tunnel. I'd assume the 124 address is hitting a public IP that is being NAT'ed to your private IP there somewhere. If there was private IP space being routed on the internet how would they know who to route it to? Everyone uses the same private space so there would be no way to differentiate. How would my 10 space know to route to me and not the guy next doors 10 space?

No the 124 address is not Natted. logs on the 172.16.x.x device show log on attempts from the 124.193 address. There is no Natting set up any where on the network. And i mean none, with 1/4 of a class B network of public to play with there is no need for natting.

Trace route shows a chineese ISP, a german ISP and then our network.

our network is a direct connection to the internet backbone, and the policy is that every thing is allowed by default. So as far as from me to the backbone of ISP's things like source based routing are allowed.

it_consultant

I think our confusion comes from the fact that in order for a private IP address to function on the larger internet, it must be NAT'd. When you say that it isn't NAT'd and you present a private IP address, our little logic calculators go into an infinite loop and our brains may explode.

DevilWAH

I have to say in the many organisation I have worked for only 2 have used public IP addresses for all internal hosts, and both have been science organisation.

I would also note that this is not a good set up what we have. in my mind private addresses should be kept distance from the network edge and rules should be in place to prevent them getting to or from the out side.

My defense is that this is some one else's set up and has so many error and rubbish thrown in that it would make any half decent engineer cringe. Another fine example is they had set up complex SNMP ro and rw strings, but had not bothered removing the default of public and privet!!! and then allowed SNMP access from the internet!!!

networker050184

So wait, you are saying you see packets with private sources hitting your public addresses or are public addresses hitting your private addresses?

If you are seeing private sourced addresses hit your public devices this is usually due to spoofed source addresses.

If you see public sources hitting your private addresses then the only way this happens is a tunnel, a private connection, NAT or spoofed sources on your own network. Private addresses are simply not routed on the internet.

DevilWAH

public coming in to a private.

No tunnel, no Nat and No private connection. And are picked up hitting the external interface of the router so no they are not spoofed from inside.

I am going to capture some of these packets, and get back to you. but these are packets hitting the external Interface of the router with a public ip going to private

I have an ACL set up on the external interface incoming, set up as

deny host 124.193.167.1 172.16.0.0 0.0.255.255 log

which is logging packets.
there are no tunnels or any thing else set up on the router no ipsec tunnels or nat.

it_consultant

He said he is saying that there are logon attempts from a public address to a private computer. There must be a tunnel or a NAT rule set up for that to happen. I see this on terminal server logs, maybe 100 attempts from a bot network or something.

and failed log in attempts on the device its self from the 82.12.125.45.

networker050184

Its simply impossible for a packet of this type to route across the internet without being tunneled.

it_consultant

Right, NAT is happening somewhere. The devices which are probing the terminal server are using a public IP and the router/firewall is translating them to private, the logs will indicate a connection from a public to a private seemingly without a translation, but it is happening. I have spent many hours troubleshooting Citrix and TS farms.

In fact, the probe is probably attempting the public on 3389, public on 8080, public on 443, public on 80, in order to find a NAT rule which will work. I used to probe firewalls like this using online tools when my client was unable to answer questions for some reason or another.

DevilWAH

Penetration Testing: Re: source routing

The main security problem with LSR is that several IP stacks will reverse a source route when responding to a source routed packet. This means that it would be trivial for an attacker to spoof a packet as coming from a trusted IP address that just so happens to be source routed through an IP address that the attacker can sniff on. The unsuspecting victim would then send return traffic to the spoofed source, but LSR it through the attacker. The attacker can carry on whole TCP sessions in this way without worrying about attacking weaknesses in TCP sequence numbers or lost packets.

networker050184

Right, but this is something that has to be set up. It doesn't just work automatically.