BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly
Piotr T Zbiegiel
peter at usestrict.org
Thu Jul 22 09:29:44 PDT 2004
Roy S. Rapoport wrote:
> We shouldn't overstate the case. Mark wrote a sweet piece of software, but
> in any real world implementation it's got some limitations especially when
> traversing networks.
>
> Mark's software requires the sender to be able to get UDP packets on the
> network of the recipient. There is one, and only one, case where you're
> practically guaranteed this will be allowed: When the recipient and sender
> are on the same network.
People probably never describe your ideas as devilish, fiendish, or
devious, do they? Personally, I see Mark's code more easily harnessed
as a call-back mechanism. Combine that with the log message
communication mechanism and you have 2-way communications! But what do
I know. While Mark's tool may not be "kiddie-ready", it does raise
interesting issues. Just because you or I or even Mark may not be able
to figure out all the logistics and problems with this mechanism doesn't
mean that someone else can't come along, see it all clearly, and create
one hell of an evil application, put it in a worm or rootkit, and let it rip.
>
> There are numerous ways one could (and in some cases should) block outbound
> packets generated by Mark's software:
> 1. A reasonable sysadmin must block outbound packets that are not actually
> coming from its own IP address space;
> 2. A reasonable sysadmin should, if they're concerned about security, do
> internal filtering to ensure people can't IP-spoof across internal
> networks;
Much of the world is not populated with reasonable sysadmins. Also,
let's talk about practical. Most network guys I know wouldn't burden
every single router they have with anti-spoofing ACLs for every segment
they have; they'd put anti-spoofing at the border routers only.
Furthermore, how hard is it to spoof packets from your internal IP
space? Let's see, internal IP space is 10/8; that's a lot of IPs you
could spoof. That would defeat your anti-spoofing ACLs on the border
routers.
> 3. A reasonable case can be made that one should not allow inbound/outbound
> UDP packets from desktop systems;
Tell that to the Veep who's breathing down your neck about random app
#235421 working at their house and not in the office. He needs that app
to work now, dammit! I can't tell you how many times security is
"overruled" in the name of convenience and functionality.
> 4. Most reasonably-locked-down proxy systems will make this problem go away
> (at my last work, the number of people who could go to the outside world
> without having to go through an authenticating proxy that ONLY did HTTP
> could be counted on the fingers of two hands after a bloody machine shop
> accident).
And what about the 99% of other businesses that don't use proxies for
outgoing internet access? Where is this crazy world where all the
sysadmins are reasonable and security minded and all access is locked
down without a laundry list of crazy apps like *azaa and IM? I wanna
move there, my job would be wonderful then!
The long and short of it is that the world is full of networks that
don't have all the right settings. It's great to use the terms
"reasonable" and "best-practice" but that's not how things always work.
There will always be a place for the wily hacker, cracker,
script-kiddie, worm, rootkit, etc. as long as there is an Internet.
Don't dismiss things as unworkable, you may be reading an article on it
in Phrack before you know it...
Later,
Peter
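The border-only versus per-segment anti-spoofing point raised above can be made concrete with a small simulation. This is an added example, not code from the thread or from Mark's tool; the 10/8 address plan, the segment prefixes and the three sample packets are all constructed for illustration. It shows why an ACL that only checks "source is somewhere in 10/8" at the border leaves a blind spot that a per-interface source check (the BCP 38 / RFC 2827 approach applied to internal segments) closes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed address plan for the example (not from the thread):
# the whole internal space is 10/8, carved into per-segment /16s.
ORG_SPACE = ipaddress.ip_network("10.0.0.0/8")
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "eng": ipaddress.ip_network("10.1.0.0/16"),
    "finance": ipaddress.ip_network("10.2.0.0/16"),
}


@dataclass(frozen=True)
class Packet:
    """A packet as seen on the router interface of the segment it came from."""
    ingress_segment: str  # which segment's router interface received it
    src: str              # claimed source address
    dst: str              # destination (outside the org for an egress test)


def border_only_filter(pkt: Packet) -> bool:
    """Anti-spoofing ACL applied only at the border: the source merely has
    to fall inside the organisation's aggregate. Any 10.x.x.x source passes,
    so a host on one segment spoofing another segment's addresses is not
    caught here."""
    return ipaddress.ip_address(pkt.src) in ORG_SPACE


def per_segment_filter(pkt: Packet) -> bool:
    """Ingress ACL on each segment's router interface: the source must
    belong to the prefix assigned to the interface the packet arrived on
    (the BCP 38 / RFC 2827 idea pushed down to every internal segment)."""
    return ipaddress.ip_address(pkt.src) in SEGMENTS[pkt.ingress_segment]


def evaluate(packets: List[Packet]) -> List[Tuple[str, bool, bool]]:
    """Return (src, passes_border_only, passes_per_segment) for each packet."""
    return [(p.src, border_only_filter(p), per_segment_filter(p)) for p in packets]


def blind_spot(packets: List[Packet]) -> List[str]:
    """Sources a border-only ACL lets through but a per-segment ACL drops."""
    return [src for src, border_ok, seg_ok in evaluate(packets)
            if border_ok and not seg_ok]


# Constructed traffic: one legitimate packet, one spoofing an external
# address, one spoofing an address from a *different* internal segment.
SAMPLE = [
    Packet("eng", "10.1.5.5", "198.51.100.10"),      # genuine eng host
    Packet("eng", "203.0.113.7", "198.51.100.10"),   # spoofed external source
    Packet("eng", "10.2.9.9", "198.51.100.10"),      # spoofed finance source
]


if __name__ == "__main__":
    for src, border_ok, seg_ok in evaluate(SAMPLE):
        print(f"{src:15} border-only: {'pass' if border_ok else 'DROP'}  "
              f"per-segment: {'pass' if seg_ok else 'DROP'}")
    print("border-only blind spot:", blind_spot(SAMPLE))
```

Running it shows the genuine packet passing both filters, the externally-spoofed packet dropped by both, and the packet claiming a finance address from the eng segment sailing through the border-only ACL while the per-segment ACL drops it. The practical cost the poster mentions is real (one ACL per interface rather than one per border), but the simulation makes clear what the cheaper option does not catch.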