IP spoofing and automatic blocking
Sun Mar 20 22:04:07 2005
A recent newsgroup thread started out with someone asking what he could do about brute force ssh login attempts. The thread attracted a lot of good suggestions, but one statement bothered me. Someone had suggested automatically blocking the IPs of people with too many failed logins. I think that makes perfect sense, but someone else said
"Blocking IPs because of failed logins is a nice way of introducing DOS attacks against yourself. What if someone spoofs the IP?"
Well? What if they do? The fear here is that innocent IPs would be locked out, perhaps many thousands of them, or, given enough time, the entire internet.
But there's something wrong with that right off the bat. Let's remember something often forgotten about a spoofed IP: the sender never sees any of your responses. Because ssh runs over TCP, that matters a great deal. A sender who never sees your SYN-ACK cannot complete the three-way handshake (short of guessing your initial sequence number), and a sender who never sees the server's half of the key exchange cannot get as far as a password prompt at all.
So, for this to make sense, our attacker has to first come in with a real IP address and fail to log in the magic number of times. He then notices that he's been blocked and vengefully decides to spoof IPs.
What happens next? Well, he may get nowhere, because many routers won't accept packets whose source address has no business arriving on the interface it came in on (ingress filtering, the practice recommended in RFC 2827, also known as BCP 38). So, for example, if he arrives at my router pretending to have an address internal to my LAN, the router simply discards the packet. If he spoofs a public address the router has no reason to reject, yes, the packets get through. But he can't fail a login from a spoofed IP, so a spoofed address is never going to get blocked. The reason is the one above: he never sees the responses, so he cannot complete the TCP handshake, let alone the ssh key exchange that comes before any password is ever sent. He never gets to send a login at all, blindly or otherwise. Note also that sshd itself limits how many unauthenticated connections it will hold open at once, and for how long (MaxStartups and LoginGraceTime; see Security Paranoia - restricting ssh access), so even a flood of real, unspoofed half-finished connections runs into a ceiling. Those settings do not block addresses, though; that job belongs to whatever is watching the logs.
As most of this type of attack is automated, or comes from completely autonomous worms, I think we can pretty much discount the revenge factor. It's extremely unlikely.
More likely is someone deciding to DOS you deliberately. Perhaps they want to use your IP as part of screwing with someone else (see Spoofing), or maybe they have some personal reason to ruin your day. If they know that you automatically block addresses with failed logins, then yes, they could get some addresses blocked, but only addresses they actually control or sit behind, since each block needs a real failed login. The innocent parties are whoever shares those addresses with them: everyone behind the same NAT gateway or proxy, for example. That's why you should expire any automatically blocked IPs after some period of time, and why the addresses you administer from should never be eligible for blocking in the first place.
But if someone is out to get you with a DOS attack, they have plenty of other ways to proceed. This would be just one possibility, and if that's their intent, your server is probably tied up six ways from Sunday anyway and nobody is going to be able to get to you.
Blocking IPs from failed logins makes sense, which is why so many tools do it, and why sshd hands you the raw material for it in the log: one line per failed authentication, with the source address in it. You do have to understand that it is imperfect. Make the blocks temporary; trigger only on an actual failed authentication, never on a bare connection attempt (an unanswered SYN is the most a spoofed packet can ever produce, and sshd never even sees that; a wrong password proves a completed connection); and keep an allow list for the addresses you log in from yourself. But I do not agree that this invites DOS attacks. I could be wrong, of course, so if you feel otherwise, I'd be interested to hear your reasons.
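As an added example (my own illustration for this page, not code from the article or from any particular blocking tool), here is the core logic such a blocker needs: it counts only genuine "Failed password" lines from sshd, ignores everything that does not prove both a completed connection and a wrong credential, keeps an allow list for the administrator's own network, and expires every ban. The sample log lines, the year used to complete syslog's yearless timestamps, the thresholds and the 192.0.2.0/24 allow list are all constructed assumptions, and the iptables commands are generated as strings rather than executed so the script runs anywhere.

```python
"""Temporary, failure-based blocking of ssh brute forcers (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the style of OpenSSH's auth log; documentation
# address ranges only. 203.0.113.7 fails three times, then comes back after
# its ban has expired; 192.0.2.10 is the admin's own host (on the allow
# list) fat-fingering a password; 198.51.100.4 mostly just connects and
# hangs up, which is not an authentication failure and must not count.
SAMPLE_LOG = """\
Mar 20 22:01:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar 20 22:01:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 20 22:01:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 20 22:01:06 host sshd[1004]: Accepted publickey for tony from 192.0.2.10 port 50000 ssh2
Mar 20 22:01:08 host sshd[1005]: Failed password for tony from 192.0.2.10 port 50001 ssh2
Mar 20 22:01:09 host sshd[1006]: Failed password for tony from 192.0.2.10 port 50002 ssh2
Mar 20 22:01:10 host sshd[1007]: Failed password for tony from 192.0.2.10 port 50003 ssh2
Mar 20 22:01:11 host sshd[1008]: Failed password for invalid user oracle from 198.51.100.4 port 33001 ssh2
Mar 20 22:01:12 host sshd[1009]: Did not receive identification string from 198.51.100.4
Mar 20 22:01:13 host sshd[1010]: Did not receive identification string from 198.51.100.4
Mar 20 22:01:14 host sshd[1011]: Did not receive identification string from 198.51.100.4
Mar 20 22:31:07 host sshd[1012]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
"""

# Only a real credential failure matches. Accepted logins, "Did not receive
# identification string", resets and the like are deliberately left out.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failure(line, year):
    """Return (timestamp, ip) for a 'Failed password' line, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = FAILED_RE.match(line.rstrip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, ip_address(m["ip"])


class BanTable:
    """Sliding-window failure counter with temporary bans and an allow list."""

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 ban_for=timedelta(minutes=30), allow=()):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.allow = [ip_network(n) for n in allow]   # never banned
        self.failures = defaultdict(deque)            # ip -> recent failures
        self.bans = {}                                # ip -> expiry time
        self.history = []                             # (time, action, ip)

    def is_allowed(self, ip):
        return any(ip in net for net in self.allow)

    def expire(self, now):
        """Lift every ban whose time is up (the 'make it temporary' rule)."""
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]
            self.history.append((now, "unban", ip))

    def record_failure(self, when, ip):
        """Count one failure; return True if this one triggered a ban."""
        self.expire(when)
        if self.is_allowed(ip) or ip in self.bans:
            return False
        q = self.failures[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) < self.threshold:
            return False
        self.bans[ip] = when + self.ban_for
        q.clear()                                # start fresh after the ban lifts
        self.history.append((when, "ban", ip))
        return True

    def active(self):
        return {str(ip) for ip in self.bans}

    def iptables(self, action="-I"):
        """Rules for the current bans; '-I' to add, '-D' to remove."""
        return [f"iptables {action} INPUT -s {ip} -p tcp --dport 22 -j DROP"
                for ip in sorted(self.bans, key=str)]


def scan(log_text, year=2005, **table_opts):
    """Replay a log through a fresh BanTable and return it."""
    table = BanTable(**table_opts)
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed:
            table.record_failure(*parsed)
    return table


if __name__ == "__main__":
    t = scan(SAMPLE_LOG, allow=["192.0.2.0/24"])
    for when, action, ip in t.history:
        print(when.isoformat(sep=" "), action, ip)
    print("rules for addresses banned at end of log:", t.iptables() or "none")
```

Replaying the sample bans 203.0.113.7 at 22:01:05 and lifts the ban thirty minutes later, so its next failure at 22:31:07 starts a fresh count instead of extending the lockout; the admin host never enters the table because of the allow list, and the three "Did not receive identification string" lines never match. Run the same log without the allow list and 192.0.2.10 gets banned too, which is exactly the self-inflicted lockout the allow list exists to prevent.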
More Articles by Tony Lawrence