Spoofing the SPA Packet Source Address

The SPA protocol supports spoofed source IP addresses. This is a consequence of two factors: the ability of the fwknop server to acquire the real source address from within the SPA packet payload, and the fact that SPA packets are sent over UDP with no expectation of return traffic.

fwknop uses the Perl Net::RawIP module to send SPA packets via a raw socket, which allows you to set the source IP address to an arbitrary value from the fwknop client command line. (This requires root access.) In Figure 13-3, the spaclient system sends the SPA packet, but the source IP address in the IP header is crafted to make the packet appear to originate from the 207.132.X.X IP address. When fwknopd is running on the spaserver system, it sniffs the SPA packet off the wire, but it grants access to SSHD from the real fwknop client IP address 204.23.X.X instead of from the spoofed source IP address, 207.132.X.X.

[Figure 13-3 diagram: the fwknop SPA/SSH client spaclient (204.23.X.X) sends an SPA packet across the Internet with a spoofed source address of 207.132.X.X; the iptables firewall/fwknop SPA server spaserver (71.157.X.X) fronts the internal net, and the SSH connection is then permitted from the real client address.]

Figure 13-3: An SPA packet from a spoofed source address

Notice that the fwknop client command shown below has become more complicated. It must spoof the source IP address of the SPA packet (which requires running as root), yet build the encrypted payload using the fwknop_client key, which is owned by the mbr user and located in the /home/mbr/.gnupg directory.

[root@spaclient ~]# fwknop --Spoof-src 207.132.X.X -A tcp/22 --gpg-home-dir /home/mbr/.gnupg --Spoof-user mbr --gpg-recip "fwknop_server" --gpg-sign "fwknop_client" --quiet -R -k spaserver
GnuPG signing password:

The syslog messages below indicate that the fwknop server sniffed the SPA packet, that it originates from ➊ the spoofed source address 207.132.X.X, and that access is granted to ➋ the IP address contained within the encrypted packet, 204.23.X.X.

[root@spaserver ~]# tail /var/log/messages

Oct 18 23:31:37 spaserver fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "fwknop_client") from: ➊207.132.X.X, remote user: mbr

Oct 18 23:31:37 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for ➋204.23.X.X -> tcp/22 (30 seconds)
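The two syslog lines are all a server administrator needs to notice that a client is sending SPA packets from a spoofed source: the "from:" address in the "received valid" line is the IP header source, while the "rule for" address is the one carried inside the encrypted payload. The script below, an added example that is not from the book or from fwknop itself, pairs the two lines by timestamp and reports every mismatch. The log lines are constructed in the style of the excerpt, with documentation-range addresses in place of the masked ones.

```python
import re

# Constructed sample fwknopd syslog lines modelled on the excerpt above.
# First pair: header source (203.0.113.45) differs from payload source (198.51.100.23).
# Second pair: a normal, unspoofed SPA packet from 198.51.100.23.
SAMPLE_LOG = """\
Oct 18 23:31:37 spaserver fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "fwknop_client") from: 203.0.113.45, remote user: mbr
Oct 18 23:31:37 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for 198.51.100.23 -> tcp/22 (30 seconds)
Oct 18 23:40:02 spaserver fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "fwknop_client") from: 198.51.100.23, remote user: mbr
Oct 18 23:40:02 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for 198.51.100.23 -> tcp/22 (30 seconds)
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
IP = r"(\d+\.\d+\.\d+\.\d+)"
RECV_RE = re.compile(TS + r" \S+ fwknopd: received valid .* from: " + IP + r", remote user: (\S+)")
RULE_RE = re.compile(TS + r" \S+ fwknopd: adding \S+ ACCEPT rule for " + IP + r" -> (\S+)")


def find_spoofed_spa(log_text):
    """Pair each 'received valid' line with the following 'adding ... rule' line that
    carries the same timestamp, and report pairs whose IP-header source differs
    from the address the access rule was built for (the payload address)."""
    findings = []
    pending = None  # the most recent 'received valid' line awaiting its rule line
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            pending = {"ts": m.group(1), "header_src": m.group(2), "user": m.group(3)}
            continue
        m = RULE_RE.match(line)
        if m and pending and m.group(1) == pending["ts"]:
            payload_src, target = m.group(2), m.group(3)
            if payload_src != pending["header_src"]:
                findings.append({"ts": pending["ts"], "user": pending["user"],
                                 "header_src": pending["header_src"],
                                 "payload_src": payload_src, "target": target})
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_spoofed_spa(SAMPLE_LOG):
        print("spoofed-source SPA at %(ts)s: header %(header_src)s, "
              "rule built for %(payload_src)s (%(target)s, user %(user)s)" % f)
```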
