
IP spoofing and automatic blocking



Author: TonyLawrence
Date: Sun Mar 20 22:04:07 2005
Subject: IP spoofing and automatic blocking

A recent newsgroup thread started out with someone asking what he could do about brute force ssh login attempts. The thread attracted a lot of good suggestions, but one statement bothered me. Someone had suggested automatically blocking the IPs of people with too many failed logins. I think that makes perfect sense, but someone else said

"Blocking IPs because of failed logins is a nice way of introducing DOS attacks against yourself. What if someone spoofs the IP?"

Well? What if they do? The fear here is that innocent IPs would be locked out, perhaps even many thousands of them, or, given enough time, even the entire Internet.

But there's something wrong here right off the bat. Let's remember something often forgotten about a spoofed IP: the sender never sees any of your responses.

So, for this to make sense, our hacker has to first come in with a real IP address and fail to log in the magic number of times. He then notices that he's been blocked and, out of revenge, decides to spoof IPs.

What happens next? Well, he may get nowhere, because many routers won't accept packets whose source IPs arrive on interfaces they shouldn't be coming from. So, for example, if he arrived at my router pretending to have an address internal to my LAN, the router would just discard his packets. But if he can do this with public IPs, yes, he can send spoofed packets. What he can't easily do is fail a login with a spoofed IP, so those IPs are probably never going to get blocked. The reason he can't easily do this is that he's never going to see responses - his IP is spoofed, remember? So he has to blindly send logins and passwords, and since many ssh daemons have time limits in place for multiple login attempts (see MaxStartups at Security Paranoia - restricting ssh access), he has to know or guess what those are too!

As most of this type of attack is automated, or carried out by completely autonomous worms, I think we can pretty much discount the revenge factor. It's extremely unlikely.

More likely is someone deciding to DOS you deliberately. Perhaps they want to use your IP as part of screwing with someone else (see Spoofing), or maybe they have some personal reason to ruin your day. If they are aware that you automatically block IPs after failed logins, then yes, they could theoretically cause you to block some innocent IPs. That's why you should reset any automatically blocked IPs after some period of time.

But if someone is out to get you with a DOS attack, they have plenty of other ways to proceed. This would just be one possibility, and if that's their intent, your server is probably tied up six ways from Sunday anyway and nobody is going to be able to get to you.

Blocking IPs after failed logins makes sense - that's why sshd can do it. You do have to understand that it is imperfect and make it temporary (as sshd will with MaxStartups). But I do not agree that this invites DOS attacks. I could be wrong, of course, so if you feel otherwise, I'd be interested to hear your reasons.
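The temporary blocking the post argues for, as an added example that is not from the original post: count failed logins per source IP inside a time window, block after a threshold, and reset the block after a fixed period so no block, mistaken or induced, is permanent. The log lines, addresses and timestamps are constructed for the example, and the threshold and timing values are assumed, not sshd's own settings.

```python
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

SAMPLE_LOG = [  # constructed sshd-style lines with made-up addresses and times
    (100, "Failed password for root from 203.0.113.5 port 4022 ssh2"),
    (110, "Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2"),
    (120, "Failed password for root from 203.0.113.5 port 4024 ssh2"),
    (125, "Failed password for root from 198.51.100.7 port 5100 ssh2"),
    (130, "Failed password for root from 203.0.113.5 port 4025 ssh2"),
    (140, "Failed password for root from 203.0.113.5 port 4026 ssh2"),
    (150, "Accepted publickey for tony from 198.51.100.7 port 5101 ssh2"),
]
class AutoBlocker:
    """Block an IP after `threshold` failures inside `window` seconds and lift
    the block after `ban_seconds`, so it can never be permanent (assumed values)."""
    def __init__(self, threshold=5, window=600, ban_seconds=3600):
        self.threshold, self.window, self.ban_seconds = threshold, window, ban_seconds
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned = {}                   # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.banned.pop(ip, None)          # expired (or never set): reset it
        return False

    def observe(self, now, line):
        """Feed one log line; return the IP if this line triggers a block."""
        m = FAILED_RE.search(line)
        if not m:                          # not a failed login: nothing to count
            return None
        ip = m.group(1)
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.threshold and not self.is_blocked(ip, now):
            self.banned[ip] = now + self.ban_seconds
            self.failures[ip] = []         # start counting afresh after the block
            return ip
        return None

def replay(log, blocker=None):
    blocker = blocker or AutoBlocker()
    events = [(t, ip) for t, line in log if (ip := blocker.observe(t, line))]
    return blocker, events
```

Running `replay(SAMPLE_LOG)` blocks 203.0.113.5 at its fifth failure and leaves 198.51.100.7 alone; an hour later `is_blocked` reports the first address as free again.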
