NDIS - Is it an Internet Packet?

Hi all,

I have developed an NDIS IM driver for my firewall. When I get a packet, I want to know whether it is from the Internet or from the local network (connected via DSL router included). How can I solve this problem? I need this to protect from hijacking. Example: we receive a packet from 172.16.2.4. This is an RFC private IP. I want to block it when it's from the Internet.

Please help me, snippets are welcome.

Regards,
Bruce Raynold


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Hi Bruce

I think what you should do is to check the Ethernet header. At offset 12
of this structure, you would find a protocol ID, the value of which would be
0x0800 (network order) if it's an IP packet. You can look up the whole list
of protocol IDs which is of interest to you in the RFCs... I forgot which
one :(

Is this your problem or something else?

regards
Arijit


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@fht-esslingen.de
To unsubscribe send a blank email to xxxxx@lists.osr.com


Arijit Bhattacharyya
Heidjerhof 3,
Room Number 154,
30625 Hannover,
Germany.
Phone number:+49-0511-1325993, +49-0176-24051109

E-mail:xxxxx@fht-esslingen.de
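As an added illustration of the EtherType check above (example code written for this page, not from any poster; the frame bytes are constructed and the MAC addresses in them are arbitrary), here is plain user-mode C that parses an Ethernet II frame, dispatches on the EtherType at offset 12, extracts the IPv4 source and destination, and classifies the source against the RFC 1918 ranges Bruce mentions. It also handles one 802.1Q VLAN tag, which shifts the IP header by four bytes, and rejects truncated frames rather than reading past the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100   /* 802.1Q tag: 4 extra bytes before the payload */
#define IPV4_MIN_HDR   20

/* Big-endian (network order) reads; the wire format does not depend on host endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Extract IPv4 source/destination (host order) from an Ethernet II frame.
 * Returns 1 on success, 0 if the frame is not IPv4 or is too short. */
int frame_ipv4_addrs(const uint8_t *frame, size_t len, uint32_t *src, uint32_t *dst)
{
    size_t off = ETH_HDR_LEN;
    if (len < off) return 0;
    uint16_t etype = rd16(frame + 12);          /* offset 12: EtherType */
    if (etype == ETHERTYPE_VLAN) {
        if (len < off + 4) return 0;
        etype = rd16(frame + 16);               /* real EtherType follows the tag */
        off += 4;
    }
    if (etype != ETHERTYPE_IPV4) return 0;
    if (len < off + IPV4_MIN_HDR) return 0;
    if ((frame[off] >> 4) != 4) return 0;       /* version nibble must be 4 */
    size_t ihl = (size_t)(frame[off] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || len < off + ihl) return 0;
    *src = rd32(frame + off + 12);
    *dst = rd32(frame + off + 16);
    return 1;
}

/* RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16. */
int ipv4_is_rfc1918(uint32_t a)
{
    return (a & 0xff000000u) == 0x0a000000u ||
           (a & 0xfff00000u) == 0xac100000u ||
           (a & 0xffff0000u) == 0xc0a80000u;
}

/* -1: not IPv4, 0: public source, 1: RFC 1918 source. */
int frame_src_is_private(const uint8_t *frame, size_t len)
{
    uint32_t src, dst;
    if (!frame_ipv4_addrs(frame, len, &src, &dst)) return -1;
    return ipv4_is_rfc1918(src);
}

/* Constructed sample: TCP/IPv4 from 172.16.2.4 to 192.168.1.10 (MACs arbitrary). */
const uint8_t SAMPLE_IPV4_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xac,0x10,0x02,0x04,            /* src 172.16.2.4 */
    0xc0,0xa8,0x01,0x0a             /* dst 192.168.1.10; remaining 20 zero bytes stand in for TCP */
};
/* Constructed sample: same MACs, but EtherType 0x0806 (ARP) instead of IPv4. */
const uint8_t SAMPLE_ARP_FRAME[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01
};

int main(void)
{
    uint32_t s, d;
    if (frame_ipv4_addrs(SAMPLE_IPV4_FRAME, sizeof SAMPLE_IPV4_FRAME, &s, &d))
        printf("IPv4 %u.%u.%u.%u -> %u.%u.%u.%u, private source: %s\n",
               s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255,
               d >> 24, (d >> 16) & 255, (d >> 8) & 255, d & 255,
               ipv4_is_rfc1918(s) ? "yes" : "no");
    printf("ARP frame classified as %d\n",
           frame_src_is_private(SAMPLE_ARP_FRAME, sizeof SAMPLE_ARP_FRAME));
    return 0;
}
```

Inside an NDIS intermediate driver the first 34 bytes of a received packet can be split across more than one buffer of the packet's buffer chain, so copy the header into a contiguous scratch area before running a check like this. Note also that this only answers "is the source address private?", which is not the same as "did the frame come from the Internet?"; the rest of the thread is about that gap.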

You need to look at the From address. Once a packet travels onto your
net, you have no way of identifying whether it came through your router
or was locally generated. However, it’s worse. If your router is doing
NAT, it will have translated the from address to its own address on the
local net.

If your router is not doing NAT, and your machine has two IP addresses:
one on the local net and one on the outside net, then you can detect a
spoofed packet because it will have a routable from address and a
non-routable to address.


What I develop is a personal firewall. And I want to
split access into local and Internet, like
ZoneAlarm, so how does ZA solve this? Example: when I
allow all incoming packets from Localnet for the app
Generic Host Process and deny all from the Internet, how
can I detect Internet packets? If there is no way, the
firewall is not secure!?!? :(

If I compare the source IP, spoofing of local packets from
the Internet is possible.


One scenario is when I block all incoming packets
from the Internet to protect ports 135 and 445. Local packets
are allowed. If an arbitrary attacker spoofs the IP source
as a local IP, he can send exploits to these ports.

So at first I had a solution: block packets on
Medium = NdisWan. But if I have a DSL router, the
Internet packets come from the local Ethernet. Does
anybody have a solution to detect Internet packets?
Or is there no need to filter when I have a DSL
router?

What do other firewalls do?


Bruce Raynold wrote:

> [...] how does ZA solve this? [...] how can I detect Internet packets? If there is no way, the firewall is not secure!?!?
>
> If I compare the source IP, spoofing of local packets from the Internet is possible.

  1. You have to understand how IP and the protocols above it operate (i.e. what
     a network and a subnet are, how they are defined, etc.)
  2. You must understand how firewalls work (and I mean FIREWALLS, not ZA)
  3. Take a look at the GetAdaptersInfo() function...


Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live.
— Peter Cochrane



Bruce Raynold wrote:

> [...] how does ZA solve this? [...] how can I detect Internet packets? If there is no way, the firewall is not secure!?!?

ZoneAlarm and most (all?) other firewalls do this by exploiting the fact
that they usually have more than one network adapter. One network
adapter is designated Localnet and one is designated Internet, so you
then know the source of the frame based on which network adapter it
comes from. If you only have a single network adapter you cannot make
this designation, making it impossible to detect spoofing 100% reliably.

Mike

Bruce,

I think if anyone here knows exactly how for instance ZoneAlarm works, they
wouldn’t be able to tell you because they would be bound by non-disclosure
agreements etc.

But the comment from Benson, I can expand a bit on:

If you have a router that supports NAT, the packet will be re-addressed by
the router so that it looks like an internal one from your network. So a
packet is sent from the outside by 146.192.32.11:4612 to your 160.9.9.3:80
via the 160.9.9.1 router. The packet will then be given a unique port
number and an internal IP address to match the local network: so the sender
will look like 160.9.9.42:36721. There’s obviously no way you can tell that
this packet came from anywhere outside your local network, unless your
software is inside the router.

So, as others stated, the easy solution for making a firewall is to have
separate network connections (internal network and outside network), where
the connection to the outside is viewed with high suspicion, and the
internal one is a less strict rule of what’s allowed and not. You probably
still want to check for suspicious activity on the internal network
(unusually large packets sent to identified ports, for instance), just in
case someone decides to run “Bombs’r’us” software on their machine…

You don’t necessarily have to have two network cards as such, you may well
have a situation where the external port is a USB ADSL or Cable modem, and
the internal network is 100Mb/s ethernet.


Mats


I don’t think that NAT or any router changes the packet’s source address
if it is coming from outside. There is no need to change the source
address of a packet which is coming to a NAT router from outside. NAT
routers only change the source address of packets which are sent via
the NAT router to the outside network.

Though it may not be able to prevent all spoofing cases, a way I can
think of is to use the subnet mask allocated to the NIC which receives the
packet and the source IP address of the received packet to see if the packet
came from the local network or from outside.

Thanks
Pankaj


You cannot do this on a desktop, only on the router.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


> allow all incoming packets from Localnet for the app
> Generic Host Process and deny all from internet, how
> can I detect Internet packets?

By source IP address. If the source IP address belongs to the local network -
then it is local. All other addresses are Internet ones.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
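Putting the source-address rule that Benson, Pankaj and Maxim describe into code, as an added example that is not from any of the posters: the receiving adapter's address and mask (in practice obtained from GetAdaptersInfo() in user mode or from the driver's configuration; here hard-coded, constructed values) decide whether a source is on the local subnet, and for a dual-homed machine without NAT in front, a packet arriving on the outside adapter with an on-subnet or RFC 1918 source, or a private destination, is flagged as spoofed (Benson's routable-from/non-routable-to rule). The single-adapter function deliberately has no spoof case: a forged source chosen inside the subnet passes it, which is the limitation Maxim states.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum origin { ORIGIN_LOCAL = 0, ORIGIN_INTERNET = 1, ORIGIN_SPOOFED = 2 };

struct adapter {
    uint32_t addr;   /* adapter's own IPv4 address, host order */
    uint32_t mask;   /* its subnet mask, host order */
};

/* RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16. */
int ipv4_is_rfc1918(uint32_t a)
{
    return (a & 0xff000000u) == 0x0a000000u ||
           (a & 0xfff00000u) == 0xac100000u ||
           (a & 0xffff0000u) == 0xc0a80000u;
}

int on_subnet(const struct adapter *nic, uint32_t a)
{
    return (a & nic->mask) == (nic->addr & nic->mask);
}

/* One adapter behind a DSL/NAT router (Bruce's setup).  The only available
 * signal is the source address, so a forged on-subnet source is accepted
 * as local: nothing on this machine can tell it from a genuine neighbour. */
enum origin classify_single(const struct adapter *lan, uint32_t src)
{
    return on_subnet(lan, src) ? ORIGIN_LOCAL : ORIGIN_INTERNET;
}

/* Two adapters, no NAT in front (Benson's case).  `lan` is the inside
 * adapter; `arrived_on_wan` says which adapter delivered the packet.
 * Assumptions: the outside adapter holds a public address, so a private
 * destination seen there cannot be legitimate, and there is a single
 * inside subnet (no internal routers). */
enum origin classify_dual(const struct adapter *lan, int arrived_on_wan,
                          uint32_t src, uint32_t dst)
{
    if (arrived_on_wan) {
        if (on_subnet(lan, src) || ipv4_is_rfc1918(src))
            return ORIGIN_SPOOFED;   /* outside packet claiming an inside source */
        if (ipv4_is_rfc1918(dst))
            return ORIGIN_SPOOFED;   /* routable source aimed at a non-routable destination */
        return ORIGIN_INTERNET;
    }
    /* Inside adapter: anything not on our subnet should not be arriving here. */
    return on_subnet(lan, src) ? ORIGIN_LOCAL : ORIGIN_SPOOFED;
}

static const char *origin_name(enum origin o)
{
    return o == ORIGIN_LOCAL ? "local" : o == ORIGIN_INTERNET ? "internet" : "spoofed";
}

int main(void)
{
    struct adapter lan = { IP4(172, 16, 2, 10), IP4(255, 255, 255, 0) };  /* constructed */
    uint32_t neighbour = IP4(172, 16, 2, 4);      /* Bruce's example source */
    uint32_t outside   = IP4(146, 192, 32, 11);   /* Mats's example source */

    printf("single NIC, src 172.16.2.4:               %s\n",
           origin_name(classify_single(&lan, neighbour)));
    printf("single NIC, src 146.192.32.11:            %s\n",
           origin_name(classify_single(&lan, outside)));
    printf("WAN NIC, src 172.16.2.4:                  %s\n",
           origin_name(classify_dual(&lan, 1, neighbour, IP4(203, 0, 113, 5))));
    printf("WAN NIC, src 146.192.32.11 -> 172.16.2.10: %s\n",
           origin_name(classify_dual(&lan, 1, outside, lan.addr)));
    return 0;
}
```

The two functions make the thread's conclusion concrete: the dual-homed classifier has an input (which adapter delivered the packet) that the single-adapter one lacks, and that input is exactly what a single NIC behind a router cannot provide.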

> are allowed. If an arbitary attacker spoof ip source
> as local ip he can send exploits to these ports.

Yes, and no firewall can protect from this.

> anybody have an solution to detect internet packets?

No such solutions for a case of spoofing, sorry. You must rely on router’s
NAT/firewall security to detect this. No measures on local machine can help.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> I think if anyone here knows exactly how for instance ZoneAlarm works, they
> wouldn’t be able to tell you because they would be bound by non-disclosure
> agreements etc.

All such things can be derived from TCP and IP packet header layout, which was
not invented by ZoneAlarm.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks to all,

Connected via router:

The user has to configure the router's firewall.

Connected via DSL, modem, ISDN and more...

Inspect whether the packet comes from the Internet
adapter which the user has selected.
Another way: I can compare Medium == NdisMediumWan in the
NDIS IM driver; if it's true, it's an Internet packet,
otherwise it's localnet.

Summary:
Way 1: Local adapter: localnet
Internet adapter: inet
Way 2: Medium == NdisMediumWan: inet
otherwise: localnet
Router: No way to determine if it's inet or localnet
(No need for a personal firewall; DLL injection
protection etc. only)

All right?

Thanks,
Bruce Raynold



> > anybody have an solution to detect internet packets?
>
> No such solutions for a case of spoofing, sorry. You must rely on router’s
> NAT/firewall security to detect this. No measures on local machine can
> help.

What about looking at the source MAC address? Should be the router’s for all
packets coming from the internet?

A
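Andreas's MAC idea carried through, as an added example that is not from the thread: every frame that crossed the router arrives with the router's MAC as its Ethernet source, and (as Pankaj points out) NAT leaves the inbound IP source address untouched, so the normal router-delivered frame looks like "gateway MAC + outside IP". A frame with the gateway's MAC but an IPv4 source inside the local subnet is inconsistent, since the router has no business forwarding our own subnet back at us, and can be treated as spoofed. The gateway MAC, adapter address and frame bytes below are constructed. Caveat, also in the comments: a host on the same segment can forge the MAC as easily as the IP, so this only catches spoofing from beyond the router, and it assumes a single untagged Ethernet adapter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_NOT_IPV4 = -1, V_LOCAL = 0, V_INTERNET = 1, V_SPOOFED = 2 };

struct lan_cfg {
    uint8_t  gw_mac[6];   /* router's MAC as learned from ARP (constructed here) */
    uint32_t addr;        /* our adapter address, host order */
    uint32_t mask;        /* our subnet mask, host order */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Cross-check the Ethernet source MAC against the IPv4 source address.
 * Untagged Ethernet II only: EtherType at 12, IPv4 header at 14, source at 26. */
enum verdict check_frame(const struct lan_cfg *cfg, const uint8_t *f, size_t len)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4)
        return V_NOT_IPV4;
    uint32_t src = rd32(f + 26);
    int from_gateway  = memcmp(f + 6, cfg->gw_mac, 6) == 0;
    int src_on_subnet = (src & cfg->mask) == (cfg->addr & cfg->mask);

    if (from_gateway && src_on_subnet)
        return V_SPOOFED;      /* router delivered a packet claiming to be from our own subnet */
    if (from_gateway)
        return V_INTERNET;     /* normal inbound: NAT leaves the outside source address as-is */
    if (src_on_subnet)
        return V_LOCAL;        /* neighbour on the segment; a neighbour forging MAC+IP still passes */
    return V_INTERNET;         /* off-subnet source from a non-gateway MAC: treat as outside */
}

/* Build a minimal 54-byte TCP/IPv4 frame into `out` (constructed test data). */
size_t build_frame(uint8_t *out, const uint8_t src_mac[6], uint16_t etype,
                   uint32_t src_ip, uint32_t dst_ip)
{
    static const uint8_t our_mac[6] = { 0x00, 0x1b, 0x21, 0x0a, 0x0b, 0x0c };
    memset(out, 0, 54);
    memcpy(out, our_mac, 6);
    memcpy(out + 6, src_mac, 6);
    out[12] = (uint8_t)(etype >> 8); out[13] = (uint8_t)etype;
    out[14] = 0x45;  out[17] = 40;   /* version/IHL, total length */
    out[22] = 64;    out[23] = 6;    /* TTL, protocol TCP */
    wr32(out + 26, src_ip);
    wr32(out + 30, dst_ip);
    return 54;
}

const struct lan_cfg SAMPLE_LAN = {
    { 0x00, 0x50, 0x56, 0xc0, 0x00, 0x01 },   /* gateway MAC, constructed */
    0xac10020au,                              /* 172.16.2.10 */
    0xffffff00u                               /* /24 */
};
const uint8_t OTHER_HOST_MAC[6] = { 0x00, 0x1c, 0x42, 0x12, 0x34, 0x56 };

int main(void)
{
    uint8_t f[54];
    size_t n = build_frame(f, SAMPLE_LAN.gw_mac, 0x0800, 0xac100204u, SAMPLE_LAN.addr);
    printf("gateway MAC + 172.16.2.4:    verdict %d\n", check_frame(&SAMPLE_LAN, f, n));
    n = build_frame(f, SAMPLE_LAN.gw_mac, 0x0800, 0x92c0200bu, SAMPLE_LAN.addr);
    printf("gateway MAC + 146.192.32.11: verdict %d\n", check_frame(&SAMPLE_LAN, f, n));
    n = build_frame(f, OTHER_HOST_MAC, 0x0800, 0xac100204u, SAMPLE_LAN.addr);
    printf("host MAC + 172.16.2.4:       verdict %d\n", check_frame(&SAMPLE_LAN, f, n));
    return 0;
}
```

The check is a heuristic, not a proof: it adds a second signal (link-layer source) to the IP source, which defeats the specific attack Bruce worries about (an Internet host forging a LAN address, which must arrive via the router) while still leaving a LAN neighbour free to forge both.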

thanks,

I will put it together with adapter selection.

It will be a great firewall!
