Re: Router filtering not enough! (Was: Re: CERT advisory )

Jonathan M. Bresler (jmb@kryten.Atinc.COM)
Thu, 26 Jan 1995 20:48:26 -0500 (EST)

On Fri, 27 Jan 1995, Daniel O'Callaghan wrote:
> > > 	another method.  use the arp cache to check source ip addresses 
> > > against physical layer addresses, local net packets coming from the Net 
> > > router, rather than direct from the local machine should be dropped.  
> > > this is also sufficient to protect against the spoofing attack from the Net.
> > 
> > How hard would it be to modify tcpwrapper (for example) to check the incoming 
> > MAC address on a connection and to be worried if it came from a list of 
> > routers but the address was the local net?
> 
> Does the arp cache really reflect the MAC address of the arriving 
> packets, or does it only contain the responses to ARP requests?
> 
> If the latter, then consider:
> 
> Since this week it has been demonstrated that it is not necessary for a 
> reply packet to reach the spoofer, it is not necessary for a spoofing 
> machine to respond to arp requests.

	no response, no service.  furthermore, you can cache the arp data 
in a file on your local dns server.  (write a tiny perl script to sit 
around responding to requests, iteratively.  it can also notify you when 
the guy with a pc in the next office decides to start using the wrong ip 
number.  a common problem here, as we bring all the dussss and windoze 
users to the real world)

> Take it a step further... mount a denial of service attack against the 
> machine being spoofed, then forge its ethernet address on outbound 
> packets, and listen in promiscuous mode for the inbound.
> 
> Scary!
> 
> That said, the tcpwrapper MAC address mods have been on my do list for a 
> while.  It will add to your armour but will not be the be-all and end-all.
> 
> Danny
> 

Jonathan M. Bresler  jmb@kryten.atinc.com	| Analysis & Technology, Inc.  
						| 2341 Jeff Davis Hwy
play go.					| Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life	| 703-418-2800 x346
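The check discussed in this thread (drop packets whose source IP is on the local net but whose frame arrived from the Net router's MAC, and compare each source against a cached ARP table) written out as an added example. This is not code from the thread or from tcpwrapper; the network 192.0.2.0/24, the router MAC 00:00:5e:00:53:01, the cached ARP entries and the sample frames are all constructed for illustration (IANA documentation ranges). It goes a little beyond the thread in that it also flags a source IP with no cached ARP entry at all ("no response, no service") and a cached entry that disagrees with the frame's MAC (the neighbour-using-the-wrong-IP case), since both fall out of the same lookup.

```python
# Added example: per-frame source check using the link-layer source address
# and a cached ARP table, in the spirit of the thread's proposal.
# Assumptions (not from the original post): the local net is 192.0.2.0/24,
# the upstream router's MAC is 00:00:5e:00:53:01, and the cached ARP table
# and the sample frames below are constructed test data.
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")      # assumed local net
ROUTER_MACS = {"00:00:5e:00:53:01"}                    # assumed Net router MAC(s)
ARP_CACHE = {                                          # constructed cached ARP data
    "192.0.2.10": "00:00:5e:00:53:10",
    "192.0.2.11": "00:00:5e:00:53:11",
}


@dataclass(frozen=True)
class Frame:
    """The two fields the check needs from an arriving Ethernet/IP frame."""
    src_mac: str
    src_ip: str


def classify(frame, local_net=LOCAL_NET, router_macs=ROUTER_MACS,
             arp_cache=ARP_CACHE):
    """Return a verdict string for one frame.

    accept                      -- remote source, or local source whose MAC
                                   matches the cached ARP entry
    drop:local-ip-from-router   -- local-net source IP delivered by the router:
                                   the spoofing case the thread wants dropped
    drop:no-arp-entry           -- local IP nobody ever answered ARP for
    alert:mac-mismatch          -- local IP in use from an unexpected MAC
    """
    ip = ipaddress.ip_address(frame.src_ip)
    mac = frame.src_mac.lower()
    if ip not in local_net:
        # Remote sources are expected to come in via the router; nothing to
        # check at this layer.
        return "accept"
    if mac in {m.lower() for m in router_macs}:
        # A local address cannot legitimately arrive from the outside.
        return "drop:local-ip-from-router"
    cached = arp_cache.get(str(ip))
    if cached is None:
        # No ARP reply was ever cached for this IP: "no response, no service".
        return "drop:no-arp-entry"
    if cached.lower() != mac:
        # Someone on the wire is using an IP that belongs to another MAC.
        return "alert:mac-mismatch"
    return "accept"


def filter_frames(frames):
    """Classify a sequence of frames; returns [(frame, verdict), ...]."""
    return [(f, classify(f)) for f in frames]


# Constructed sample traffic exercising each branch.
SAMPLE_FRAMES = [
    Frame("00:00:5e:00:53:10", "192.0.2.10"),   # honest local host
    Frame("00:00:5e:00:53:01", "198.51.100.7"), # remote host via the router
    Frame("00:00:5e:00:53:01", "192.0.2.10"),   # local IP spoofed from outside
    Frame("00:00:5e:00:53:99", "192.0.2.10"),   # neighbour grabbed .10's IP
    Frame("00:00:5e:00:53:42", "192.0.2.42"),   # local IP with no ARP history
]

if __name__ == "__main__":
    for frame, verdict in filter_frames(SAMPLE_FRAMES):
        print(f"{frame.src_ip:>14} from {frame.src_mac}: {verdict}")
```

Two caveats the thread itself raises apply to this code. The frame's source MAC only identifies the last hop, so the check catches local addresses entering from the router but says nothing about a spoofer already on the same segment; and a host that is first knocked off the wire and then has its MAC forged will pass the ARP comparison, so the cached table is armour, not the be-all and end-all. The per-frame check also needs the link-layer source address of the arriving packet, which an ordinary ARP cache does not record; that is what makes it a filter or tcpwrapper modification rather than a lookup against the kernel's existing table.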