On Fri, 27 Jan 1995, Daniel O'Callaghan wrote:

> > > another method. use the arp cache to check source ip addresses
> > > against physical layer addresses, local net packets coming from the Net
> > > router, rather than direct from the local machine should be dropped.
> > > this is also sufficient to protect against the spoofing attack from the Net.
> >
> > How hard would it be to modify tcpwrapper (for example) to check the incoming
> > MAC address on a connection and to be worried if it came from a list of
> > routers but the address was the local net?
>
> Does the arp cache really reflect the MAC address of the arriving
> packets, or does it only contain the responses to ARP requests?
>
> If the latter, then consider:
>
> Since this week it has been demonstrated that it is not necessary for a
> reply packet to reach the spoofer, it is not necessary for a spoofing
> machine to respond to arp requests.

no response, no service. furthermore, you can cache the arp data in a
file on your local dns server. (write a tiny perl script to sit around
responding to requests, iteratively. it can also notify you when the guy
with a pc in the next office decides to start using the wrong ip number.
a common problem here, as we bring all the dussss and windoze users to
the real world)

> Take it a step further... mount a denial of service attack against the
> machine being spoofed, then forge its ethernet address on outbound
> packets, and listen in promiscuous mode for the inbound.
>
> Scary!
>
> That said, the tcpwrapper MAC address mods have been on my to-do list for a
> while. It will add to your armour but will not be the be-all and end-all.
>
> Danny
>

Jonathan M. Bresler  jmb@kryten.atinc.com | Analysis & Technology, Inc.
play go.                                  | 2341 Jeff Davis Hwy
ride bike.                                | Arlington, VA 22202
hack FreeBSD.--ah the good life           | 703-418-2800 x346
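The thread above proposes two checks: compare each IP against the MAC it was last seen with (a cached ARP table, with a notification when a neighbour starts using the wrong IP), and treat a local-subnet source address whose frames arrive with the Net router's MAC as suspect. The script below is an added example written for this page; it is not the perl script the poster describes and not part of the original thread. It parses `arp -an` style output, compares it with a baseline kept in a JSON file, and reports both conditions. The subnet, the router entry, the baseline and the sample ARP output are all constructed values.

```python
# Added example, not from the original thread: an ARP-cache consistency
# checker. It parses `arp -an` lines (BSD or Linux format), compares each
# IP->MAC pair with a saved baseline, and reports two conditions:
#   mac-changed          an IP now resolves to a different MAC than before
#                        (a spoofed address, or simply a misconfigured neighbour)
#   local-ip-via-router  a local-subnet IP whose MAC is a known router's, i.e.
#                        "local" traffic that actually came in from the Net
# LOCAL_NET, ROUTERS, BASELINE and SAMPLE_ARP are constructed for illustration.
import ipaddress
import json
import re
from pathlib import Path

# Matches the "(ip) at mac" part of an arp -an line; incomplete entries do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.I)

# Constructed sample in BSD `arp -an` format (single-digit octet groups included).
SAMPLE_ARP = """\
? (192.168.1.1) at 0:a0:c9:12:34:56 on le0 permanent [ethernet]
? (192.168.1.10) at 8:0:20:aa:bb:cc on le0 [ethernet]
? (192.168.1.11) at 0:a0:c9:12:34:56 on le0 [ethernet]
? (192.168.1.12) at 0:0:c0:de:ad:1 on le0 [ethernet]
? (192.168.1.99) at (incomplete) on le0 [ethernet]
"""

LOCAL_NET = "192.168.1.0/24"                        # assumed local subnet
ROUTERS = {"192.168.1.1": "00:a0:c9:12:34:56"}      # assumed gateway(s): ip -> mac
BASELINE = {                                        # constructed earlier snapshot
    "192.168.1.1": "00:a0:c9:12:34:56",
    "192.168.1.10": "08:00:20:aa:bb:cc",
    "192.168.1.11": "08:00:20:11:22:33",
    "192.168.1.12": "00:00:c0:de:ad:02",
}


def normalize_mac(mac):
    """Canonical form: six zero-padded lowercase hex groups."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp(text):
    """Return {ip: mac} for every resolved entry in arp -an output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def check(current, baseline, local_net, routers):
    """Compare the current table with the baseline and return a list of alerts."""
    net = ipaddress.ip_network(local_net)
    router_macs = {normalize_mac(m) for m in routers.values()}
    alerts = []
    for ip, mac in sorted(current.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        expected = baseline.get(ip)
        if expected is not None and normalize_mac(expected) != mac:
            alerts.append({"kind": "mac-changed", "ip": ip,
                           "expected": normalize_mac(expected), "seen": mac})
        # The routers themselves legitimately carry their own MAC; any other
        # local address answering from a router MAC came in through the router.
        if ip not in routers and ipaddress.ip_address(ip) in net and mac in router_macs:
            alerts.append({"kind": "local-ip-via-router", "ip": ip,
                           "expected": None, "seen": mac})
    return alerts


def load_baseline(path):
    """Read the cached ip->mac table; an absent file means no baseline yet."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_baseline(path, entries):
    """Persist the current table so the next run can diff against it."""
    Path(path).write_text(json.dumps(entries, indent=1, sort_keys=True))


if __name__ == "__main__":
    # In real use, replace SAMPLE_ARP with the output of `arp -an` and keep
    # the baseline in a file via load_baseline()/save_baseline().
    for a in check(parse_arp(SAMPLE_ARP), BASELINE, LOCAL_NET, ROUTERS):
        print(f"{a['kind']:20} {a['ip']:16} expected={a['expected']} seen={a['seen']}")
```

On the constructed sample this reports 192.168.1.11 twice (its MAC changed, and the new MAC is the router's) and 192.168.1.12 once (MAC changed). As the reply in the thread points out, a host that never answers ARP never gets an entry, so an empty or incomplete entry is itself worth noticing; this check only covers addresses that did resolve.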