Re: Router filtering not enough! (Was: Re: CERT advisory )

smb@research.att.com
Thu, 26 Jan 95 21:26:22 EST

> > > 	another method.  use the arp cache to check source ip addresses 
> > > against physical layer addresses, local net packets coming from the Net 
> > > router, rather than direct from the local machine should be dropped.  
> > > this is also sufficient to protect against the spoofing attack from the Net.
> > 
> > How hard would it be to modify tcpwrapper (for example) to check the incoming 
> > MAC address on a connection and to be worried if it came from a list of 
> > routers but the address was the local net?
> 
> I think you'll find that the MAC addresses are unavailable once the packet
> has passed through the ethernet code.  I went digging yesterday, looking
> for _any_ way to get at the MAC header from the IP routines and found, not
> surprisingly, that the MAC header is kept separately to the rest of the
> packet, which is passed up to the IP stuff as an mbuf.

It's also worth noting that if the attacker is passing through the
same router as a trusted host -- say, an outside host that's been
blessed by a .rhosts file -- then the MAC address will be correct.
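The ARP-cache check proposed earlier in the thread, as an added example that is not part of any message in this exchange: it works on a raw Ethernet frame (e.g. from a packet capture, before the kernel strips the MAC header) and drops a frame whose source IP is on the local net but whose source MAC belongs to a router, or whose MAC disagrees with the ARP cache. The local net, router MACs, ARP entries and frames are constructed sample values; as the reply above notes, it cannot catch a spoofed source that legitimately arrives through the same router.

```python
import ipaddress
import struct

# Constructed sample configuration (not from the original thread).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_MACS = {"00:00:5e:00:53:01"}             # MACs of known Net routers
ARP_CACHE = {"192.0.2.10": "02:00:00:00:00:10"}  # local IP -> expected MAC

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) from an Ethernet II frame carrying IPv4."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
        raise ValueError("bad IPv4 version/IHL")
    src_mac = ":".join(f"{b:02x}" for b in src)
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))  # IPv4 source field
    return src_mac, src_ip

def verdict(src_mac: str, src_ip: str) -> str:
    """Apply the thread's two rules; returns 'accept' or a 'drop: ...' reason."""
    ip = ipaddress.ip_address(src_ip)
    if ip in LOCAL_NET and src_mac in ROUTER_MACS:
        return "drop: local source address arrived from a router MAC"
    expected = ARP_CACHE.get(src_ip)
    if expected is not None and expected != src_mac:
        return "drop: source MAC does not match ARP cache"
    return "accept"

def build_frame(src_mac: str, src_ip: str) -> bytes:
    """Constructed minimal Ethernet + IPv4 header (no payload) for the demo."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address("192.0.2.1").packed)
    return b"\xff" * 6 + mac + b"\x08\x00" + ipv4

if __name__ == "__main__":
    for mac, ip in [("00:00:5e:00:53:01", "192.0.2.10"),   # spoofed local
                    ("02:00:00:00:00:10", "192.0.2.10"),   # genuine local
                    ("00:00:5e:00:53:01", "198.51.100.7")]:  # normal remote
        print(mac, ip, "->", verdict(*parse_frame(build_frame(mac, ip))))
```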