On Thu, 26 Jan 1995, Jon Peatfield wrote: > > another method. use the arp cache to check source ip addresses > > against physical layer addresses, local net packets coming from the Net > > router, rather then direct from the local machine should be dropped. > > this is also sufficient to protect against the spoofing attack from the Net. > > How hard would it be to modify tcpwraper (for example) to check the incomming > MAC address on a connection and to be worried if it came from a list of > routers but the address was the local net? Does the arp cache really reflect the MAC address of the arriving packets, or does it only contain the responses to ARP requests? If the latter, then consider: Since this week it has been demonstrated that it is not necessary for a reply packet to reach the spoofer, it is not necessary for a spoofing machine to respond to arp requests. Take it a step further... mount a denial of service attack against the machine being spoofed, then forge its ethernet address on outbound packets, and listen in promiscuous mode for the inbound. Scarey! That said, the tcpwrapper MAC address mods have been on my do list for a while. It will add to your armour but will not be the be-all and end-all. Danny