Security Basics mailing list archives

Re: Multihome based network attacks


From: krymson () gmail com
Date: 24 Aug 2006 14:54:21 -0000

I'll answer your questions in reverse order. I will state that I might misspeak or have inaccuracies here, so I implore 
you to search Google for your terms, or maybe other list users will speak up and correct me.

Yes, strong host models are not susceptible to multihomed attacks. Weak host models are susceptible. 

First of all, a multihome situation involves a computer having two or more NICs and having separate network 
configurations on each one. An easy example would be using the wireless NIC in a laptop while it is also plugged into a 
wired network. This would put the laptop on two networks and "multihome" it.

A weak host model will accept packets from either of those networks and give them to the appropriate NIC that is on that 
network. For instance, if you are running a web server that is only listening on the wired network, but someone happens 
to send a packet to that web server over the wireless network using the wired NIC's IP address, the OS will go ahead and 
move it over to the wired NIC's stack.

An OS like Windows XP likes to have usability over security, and implements a weak host model. Vista will be using a 
strong host model.

Now, what about attacks? Well, attacks like this I wouldn't expect to find all that often, but there is some mischief I 
imagine you could do, especially if you have some knowledge of your target's two networks.

1) You can launch exploit attacks against services on either network, provided you are on one of the networks and know 
the IP addressing of the other network. In the example above, I could craft an exploit packet against your web server 
to penetrate it from the wireless network. The bad part is that I won't get a response because the web server will 
attempt to communicate replies out to the other network. But if I could get a local admin account created, I can get 
into the system through the wireless network, then.

2) You can flood spoofed packets from the wireless network into the system, which may generate responses and traffic on 
the wired network. Again, though, you need to know the wired IP network addressing.

I wouldn't consider such attacks terribly lucrative, because it requires some insider knowledge or good guessing on 
what is running on a system and the other networks the system is present on. To protect yourself, you should try to 
keep all end-user systems, particularly laptops, using only one network at a time. Don't let users both plug into the 
wired network while also using the wireless. 

One of the more interesting places I see this being a possible issue would be in a corporate environment where users 
have laptops and wireless networking while also having wired networks at their desk. This would be especially important 
for teams like developers who might run insecure web server setups on their Windows XP boxes... This would all be 
compounded by using easily guessable network address spaces on the wired network and insecure wireless configurations 
that could allow someone in the parking lot to associate or break into. A disgruntled employee or former employee could 
cause a little drama...but chances are if someone is running insecure systems on the wired network, they will also be 
insecure on the wireless, and probably can be directly attacked without needing to resort to multihome attacks.
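
The receive decision described in the message above, as an added example that is not part of the original post: a small Python model of weak versus strong host behaviour, plus a check a defender could run over captured packet records to spot traffic addressed to one NIC's IP but arriving on another. The interface names, addresses and packet records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str      # hypothetical NIC label
    address: str   # IP address assigned to this NIC

@dataclass(frozen=True)
class Packet:
    ingress: str   # name of the NIC the packet arrived on
    src: str
    dst: str

def _owner(interfaces, dst):
    """Return the interface that owns dst, or None if dst is not a local address."""
    target = ipaddress.ip_address(dst)
    for iface in interfaces:
        if ipaddress.ip_address(iface.address) == target:
            return iface
    return None

def accepts(interfaces, pkt, model):
    """True if the host delivers pkt to a local service under the given host model."""
    owner = _owner(interfaces, pkt.dst)
    if owner is None:
        return False                      # not addressed to this host at all
    if model == "weak":
        return True                       # any local address is accepted on any NIC
    if model == "strong":
        return owner.name == pkt.ingress  # address must belong to the receiving NIC
    raise ValueError("model must be 'weak' or 'strong'")

def cross_interface_hits(interfaces, packets):
    """Packets a weak host would accept but a strong host would drop."""
    return [p for p in packets
            if accepts(interfaces, p, "weak") and not accepts(interfaces, p, "strong")]

# Constructed sample data: a laptop on a wired and a wireless network at once.
SAMPLE_IFACES = [Interface("wired", "10.0.0.5"), Interface("wireless", "192.168.1.20")]
SAMPLE_PACKETS = [
    Packet("wired", "10.0.0.9", "10.0.0.5"),             # normal wired traffic
    Packet("wireless", "192.168.1.77", "192.168.1.20"),  # normal wireless traffic
    Packet("wireless", "192.168.1.77", "10.0.0.5"),      # wired IP reached over wireless
]

if __name__ == "__main__":
    for p in cross_interface_hits(SAMPLE_IFACES, SAMPLE_PACKETS):
        print(f"cross-interface delivery: {p.src} -> {p.dst} via {p.ingress}")
```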
