Bugtraq mailing list archives
Re: Router filtering not enough! (Was: Re: CERT advisory )
From: J.S.Peatfield () amtp cam ac uk (Jon Peatfield)
Date: Fri, 27 Jan 1995 15:27:28 +0000
Does the arp cache really reflect the MAC address of the arriving packets, or does it only contain the responses to ARP requests?
I wasn't proposing using the ARP cache, just look at the MAC address on the incoming packet. This should be the address of a router if it was routed.
Take it a step further... mount a denial of service attack against the machine being spoofed, then forge its ethernet address on outbound packets, and listen in promiscuous mode for the inbound.
You can only do this if you are on the same wire (well MAC level connected network really) as the attacked machine. If you are forwarding IP through a router then the MAC address will be that of the router not that of the originator.
That said, the tcpwrapper MAC address mods have been on my do list for a while. It will add to your armour but will not be the be-all and end-all.
Indeed you really want a router to prevent this type of attack, but for those sites without (or currently without) good enough routers it might help.
-- Jon
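The check discussed in the message above (compare the source MAC of an arriving frame with the router's MAC), as an added example that is not part of the original post or of tcpwrapper. `LOCAL_NET`, `ROUTER_MACS` and the sample frames are constructed assumptions, and the `unexpected-path` case goes beyond what the post states.

```python
import ipaddress
import struct

# Assumed site values (hypothetical, not from the original post).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_MACS = {"00:00:5e:00:53:01"}  # MAC of the router interface on this wire

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimum IPv4 header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ipaddress.ip_address(frame[26:30])  # IPv4 source address field
    return src_mac, src_ip

def classify(frame: bytes) -> str:
    parsed = parse_frame(frame)
    if parsed is None:
        return "not-ipv4"
    src_mac, src_ip = parsed
    via_router = src_mac in ROUTER_MACS
    claims_local = src_ip in LOCAL_NET
    if claims_local and via_router:
        return "spoofed-local"    # local source IP, yet the frame was routed in
    if not claims_local and not via_router:
        return "unexpected-path"  # off-subnet source not delivered by a router
    # "local" is not proof: a host on the same wire can still forge the MAC.
    return "routed" if via_router else "local"

def build_frame(src_mac: str, src_ip: str, dst_ip: str = "192.0.2.10") -> bytes:
    """Constructed sample: Ethernet II + bare IPv4 header (checksum left at 0)."""
    eth = bytes.fromhex("00005e005310" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

if __name__ == "__main__":
    for mac, ip in [("00:00:5e:00:53:01", "192.0.2.20"),
                    ("00:00:5e:00:53:22", "192.0.2.20"),
                    ("00:00:5e:00:53:01", "198.51.100.7")]:
        print(mac, ip, classify(build_frame(mac, ip)))
```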