Bugtraq mailing list archives

Re: Router filtering not enough! (Was: Re: CERT advisory )

From: jmb () kryten Atinc COM (Jonathan M. Bresler)
Date: Thu, 26 Jan 1995 20:48:26 -0500 (EST)


On Fri, 27 Jan 1995, Daniel O'Callaghan wrote:

  another method.  use the arp cache to check source ip addresses 
against physical layer addresses, local net packets coming from the Net 
router, rather then direct from the local machine should be dropped.  
this is also sufficient to protect against the spoofing attack from the Net.


How hard would it be to modify tcpwraper (for example) to check the incomming 
MAC address on a connection and to be worried if it came from a list of 
routers but the address was the local net?


Does the arp cache really reflect the MAC address of the arriving 
packets, or does it only contain the responses to ARP requests?

If the latter, then consider:

Since this week it has been demonstrated that it is not necessary for a 
reply packet to reach the spoofer, it is not necessary for a spoofing 
machine to respond to arp requests.


        no response, no service.  furthermore, you can cache the arp data 
in a file on your local dns server.  (write a tiny perl script to sit 
around responding to requests, iteratively.  it can also notify you when 
the guy with a pc in the next office decides to start using the wrong ip 
number.  a common problem here, as we bring all the dussss and windoze 
users to the real world)

Take it a step further... mount a denial of service attack against the 
machine being spoofed, then forge its ethernet address on outbound 
packets, and listen in promiscuous mode for the inbound.

Scarey!

That said, the tcpwrapper MAC address mods have been on my do list for a 
while.  It will add to your armour but will not be the be-all and end-all.

Danny


Jonathan M. Bresler  jmb () kryten atinc com    | Analysis & Technology, Inc.  
                                                | 2341 Jeff Davis Hwy
play go.                                        | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life      | 703-418-2800 x346

Current thread:

Re: Would an encrypted tunnel solve the SeqNo guessing attack?, (continued)
- - - Re: Would an encrypted tunnel solve the SeqNo guessing attack? Mark (Jan 26)
    - Loaded system no protection. Leo Bicknell (Jan 27)
    - Re: Would an encrypted tunnel solve the SeqNo guessing attack? Marc Tamsky (Jan 27)
    - Re: Would an encrypted tunnel solve the SeqNo guessing attack? Paul Robinson (Jan 27)
    - Very Confused!! Mohamad A Khatoun (Jan 27)
    - Notes from Tsutomo's Talk Michael B. Dilger (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Shipley (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jon Peatfield (Jan 27)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Aleph One (Jan 31)
  - Re: Router filtering not enough! (Was: Re: CERT advisory ) Daniel O'Callaghan (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Brian J. Murrell (Jan 26)
    - BOUNCE TEST Scott Chasin (Jan 27)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jon Peatfield (Jan 27)
    - Chances of guessing? Leo Bicknell (Jan 27)
    - Re: Chances of guessing? Timothy Newsham (Jan 27)
  - Re: Router filtering not enough! (Was: Re: CERT advisory ) Darren Reed (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Shipley (Jan 26)
  - old post on securing a sunos 4.1.* box joshua geller (Jan 30)
    - Re: old post on securing a sunos 4.1.* box pluvius (Jan 30)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) smb () research att com (Jan 26)

(Thread continues...)