Bugtraq mailing list archives
Re: Router filtering not enough! (Was: Re: CERT advisory )
From: jmb () kryten Atinc COM (Jonathan M. Bresler)
Date: Fri, 27 Jan 1995 08:21:48 -0500 (EST)
On Thu, 26 Jan 1995 smb () research att com wrote:
another method. use the arp cache to check source ip addresses against physical layer addresses, local net packets coming from the Net router, rather then direct from the local machine should be dropped. this is also sufficient to protect against the spoofing attack from the Net.How hard would it be to modify tcpwraper (for example) to check the incomming MAC address on a connection and to be worried if it came from a list of routers but the address was the local net?I think you'll find that the MAC addresses are unavailable once the packet has passed through the ethernet code. I went digging yesterday, looking for _any_ way to get at the MAC header from the IP routines and found, not surprisingly, that the MAC header is kept separately to the rest of the packet, which is passed upto the IP stuff as an mbuf.It's also worth noting that if the attacker is passing through the same router as a trusted host -- say, an outside host that's been blessed by a .rhosts file -- then the MAC address will be correct.
we have lost some context here, the original idea included a router between the internal and external (the Net). this router drops all packet from the Net that purport to come from the internal ip address(es). .rhosts for machines outside your own net constitute a can of worms of their own. (who is managing that machine anyway? how well does he have it configured? how closely does he manage that configuration?) .rhosts for outside machines allows you to skip sending your password over the Net. i would rather use S/key to fulfill that need. i how to look at darren reed's objection this weekend. perhaps the kernel mods are simple, maybe not. more on that later. jmb Jonathan M. Bresler jmb () kryten atinc com | Analysis & Technology, Inc. | 2341 Jeff Davis Hwy play go. | Arlington, VA 22202 ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
Current thread:
- Re: Router filtering not enough! (Was: Re: CERT advisory ), (continued)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) Jon Peatfield (Jan 27)
- Chances of guessing? Leo Bicknell (Jan 27)
- Re: Chances of guessing? Timothy Newsham (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) Darren Reed (Jan 26)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Shipley (Jan 26)
- old post on securing a sunos 4.1.* box joshua geller (Jan 30)
- Re: old post on securing a sunos 4.1.* box pluvius (Jan 30)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) smb () research att com (Jan 26)
- Re: Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Hartman (Jan 26)
- Re: Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) smb () research att com (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) anonymous () some lame netcom not site (Jan 30)
- list leadership Robert M. Haas (Jan 31)
- Anonymous mailings Adam Shostack (Jan 31)
- list leadership Robert M. Haas (Jan 31)