Bugtraq mailing list archives

Re: Router filtering not enough! (Was: Re: CERT advisory )

From: avalon () coombs anu edu au (Darren Reed)
Date: Fri, 27 Jan 1995 10:55:46 +1100 (EDT)

    another method.  use the arp cache to check source ip addresses 
against physical layer addresses, local net packets coming from the Net 
router, rather then direct from the local machine should be dropped.  
this is also sufficient to protect against the spoofing attack from the Net.


How hard would it be to modify tcpwraper (for example) to check the incomming 
MAC address on a connection and to be worried if it came from a list of 
routers but the address was the local net?


I think you'll find that the MAC addresses are unavailable once the packet
has passed through the ethernet code.  I went digging yesterday, looking
for _any_ way to get at the MAC header from the IP routines and found, not
surprisingly, that the MAC header is kept separately to the rest of the
packet, which is passed upto the IP stuff as an mbuf.

You can get at which interface it came from, but that's it, I'm afraid.

darren

Current thread:

Re: Router filtering not enough! (Was: Re: CERT advisory ), (continued)
- - - Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Shipley (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jon Peatfield (Jan 27)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Aleph One (Jan 31)
  - Re: Router filtering not enough! (Was: Re: CERT advisory ) Daniel O'Callaghan (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Brian J. Murrell (Jan 26)
    - BOUNCE TEST Scott Chasin (Jan 27)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Jon Peatfield (Jan 27)
    - Chances of guessing? Leo Bicknell (Jan 27)
    - Re: Chances of guessing? Timothy Newsham (Jan 27)
  - Re: Router filtering not enough! (Was: Re: CERT advisory ) Darren Reed (Jan 26)
    - Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Shipley (Jan 26)
  - old post on securing a sunos 4.1.* box joshua geller (Jan 30)
    - Re: old post on securing a sunos 4.1.* box pluvius (Jan 30)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) smb () research att com (Jan 26)
- Re: Re: Router filtering not enough! (Was: Re: CERT advisory ) Pete Hartman (Jan 26)
  - Re: Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) Jonathan M. Bresler (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) smb () research att com (Jan 27)
- Re: Router filtering not enough! (Was: Re: CERT advisory ) anonymous () some lame netcom not site (Jan 30)
  - list leadership Robert M. Haas (Jan 31)

(Thread continues...)