nanog mailing list archives

Re: Land and Cisco question


From: woods () most weird com (Greg A. Woods)
Date: Mon, 24 Nov 1997 20:49:25 -0500 (EST)

[ On Mon, November 24, 1997 at 19:38:49 (-0500), Dean Anderson wrote: ]
Subject: Re: Land and Cisco question

> At 4:54 AM -0500 11/23/97, Alan Barrett wrote:
> > Randy Bush said:
> > > for each interface on a router
> > >   block tcp which is both to and from that interface
> >
> > I don't think that's sufficient.  What about spoofed packets arriving via
> > interface A, with IP source and destination both set to the address of
> > interface B?
>
> In this case the packets must eventually be transmitted via interface B and
> Interface B transmit rules should take care of that.

There is already a modified version of the "land" attack that may make
protection of vulnerable gear by its own interface filters a bit tricky.

It involves sending multiple spoofed SYN attacks in quick succession to
more than one interface on the device and in such a configuration that
there are pairs which point at each other.  Supposedly this variant of
the attack has been successful (or at least analysis showed it would be
successful) against some versions of 4.4BSD TCP/IP.

Indeed it still should be possible to write correct filters for all
interfaces to protect against this variant of the attack, but without
algorithmic help in defining them the problem may become too complex for
the average human to solve without error.  I think the "mkfilters" perl
script included with ipfilter does a fairly decent job of writing such
rules, though the one time I've had occasion to use it on a small core
router with a mere six interfaces I still had to spend some time fixing
its output up because it didn't handle subnet netmasks very well.

-- 
                                                        Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
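The following is an added example, not code from this thread, from ipfilter or from its mkfilters script. It models a router with three constructed interfaces and checks constructed packets against two filter policies: the per-interface rule quoted above (block TCP that is both to and from the arrival interface's own address), and a broader ingress rule that blocks, on every interface, any packet whose source is any address the router owns. It shows which of the classic land packet, the cross-interface spoof Alan Barrett describes, and the paired-interface variant each policy stops, and emits ipfilter-flavoured rule text for the broader policy (interface names, addresses and the exact rule syntax are assumptions; check them against your own ipf.conf before use).

```python
"""Model of per-interface filtering against the LAND attack.

Added illustration, not code from the NANOG thread or from ipfilter.
Interfaces, addresses and packets are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    ingress: str                    # interface the packet arrived on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "tcp"


# Constructed router: three interfaces in documentation prefixes (assumption).
ROUTER = [
    Interface("le0", ipaddress.IPv4Address("192.0.2.1")),
    Interface("le1", ipaddress.IPv4Address("198.51.100.1")),
    Interface("le2", ipaddress.IPv4Address("203.0.113.1")),
]


def own_addresses(router):
    """All addresses the router itself answers on."""
    return {i.address for i in router}


def address_of(router, ifname):
    return next(i.address for i in router if i.name == ifname)


def blocked_per_interface(pkt, router):
    """The rule as quoted: on each interface, block TCP whose source and
    destination are both that interface's own address."""
    addr = address_of(router, pkt.ingress)
    return pkt.proto == "tcp" and pkt.src == addr and pkt.dst == addr


def blocked_any_own_source(pkt, router):
    """Broader ingress rule: on every interface, block anything claiming one
    of the router's own addresses as its source, whatever the destination.
    A genuine packet from the router never arrives on its own interfaces."""
    return pkt.src in own_addresses(router)


def ipfilter_rules(router):
    """Emit ipfilter-flavoured 'block in quick' rules for the broader policy:
    one rule per (ingress interface, owned address) pair.  Syntax shape is an
    assumption; verify against ipf.conf(5) on the target system."""
    lines = []
    for iface in router:
        for addr in sorted(own_addresses(router)):
            lines.append(
                f"block in quick on {iface.name} from {addr}/32 to any"
            )
    return lines


def evaluate(pkt, router):
    """Return which policies block this packet."""
    return {
        "per_interface": blocked_per_interface(pkt, router),
        "any_own_source": blocked_any_own_source(pkt, router),
    }


# Constructed packets for the three cases discussed in the thread.
A = ipaddress.IPv4Address
LAND_LE0 = Packet("le0", A("192.0.2.1"), A("192.0.2.1"))         # classic land
CROSS_SPOOF = Packet("le0", A("198.51.100.1"), A("198.51.100.1"))  # via A, addressed as B
PAIRED = Packet("le1", A("203.0.113.1"), A("198.51.100.1"))       # le2's address -> le1
TRANSIT = Packet("le0", A("10.0.0.5"), A("203.0.113.7"))           # ordinary forwarded TCP

if __name__ == "__main__":
    for name, pkt in [("land", LAND_LE0), ("cross", CROSS_SPOOF),
                      ("paired", PAIRED), ("transit", TRANSIT)]:
        print(name, evaluate(pkt, ROUTER))
    print("\n".join(ipfilter_rules(ROUTER)))
```

The per-interface rule stops only the packet that arrives on the very interface it names; the cross-interface and paired variants pass it on the arrival interface, while matching on "source is any of my own addresses" at ingress catches all three without depending on what another interface's rules do, and still lets the transit packet through. The generated rule list grows as interfaces times addresses, which is the bookkeeping a script such as mkfilters exists to take off the operator's hands.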
