[23776] in North American Network Operators' Group


Re: address spoofing

daemon@ATHENA.MIT.EDU (Andrew Brown)
Thu Apr 22 23:04:55 1999

Date: Thu, 22 Apr 1999 23:03:44 -0400
From: Andrew Brown <twofsonet@graffiti.com>
To: Vern Paxson <vern@ee.lbl.gov>
Cc: Daniel Senie <dts@senie.com>, nanog@merit.edu
Reply-To: Andrew Brown <atatat@atatdot.net>
In-Reply-To: <199904230252.TAA19270@daffy.ee.lbl.gov>; from Vern Paxson on Thu, Apr 22, 1999 at 07:52:48PM -0700
Errors-To: owner-nanog-outgoing@merit.edu


>I have traces of FTP PORT directives with Net 10 addresses in them, and
>even one in which a public address was included in the first PORT directive
>but a Net 10 address in a retransmission of the same directive!

i've seen a situation where this happens.  the ipfw and ipnat code
that has been integrated into operating systems like netbsd and
openbsd has a "bug" (or a feature, depending on your point of view)
where the port command doesn't get rewritten if the crlf that
terminates the line of the port command is sent in a separate packet
to the ipnat router.  in this case the offending sender was a linux
box (surprise?).

since the ipnat code insisted that the crlf come in the same packet,
the port command went out with an (internal) address.  my fix for the
problem was to remove the check for the crlf.  two other possible
fixes are to drop the incomplete port command (and force
retransmission) or to "buffer" the partial command and wait for the
rest.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
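The three behaviours discussed in the post (rewrite only when the CRLF is in the same packet, buffer the partial command, or drop it and force a retransmission), modelled as an added Python example. This is not code from the post, from ipfw or from ipnat; it assumes in-order delivery of the control-channel payloads and uses constructed addresses (10.0.0.5 behind a NAT with public address 192.0.2.1). The "strict" policy reproduces the leak the post describes, the other two are the fixes it lists.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 959 active-mode syntax: "PORT h1,h2,h3,h4,p1,p2" terminated by CRLF.
PORT_LINE = re.compile(rb"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", re.IGNORECASE)


def rewrite_port_line(line: bytes, internal_ip: str, public_ip: str) -> bytes:
    """Rewrite the host part of one complete PORT line if it names the NATed client."""
    m = PORT_LINE.fullmatch(line)
    if not m:
        return line
    host = ".".join(g.decode() for g in m.groups()[:4])
    if host != internal_ip:
        return line
    pub = public_ip.replace(".", ",").encode()
    return b"PORT %s,%s,%s\r\n" % (pub, m.group(5), m.group(6))


@dataclass
class FtpPortAlg:
    """Toy FTP PORT rewriter (assumed design, not ipnat's) fed one control-channel payload at a time."""
    internal_ip: str
    public_ip: str
    policy: str = "buffer"      # "strict" (the bug), "buffer" or "drop" (the two other fixes)
    _pending: bytes = b""       # bytes held back by the "buffer" policy until a CRLF arrives
    leaked: List[bytes] = field(default_factory=list)   # PORT commands forwarded un-rewritten

    def _rewrite(self, line: bytes) -> bytes:
        return rewrite_port_line(line, self.internal_ip, self.public_ip)

    def _is_unterminated_port(self, tail: bytes) -> bool:
        needle = self.internal_ip.replace(".", ",").encode()
        return tail.upper().startswith(b"PORT") and needle in tail

    def process_segment(self, payload: bytes) -> Optional[bytes]:
        """Return the bytes to forward for this payload, or None if the segment is dropped."""
        if self.policy == "buffer":
            # Hold partial lines; rewrite every complete line once its CRLF has arrived.
            self._pending += payload
            *lines, self._pending = self._pending.split(b"\r\n")
            return b"".join(self._rewrite(l + b"\r\n") for l in lines)

        # "strict" and "drop" look at each payload in isolation, like the original code.
        *lines, tail = payload.split(b"\r\n")
        if self._is_unterminated_port(tail):
            if self.policy == "drop":
                return None     # discard the segment; the client will retransmit the whole line
            self.leaked.append(tail)   # "strict": the CRLF is elsewhere, so nothing matches
        return b"".join(self._rewrite(l + b"\r\n") for l in lines) + tail


if __name__ == "__main__":
    # Constructed reproduction of the post's scenario: command and CRLF in separate packets.
    for policy in ("strict", "buffer", "drop"):
        alg = FtpPortAlg("10.0.0.5", "192.0.2.1", policy=policy)
        print(policy, alg.process_segment(b"PORT 10,0,0,5,4,1"), alg.process_segment(b"\r\n"), alg.leaked)
```

With "strict" the first segment is forwarded verbatim and records a leak; "buffer" forwards nothing until the CRLF arrives and then emits the rewritten line; "drop" returns None for the incomplete segment. A payload carrying the whole line is rewritten under every policy.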

