Re: Router filtering not enough! (Was: Re: CERT advisory )
daemon@ATHENA.MIT.EDU (Jonathan M. Bresler)
Wed Jan 25 15:04:25 1995
Date: Wed, 25 Jan 1995 11:59:07 -0500 (EST)
From: "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>
To: Jim Duncan <jim@math.psu.edu>
Cc: rens@imsi.com, ddrew@mci.net, firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com
In-Reply-To: <199501242301.SAA07779@augusta.math.psu.edu>
On Tue, 24 Jan 1995, Jim Duncan wrote:
> > As has been pointed out, only network or
> > transport-level encryption will entirely block these attacks.
>
> That's correct. That and teach people the difference between identification
> and authentication.
a filtering router is enough to prevent this attack from being
used from "the outside".
as i understand the spoofing attack, and correct me if i am wrong,
the source ip address must be used by the destination machine to grant
access (a la rsh, rhosts and friends). ("spoofer" sends "sucker" a packet
whose source ip address is "trusted". "sucker" responds to "trusted".
"spoofer" sends "sucker" the third part of the 3 step tcp handshake and
"sucker" considers the connection established. swamp "trusted" with
packets to prevent him from sending resets to "sucker".)
if my net is connected to the Net by a router that drops all
packets from the Net whose source ip address is one of my local ip
addresses AND i only trust local ip addresses, then i am protected from
this attack provided it originates from the Net.
another method. use the arp cache to check source ip addresses
against physical layer addresses: local net packets coming from the Net
router, rather than direct from the local machine, should be dropped.
this is also sufficient to protect against the spoofing attack from the Net.
if the attack originates from a local ip address, well, i have
other problems as well then ;)
jmb
Jonathan M. Bresler jmb@kryten.atinc.com | Analysis & Technology, Inc.
| 2341 Jeff Davis Hwy
play go. | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
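A model of the two filters described in the message above, as an added example that is not part of the original post: rule 1 is the filtering router that drops packets arriving from the Net with a local source address, rule 2 is the ARP-cache check on the local segment, and `address_trust_ok` captures the precondition that address-based trust is only safe when it is limited to local addresses and the packet survived both rules. The local prefix, MAC addresses, ARP cache and traffic sample are all constructed, and the function names are chosen here, not taken from any router or system of the time.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (not from the original message): a local prefix
# from the TEST-NET-1 range and locally administered MAC addresses.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_MAC = "02:00:00:00:00:01"     # inside-facing interface of the border router
UPSTREAM_MAC = "02:00:00:00:00:fe"   # next hop on the outside link (irrelevant to rule 2)

# Constructed ARP cache for the local segment: which physical address really
# answers for each local IP address.
ARP_CACHE = {
    "192.0.2.10": "02:00:00:00:00:10",
    "192.0.2.11": "02:00:00:00:00:11",
}


@dataclass(frozen=True)
class Packet:
    iface: str     # "outside" = link toward the Net, "inside" = local segment
    src_ip: str    # source address as written in the IP header
    src_mac: str   # physical-layer source seen on the wire


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def border_filter(pkt):
    """Rule 1 (the filtering router): anything arriving from the Net that
    claims one of our own addresses as its source is dropped, since nothing
    outside can legitimately originate a packet with a local source address."""
    if pkt.iface == "outside" and is_local(pkt.src_ip):
        return "drop: local source address arriving from the Net"
    return "accept"


def arp_filter(pkt):
    """Rule 2 (ARP-cache check on the local segment): a packet with a local
    source IP must come straight from the host that owns that IP.  If it was
    relayed by the Net router, or its source MAC disagrees with the ARP cache,
    the source address is forged."""
    if pkt.iface != "inside" or not is_local(pkt.src_ip):
        return "accept"
    if pkt.src_mac == ROUTER_MAC:
        return "drop: local source address relayed by the Net router"
    expected = ARP_CACHE.get(pkt.src_ip)
    if expected is not None and expected != pkt.src_mac:
        return "drop: source MAC does not match ARP cache entry"
    return "accept"


def address_trust_ok(pkt):
    """The message's precondition: rsh/.rhosts-style trust by source address
    is only safe if it is limited to local addresses AND the packet survived
    both filters.  True means the source may be treated as 'trusted'."""
    if not is_local(pkt.src_ip):
        return False    # a non-local address is never trusted on its own
    return border_filter(pkt) == "accept" and arp_filter(pkt) == "accept"


# Constructed traffic sample: a genuine outside packet, a forged outside packet
# claiming a local source, a genuine local packet, a packet claiming a local
# source that arrived via the router's MAC, and one whose MAC mismatches ARP.
SAMPLE = [
    Packet("outside", "203.0.113.5", UPSTREAM_MAC),
    Packet("outside", "192.0.2.10", UPSTREAM_MAC),
    Packet("inside", "192.0.2.10", "02:00:00:00:00:10"),
    Packet("inside", "192.0.2.10", ROUTER_MAC),
    Packet("inside", "192.0.2.11", "02:00:00:00:00:10"),
]


def audit(packets):
    """Run rule 1 then rule 2 over a packet list; returns (src_ip, verdict, trusted)."""
    out = []
    for p in packets:
        verdict = border_filter(p)
        if verdict == "accept":
            verdict = arp_filter(p)
        out.append((p.src_ip, verdict, address_trust_ok(p)))
    return out


if __name__ == "__main__":
    for src, verdict, trusted in audit(SAMPLE):
        print(f"{src:<14} {verdict:<55} trusted={trusted}")
```

Running the block lists each sample packet with the rule that dropped it; only the genuine local packet from the host that owns its address ends up both accepted and trusted, which is exactly the case the message's "AND i only trust local ip addresses" condition is meant to leave open.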