[803] in bugtraq

Re: Router filtering not enough! (Was: Re: CERT advisory )

daemon@ATHENA.MIT.EDU (smb@research.att.com)
Thu Jan 26 23:03:53 1995

From: smb@research.att.com
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: J.S.Peatfield@amtp.cam.ac.uk (Jon Peatfield), jmb@kryten.Atinc.COM,
        jim@math.psu.edu, rens@imsi.com, ddrew@mci.net,
        firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com,
        jp107@amtp.cam.ac.uk
Date: Thu, 26 Jan 95 21:26:22 EST

> > > 	another method.  use the arp cache to check source ip addresses 
> > > against physical layer addresses, local net packets coming from the Net 
> > > router, rather than direct from the local machine should be dropped.  
> > > this is also sufficient to protect against the spoofing attack from the Net.
> > 
> > How hard would it be to modify tcpwrapper (for example) to check the incoming 
> > MAC address on a connection and to be worried if it came from a list of 
> > routers but the address was the local net?
> 
> I think you'll find that the MAC addresses are unavailable once the packet
> has passed through the ethernet code.  I went digging yesterday, looking
> for _any_ way to get at the MAC header from the IP routines and found, not
> surprisingly, that the MAC header is kept separately to the rest of the
> packet, which is passed up to the IP stuff as an mbuf.

It's also worth noting that if the attacker is passing through the
same router as a trusted host -- say, an outside host that's been
blessed by a .rhosts file -- then the MAC address will be correct.
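
The check proposed in the quoted text, and the limitation noted in the reply, as an added example that is not part of the original message. It assumes raw Ethernet frames are available (for instance from a capture); the subnet, the router MAC and every sample frame are constructed for illustration.

```python
import ipaddress
import struct

# Assumptions for this example (not from the original message):
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # the local subnet
ROUTER_MACS = {"00:00:5e:00:53:01"}                # MAC of the router facing the Net


def parse_frame(frame: bytes):
    """Return (source MAC, source IP) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 14 + 20:
        return None
    src_mac, ethertype = struct.unpack("!6x6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    # The IPv4 source address sits 12 bytes into the IP header.
    src_ip = ipaddress.ip_address(frame[26:30])
    return ":".join(f"{b:02x}" for b in src_mac), src_ip


def from_router_with_local_source(frame: bytes) -> bool:
    """True when a frame delivered by the router claims a local-net source IP."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    mac, ip = parsed
    return mac in ROUTER_MACS and ip in LOCAL_NET


def make_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Build a constructed sample frame: Ethernet header plus a bare IPv4 header."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip


# Constructed samples; all addresses are documentation ranges.
SAMPLES = {
    "local host, direct": make_frame("00:00:5e:00:53:10", "192.0.2.10", "192.0.2.20"),
    "local source, via router": make_frame("00:00:5e:00:53:01", "192.0.2.10", "192.0.2.20"),
    # An outside host trusted via .rhosts: the router's MAC is the expected one,
    # so a forged copy of this source address looks identical at the link layer.
    "outside trusted source, via router": make_frame("00:00:5e:00:53:01", "198.51.100.7", "192.0.2.20"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: drop={from_router_with_local_source(frame)}")
```

Only the second sample is flagged; the third passes whether or not its source address is genuine.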
