[813] in bugtraq
Re: Router filtering not enough! (Was: Re: CERT advisory )
daemon@ATHENA.MIT.EDU (Jon Peatfield)
Fri Jan 27 12:55:39 1995
To: "Daniel O'Callaghan" <danny@miriworld.its.unimelb.EDU.AU>
Cc: "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>,
Jim Duncan <jim@math.psu.edu>, rens@imsi.com, ddrew@mci.net,
firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com,
jp107@amtp.cam.ac.uk
In-Reply-To: Your message of "Fri, 27 Jan 1995 09:33:37 +1100."
<Pine.3.89.9501270907.C314-0100000@miriworld.its.unimelb.edu.au>
Date: Fri, 27 Jan 1995 15:27:28 +0000
From: Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>
> Does the arp cache really reflect the MAC address of the arriving
> packets, or does it only contain the responses to ARP requests?
I wasn't proposing using the ARP cache, just look at the MAC address on the
incoming packet. This should be the address of a router if it was routed.
> Take it a step further... mount a denial of service attack against the
> machine being spoofed, then forge its ethernet address on outbound
> packets, and listen in promiscuous mode for the inbound.
You can only do this if you are on the same wire (well MAC level connected
network really) as the attacked machine. If you are forwarding IP through a
router then the MAC address will be that of the router not that of the
originator.
> That said, the tcpwrapper MAC address mods have been on my do list for a
> while. It will add to your armour but will not be the be-all and end-all.
Indeed you really want a router to prevent this type of attack, but for those
sites without (or currently without) good enough routers it might help.
-- Jon
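The check Jon describes, as an added example that is not part of the original mail or of any tcpwrapper modification: read the source MAC of the incoming Ethernet frame, and compare it with the source IP's claimed origin. A packet whose source IP is on the local subnet but whose source MAC belongs to the router did not originate on the local wire, so the address is spoofed. The subnet, the router MAC list and the sample frames below are constructed for the example. As the thread notes, this does not detect an attacker who is on the same wire and forges the victim's MAC as well.

```python
import ipaddress
import struct

# Constructed site parameters (assumptions for this example, not from the mail).
LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")
ROUTER_MACS = {"00:00:0c:aa:bb:cc"}  # MAC(s) of the site's router(s)

ETHERTYPE_IPV4 = 0x0800


def fmt_mac(raw):
    """Render 6 raw bytes as a colon-separated lowercase MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Extract (src_mac, src_ip, dst_ip) from a raw Ethernet II + IPv4 frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame (ethertype 0x{ethertype:04x})")
    ip_hdr = frame[14:34]
    if ip_hdr[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    src_ip = ipaddress.IPv4Address(ip_hdr[12:16])
    dst_ip = ipaddress.IPv4Address(ip_hdr[16:20])
    return fmt_mac(src_mac), src_ip, dst_ip


def classify(frame):
    """Classify the frame's origin from its source MAC and source IP.

    LOCAL        local IP arriving with a non-router MAC: came off the wire
    ROUTED       remote IP arriving with a router MAC: forwarded normally
    SPOOFED      local IP arriving with a router MAC: cannot be genuine,
                 a local host's frames never come through the router
    UNKNOWN_PATH remote IP arriving directly from a non-router MAC: either
                 an unlisted router or a local host forging a remote address
    """
    src_mac, src_ip, _dst_ip = parse_frame(frame)
    claims_local = src_ip in LOCAL_NET
    via_router = src_mac in ROUTER_MACS
    if claims_local and via_router:
        return "SPOOFED"
    if claims_local:
        return "LOCAL"
    if via_router:
        return "ROUTED"
    return "UNKNOWN_PATH"


def build_frame(src_mac, src_ip, dst_ip):
    """Construct a minimal Ethernet II + IPv4 header (sample input only)."""
    mac_bytes = bytes(int(x, 16) for x in src_mac.split(":"))
    eth = bytes.fromhex("aa0000000001") + mac_bytes + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto(TCP), checksum
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return eth + ip


# Constructed sample frames: a genuine local host, a remote host via the router,
# a remote-origin packet claiming a local address, and a remote address that
# showed up on the wire without passing through the listed router.
SAMPLES = {
    "local host": build_frame("00:11:22:33:44:55", "10.0.1.7", "10.0.1.1"),
    "routed remote": build_frame("00:00:0c:aa:bb:cc", "192.0.2.9", "10.0.1.1"),
    "spoofed local via router": build_frame("00:00:0c:aa:bb:cc", "10.0.1.7", "10.0.1.1"),
    "remote off local wire": build_frame("00:11:22:33:44:66", "192.0.2.9", "10.0.1.1"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:28s} -> {classify(frame)}")
```

The same test applies symmetrically on outbound traffic from the point of view of a router: a frame with a local source MAC but a non-local source IP is a local host forging a remote address.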