From owner-freebsd-security Mon Nov 12 17:15:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id EEA4E37B405 for ; Mon, 12 Nov 2001 17:15:23 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1098) id 9D74481D05; Mon, 12 Nov 2001 19:15:18 -0600 (CST)
Date: Mon, 12 Nov 2001 19:15:18 -0600
From: Bill Fumerola
To: Greg White
Cc: security@freebsd.org
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112191518.C81711@elvis.mu.org>
References: <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Mon, Nov 12, 2001 at 01:43:17PM -0800
X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
> 1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
> 2. Get to a host on an outside network.
> 3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where
>    the 192.168.0.0 matches your internal network, and 'ip.of.gate.way'
>    matches your host's external interface.
> 4. Sit back and enjoy unfettered access to all those internal hosts.

no, if you actually tried this, you'd be sitting back and wondering why
it doesn't work. continue reading.

> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

incorrect, most do.

today's lesson: you can't control the nexthop across the modern internet.

q: how is the attacker getting to the victim's gateway?
a: through the attacker's gateway.
q: what will this router do when it gets a packet for 192.168.0.0/24?
a: pass the packet to its default gateway (if it has one) or drop it on the
   floor because it has learned no route for it.

q: what will the next router do when it gets a packet for 192.168.0.0/24?
a: see previous question.

so the 'attack' you describe only works:

if you can directly reach the victim over the victim's public interface's
link layer. now you have his mac address (or other lladdr) and the manager
of the broadcast domain can determine what equipment that mac address (or
other lladdr) is hanging off of.

OR you have a tunnel between the attacker and victim gateway (ipsec, gre, etc)

OR every router in between is ({un,}willingly) participating in the attack.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org -
  my anger management counselor can beat up your self-affirmation therapist
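The hop-by-hop argument in the reply, as an added model that is not code from the thread: every node does its own longest-prefix lookup on the destination address alone, so the `route add` from step 3 decides at most which layer-2 neighbour the attacker hands the packet to. The topology, addresses (documentation ranges) and the `filter_private` flag standing in for the RFC1918 'spoof' rule are all constructed for this example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Node:
    def __init__(self, name, addrs, onlink, routes, filter_private=False):
        self.name, self.filter_private = name, filter_private  # filter = the 'spoof' rule
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.onlink = {ipaddress.ip_address(a) for a in onlink}  # layer-2 neighbours only
        self.routes = [(ipaddress.ip_network(p),  # target: next-hop IP, or a marker
                        nh if nh in ("local", "connected") else ipaddress.ip_address(nh))
                       for p, nh in routes]
    def lookup(self, dst):  # longest-prefix match on the destination alone
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
    def egress(self, dst):  # resolve the next hop until it is an on-link neighbour
        nh = self.lookup(dst)
        for _ in range(4):
            if nh == "connected":
                return dst if dst in self.onlink else None
            if nh in (None, "local") or nh in self.onlink:
                return nh
            nh = self.lookup(nh)  # recursive resolution, e.g. off-link gateway -> default
        return None

def forward(nodes, src, dst):
    # Walk the packet hop by hop; only dst travels with it. Returns (path, fate).
    dst, by_addr = ipaddress.ip_address(dst), {a: n for n in nodes for a in n.addrs}
    node, path = next(n for n in nodes if n.name == src), [src]
    for _ in range(8):
        if node.name != src and node.filter_private and any(dst in p for p in RFC1918):
            return path, "dropped: anti-spoof filter"
        nh = node.egress(dst)
        if nh is None:
            return path, "dropped: no route"
        if nh == "local":
            return path, "delivered"
        node = by_addr[nh]
        path.append(node.name)
    return path, "dropped: TTL exceeded"

def scenario(attacker_onlink, victim_filters=False):
    # Constructed topology: attacker -> ISP -> core -> victim gateway -> internal host.
    nodes = [
        Node("attacker", ["198.51.100.7"], attacker_onlink,
             [("0.0.0.0/0", "198.51.100.1"), ("192.168.0.0/24", "203.0.113.1")]),  # step 3
        Node("isp", ["198.51.100.1", "192.0.2.1"], ["198.51.100.7", "192.0.2.2"], [("0.0.0.0/0", "192.0.2.2")]),
        Node("core", ["192.0.2.2", "203.0.113.254"], ["192.0.2.1", "203.0.113.1"], [("203.0.113.0/24", "connected")]),
        Node("victim-gw", ["203.0.113.1", "192.168.0.1"], ["203.0.113.254", "192.168.0.5"],
             [("192.168.0.0/24", "connected")], victim_filters),
        Node("victim-host", ["192.168.0.5"], ["192.168.0.1"], [("192.168.0.0/24", "local")]),
    ]
    return forward(nodes, "attacker", "192.168.0.5")
```

`scenario(["198.51.100.1"])` (attacker behind an ordinary ISP) dies at the core router with no route, while `scenario(["203.0.113.1"])` (attacker on the victim gateway's own link) is the one case that delivers, and only until the RFC1918 filter is back.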