Date:      Mon, 12 Nov 2001 19:15:18 -0600
From:      Bill Fumerola <billf@mu.org>
To:        Greg White <gregw-freebsd-security@greg.cex.ca>
Cc:        security@freebsd.org
Subject:   Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID:  <20011112191518.C81711@elvis.mu.org>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Mon, Nov 12, 2001 at 01:43:17PM -0800
References:  <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca>

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:

> 1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
> 2. Get to a host on an outside network.
> 3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where
> the 192.168.0.0 matches your internal network, and 'ip.of.gate.way'
> matches your host's external interface.
> 4. Sit back and enjoy unfettered access to all those internal hosts.

no, if you actually tried this, you'd be sitting back and wondering why
it doesn't work. continue reading.

> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

incorrect, most do.

today's lesson: you can't control nexthop across the modern internet.

q: how is attacker getting to victim's gateway?
a: through attacker's gateway.

q: what will this router do when it gets a packet for 192.168.0.0/24?
a: pass the packet to its default gateway (if it has one) or drop it
   on the floor because it has learned no route for it.

q: what will the next router do when it gets a packet for 192.168.0.0/24?
a: see previous question.

so the 'attack' you describe only works:

if you can directly reach the victim over the victim's public interface's
link layer. now you have his mac address (or other lladdr) and the
manager of the broadcast domain can determine what equipment that mac
address (or other lladdr) is hanging off of.

OR

you have a tunnel between the attacker and victim gateway (ipsec, gre, etc)

OR

every router in-between is ({un,}willingly) participating in the attack.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist
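The hop-by-hop argument in the reply above, as an added simulation that is not part of the original thread: a constructed four-node topology (attacker host, attacker's gateway, an ISP core router with no default route, victim gateway; documentation address ranges) where each hop does its own longest-prefix lookup, so the attacker's local `route add -net 192.168.0.0/24` changes nothing past the first link and the packet dies at the first router with no route for that prefix, while a public destination on the same victim gateway is delivered normally.

```python
import ipaddress

# Constructed topology (not from the original post; documentation/test address
# ranges). Forwarding table: prefix -> next-hop IP, or None if directly attached.
TABLES = {
    "attacker": {"203.0.113.0/24": None, "0.0.0.0/0": "203.0.113.1",
                 "192.168.0.0/24": "198.51.100.1"},  # the 'route add -net' from the quoted recipe
    "attacker_gw": {"203.0.113.0/24": None, "10.0.0.0/30": None, "0.0.0.0/0": "10.0.0.2"},
    "isp_core": {"10.0.0.0/30": None, "10.0.0.4/30": None,   # no default route: unknown
                 "203.0.113.0/24": "10.0.0.1", "198.51.100.0/24": "10.0.0.6"},  # prefixes die here
    "victim_gw": {"10.0.0.4/30": None, "198.51.100.0/24": None,
                  "192.168.0.0/24": None, "0.0.0.0/0": "10.0.0.5"},
}
# Interface address -> node that owns it (the node a next hop lands on).
OWNER = {"203.0.113.1": "attacker_gw", "10.0.0.1": "attacker_gw", "10.0.0.2": "isp_core",
         "10.0.0.5": "isp_core", "10.0.0.6": "victim_gw", "198.51.100.1": "victim_gw"}


def lookup(node, dst):
    """Longest-prefix match in one node's own table -> next-hop IP, None (attached), or 'NOROUTE'."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in TABLES[node].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return "NOROUTE" if best is None else best[1]


def on_link(node, addr):
    """True if addr sits in a network directly attached to node."""
    return any(nh is None and ipaddress.ip_address(addr) in ipaddress.ip_network(p)
               for p, nh in TABLES[node].items())


def trace(src, dst, max_hops=16):
    """Forward hop by hop. Every hop consults only ITS OWN table; the sender's
    static route influences nothing beyond the sender's first link."""
    path, node = [src], src
    for _ in range(max_hops):
        nh = lookup(node, dst)
        if nh == "NOROUTE":
            return path, f"dropped at {node}: no route"
        if nh is None:
            return path, f"delivered by {node}"
        # A gateway that is not on-link is resolved recursively (BSD style),
        # so the packet still leaves via whatever on-link gateway that yields.
        while not on_link(node, nh):
            nh = lookup(node, nh)
            if nh in (None, "NOROUTE"):
                return path, f"dropped at {node}: gateway unreachable"
        node = OWNER[nh]
        path.append(node)
    return path, "dropped: hop limit exceeded"
```

`trace("attacker", "192.168.0.7")` stops at `isp_core` with "no route", whereas `trace("attacker", "198.51.100.1")` is delivered by `victim_gw`; giving `isp_core` a default route instead just moves the drop one hop further along, exactly the "pass to default or drop it on the floor" behaviour described above.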