Bugtraq mailing list archives
Re: Router filtering not enough! (Was: Re: CERT advisory )
From: brian () wimsey com (Brian J. Murrell)
Date: Thu, 26 Jan 1995 18:15:41 -0800 (PST)
As enscripted by Daniel O'Callaghan:
> Does the arp cache really reflect the MAC address of the arriving packets, or does it only contain the responses to ARP requests?

The ARP cache is a "one-to-one" relationship table of IP addresses to MAC (ethernet) addresses FOR MACHINES THAT ARE ON THE SAME ETHERNET. That is to say, you may only find MAC addresses in the arp cache for machines that your machine can converse directly with via the ethernet. Any machines that are one or more router (not bridge) hops away will never show up in your ARP cache (barring proxy arp).

> If the latter, then consider: Since this week it has been demonstrated that it is not necessary for a reply packet to reach the spoofer, it is not necessary for a spoofing machine to respond to arp requests.

But in real life, the spoofing machine would never be requested to respond to arp anyway, because in real life the spoofer should be on the other side of your firewall router. If the spoofer and spoofee are on the same ethernet then there are serious internal problems that go beyond the scope of firewalls!!

> Take it a step further... mount a denial of service attack against the machine being spoofed, then forge its ethernet address on outbound packets, and listen in promiscuous mode for the inbound.

In wide area networks (such as the internet), there are no "ethernet addresses" in outbound packets. In WANs, routers route IP packets, not ethernet packets. The ethernet encapsulation is stripped off the IP packet and replaced by some other encapsulation.

> Scary! That said, the tcpwrapper MAC address mods have been on my do list for a while. It will add to your armour but will not be the be-all and end-all.

It won't do much. The thing to keep in mind is that the "ethernet" portion of the packet (MAC addresses and the like) are removed and added to IP packets as the packets move to and from ethernet media networks. The ethernet encapsulation you see on a packet in your local net will be different than the encapsulation on the net from which the packet originated, because your router adds the ethernet encapsulation when it wants to send the packet to a machine in your local net. Further, the originating MAC address of the packet will be that of your router, not the originating machine.

b.

--
Brian J. Murrell                                    brian () ilinx com
InterLinx Support Services, Inc.                    brian () wimsey com
North Vancouver, B.C.                               604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD
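Added example, not part of the original post and not tcpwrapper code: a small Python sketch of what a MAC-address check on a receiving host can and cannot tell you, given the re-encapsulation described in the message above. The function names, the documentation-range IP addresses, the locally administered MAC addresses and the ARP cache contents are all constructed for illustration.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed local ethernet
ROUTER_MAC = "02:00:00:00:00:01"                   # constructed router interface
ARP_CACHE = {"192.0.2.10": "02:00:00:00:00:10"}    # constructed ARP cache
MY_MAC = "02:00:00:00:00:20"                       # constructed receiving host

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample frame: Ethernet II header plus a bare IPv4 header."""
    macs = bytes.fromhex((dst_mac + src_mac).replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)  # checksum left 0
    return macs + struct.pack("!H", 0x0800) + ip

def parse_frame(frame):
    """Return (source MAC, source IPv4 address) of an Ethernet II/IPv4 frame."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4 headers")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        raise ValueError("not IPv4 over Ethernet II")
    return src.hex(":"), ipaddress.IPv4Address(frame[26:30])

def classify(frame, local_net, router_mac, arp_cache):
    """Say what the source MAC can tell us about the sender of this frame."""
    src_mac, src_ip = parse_frame(frame)
    if src_ip not in local_net:
        # Off-link sender: the router re-encapsulated the packet, so the MAC
        # is the router's and identifies nothing about the originating host.
        return "routed" if src_mac == router_mac else "off-link-not-via-router"
    if src_mac == router_mac:
        # A local source address arriving from the router side of the net.
        return "local-ip-via-router"
    known = arp_cache.get(str(src_ip))
    if known is None:
        return "no-arp-entry"
    return "arp-match" if known == src_mac else "arp-mismatch"

def demo():
    """Classify four constructed frames addressed to the receiving host."""
    senders = {
        "remote_host": (ROUTER_MAC, "198.51.100.7"),
        "local_peer": ("02:00:00:00:00:10", "192.0.2.10"),
        "local_ip_wrong_mac": ("02:00:00:00:00:66", "192.0.2.10"),
        "local_ip_from_router": (ROUTER_MAC, "192.0.2.10"),
    }
    return {n: classify(build_frame(MY_MAC, mac, ip, "192.0.2.20"),
                        LOCAL_NET, ROUTER_MAC, ARP_CACHE)
            for n, (mac, ip) in senders.items()}
```

Every frame from an off-link sender classifies as `routed` whatever host originated it, so a MAC comparison only distinguishes machines on the same ethernet.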