nanog mailing list archives
Re: Land and Cisco question
From: woods () most weird com (Greg A. Woods)
Date: Mon, 24 Nov 1997 20:49:25 -0500 (EST)
[ On Mon, November 24, 1997 at 19:38:49 (-0500), Dean Anderson wrote: ]
> Subject: Re: Land and Cisco question
>
> At 4:54 AM -0500 11/23/97, Alan Barrett wrote:
> > Randy Bush said:
> > > for each interface on a router block tcp which is both to and from that interface
> >
> > I don't think that's sufficient. What about spoofed packets arriving via interface A, with IP source and destination both set to the address of interface B?
>
> In this case the packets must eventually be transmitted via interface B and Interface B transmit rules should take care of that.
There is already a modified version of the "land" attack that may make protection of vulnerable gear by its own interface filters a bit tricky. It involves sending multiple spoofed SYN attacks in quick succession to more than one interface on the device and in such a configuration that there are pairs which point at each other. Supposedly this variant of the attack has been successful (or at least analysis showed it would be successful) against some versions of 4.4BSD TCP/IP.

Indeed it still should be possible to write correct filters for all interfaces to protect against this variant of the attack, but without algorithmic help in defining them the problem may become too complex for the average human to solve without error. I think the "mkfilters" perl script included with ipfilter does a fairly decent job of writing such rules, though the one time I've had occasion to use it on a small core router with a mere six interfaces I still had to spend some time fixing its output up because it didn't handle subnet netmasks very well.

-- 
Greg A. Woods
+1 416 443-1734   VE3TCP   <gwoods () acm org>   <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
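The point Greg makes above is that the per-interface filters become error-prone once the spoofed source and destination belong to a different interface than the one the packet arrives on, and that the rules are better generated than hand-written. The script below is an added example written for this archive page; it is not code from the original post, nor ipfilter's "mkfilters". It generates ipfilter-syntax rules that drop any inbound packet whose IP source is one of the router's own interface addresses, on every interface. That single rule family covers the classic "land" packet (source = destination = the receiving interface) and the multi-interface variant (source = destination = interface B, arriving on interface A), and it blocks all protocols rather than just TCP, which is broader than the rule Randy quoted. The interface names and addresses are constructed sample values, and the rule evaluator is a simplified first-match model of "block in quick", not the real ipfilter engine. The subnet prefix is carried on each address so that the host address is extracted correctly regardless of the netmask, which is the detail Greg found mkfilters mishandled.

```python
"""
Added example (not the original post's or ipfilter's code): generate
ipfilter-style rules that drop inbound packets sourced from any of the
router's own interface addresses, then check constructed packets against them.
"""
import ipaddress

# Constructed sample router: interface name -> address/prefix.  The prefix is
# kept so the host address is extracted correctly whatever the subnet mask is.
INTERFACES = {
    "le0": "192.0.2.1/24",
    "le1": "198.51.100.1/24",
    "le2": "203.0.113.17/28",
}


def own_addresses(interfaces):
    """The router's own host addresses, with the subnet prefix stripped."""
    return sorted(ipaddress.ip_interface(cidr).ip for cidr in interfaces.values())


def generate_rules(interfaces):
    """Emit one 'block in quick' rule per (inbound interface, own address) pair.

    Sorting makes the output deterministic, so a regenerated ruleset can be
    diffed against the deployed one before it is loaded.
    """
    rules = []
    for iface in sorted(interfaces):
        for addr in own_addresses(interfaces):
            rules.append(f"block in quick on {iface} from {addr}/32 to any")
    return rules


def parse_rule(rule):
    """Parse the restricted rule form this script emits into (iface, src_network)."""
    words = rule.split()
    # words: block in quick on <iface> from <src/prefix> to any
    return words[4], ipaddress.ip_network(words[6])


def would_drop(rules, in_iface, src, dst):
    """Simplified first-match evaluation: True if an inbound packet is blocked."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        iface, src_net = parse_rule(rule)
        if iface == in_iface and src_ip in src_net:
            return True
    return False


def spoofed_own_address_packets(interfaces):
    """Constructed packets: classic land per interface plus the cross-interface variant."""
    addrs = {name: str(ipaddress.ip_interface(c).ip) for name, c in interfaces.items()}
    pkts = [(name, a, a) for name, a in addrs.items()]  # src = dst = receiving iface
    names = sorted(addrs)
    for i, name in enumerate(names):
        other = addrs[names[(i + 1) % len(names)]]
        pkts.append((name, other, other))  # src = dst = another iface, via this one
    return pkts


if __name__ == "__main__":
    rules = generate_rules(INTERFACES)
    print("\n".join(rules))
    for pkt in spoofed_own_address_packets(INTERFACES):
        print(pkt, "drop" if would_drop(rules, *pkt) else "PASS")
    # A legitimate transit packet from a host on le0's subnet is unaffected.
    print(("le0", "192.0.2.55", "198.51.100.9"),
          "drop" if would_drop(rules, "le0", "192.0.2.55", "198.51.100.9") else "pass")
```

On a real box the generated lines would be fed to ipf after review; the evaluator here exists only so the rule set can be checked against the spoofed-packet cases before it is deployed.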