Subject: Re: restricting NFS (and associated services) to one IP address
To: matthew sporleder <msporleder@gmail.com>
From: Michael van Elst <mlelstv@serpens.de>
List: netbsd-users
Date: 10/10/2006 19:25:06
On Tue, Oct 10, 2006 at 09:36:21AM -0400, matthew sporleder wrote:

> If you're not listening on a network, where's the attack?

You seem to believe that if you bind a socket to a specific address
then a packet needs to enter the network stack on exactly the
interface that has this address configured.

But that's not true.

The packet can be injected on every interface and the packet can
be encapsulated (IPIP-Tunnel or similar). The network stack will
simply deliver the payload (with an arbitrary destination IP address)
to whoever is listening.

The checkinterface option that was mentioned prevents some attacks,
but it is disabled by default, it doesn't work if you configure
IP forwarding, and it is only implemented for IPv4.

Obviously this kind of attack only works unidirectionally as your
host cannot answer. But for things like "ping of death" or DNS
poisoning this is sufficient.

A packet filter on the outside interface can reject all this
unwanted traffic.

Greetings,
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
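As an added illustration of the mitigation the mail ends with (not part of Michael's reply), here is a pf.conf fragment for a NetBSD host that blocks, on the outside interface, both traffic addressed to the internal NFS address and encapsulated (IPIP/GRE) packets, and admits RPC/NFS only on the LAN interface. The interface names ext0/int0, the address 192.0.2.10 and the LAN 192.0.2.0/24 are assumed placeholders.

```pf
# pf.conf fragment (added example, not from the original mail).
# Assumptions: external interface "ext0", internal LAN interface "int0",
# NFS server bound to 192.0.2.10 (documentation range), LAN 192.0.2.0/24.
ext_if   = "ext0"
int_if   = "int0"
nfs_addr = "192.0.2.10"
lan      = "192.0.2.0/24"

set skip on lo0

# Anything entering on the outside interface that claims to be for the
# internal address cannot be legitimate: drop it before the stack sees it.
block in log quick on $ext_if from any to $nfs_addr

# Drop tunnelled packets on the outside interface; once decapsulated their
# inner destination would otherwise be delivered to the bound socket.
block in log quick on $ext_if proto { ipencap, gre }

# Portmapper (111) and NFS (2049) only from the LAN, on the LAN interface.
# mountd/lockd/statd take portmapper-assigned ports unless pinned, so
# extend this list once those ports are fixed on your host.
pass in quick on $int_if proto { tcp, udp } from $lan to $nfs_addr port { 111, 2049 }
block in log quick proto { tcp, udp } from any to $nfs_addr port { 111, 2049 }

# Complementary, with the limits stated in the mail (off by default, no
# effect with IP forwarding, IPv4 only), in /etc/sysctl.conf:
#   net.inet.ip.checkinterface=1
```

Order matters because every rule is `quick`: the LAN `pass` must precede the catch-all `block` for the same ports.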