Subject: Re: restricting NFS (and associated services) to one IP address
To: Michael van Elst <mlelstv@serpens.de>
From: matthew sporleder <msporleder@gmail.com>
List: netbsd-users
Date: 10/10/2006 14:29:58
On 10/10/06, Michael van Elst <mlelstv@serpens.de> wrote:
> On Tue, Oct 10, 2006 at 09:36:21AM -0400, matthew sporleder wrote:
>
> > If you're not listening on a network, where's the attack?
>
> You seem to believe that if you bind a socket to a specific address
> then a packet needs to enter the network stack on exactly the
> interface that has this address configured.
>
> But that's not true.
>
> The packet can be injected on every interface and the packet can
> be encapsulated (IPIP-Tunnel or similar). The network stack will
> simply deliver the payload (with an arbitrary destination IP address)
> to whoever is listening.
>
> The checkinterface option that was mentioned prevents some attacks,
> but it is disabled by default, it doesn't work if you configure
> ip forwarding and it is only implemented for IPv4.
>
> Obviously this kind of attack only works unidirectionally as your
> host cannot answer. But for things like "ping of death" or DNS
> poisoning this is sufficient.
>
> A packet filter on the outside interface can reject all this
> unwanted traffic.
>

Okay.. I will certainly yield that running an exploitable service on
the public network would allow some access to the private network.  I
guess that I was writing from the assumption that you wouldn't be
doing that sort of thing.
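The packet filter on the outside interface that Michael recommends above, written out as an added NetBSD pf.conf fragment. This is not from either poster; the interface names, the private network and the NFS host address are assumptions chosen for illustration, and the NFS/rpcbind port list is the standard one (111 for rpcbind, 2049 for nfsd).

```conf
# Added example, not from the thread. Assumed interface names and addresses.
ext_if  = "wm0"                # outside interface (assumption)
int_if  = "wm1"                # inside interface (assumption)
int_net = "192.168.1.0/24"     # constructed private network
nfs_srv = "192.168.1.10"       # constructed address that rpcbind/nfsd bind to
nfs_ports = "{ 111, 2049 }"    # rpcbind and nfsd

set skip on lo0
scrub in all

# Nothing arriving on the outside interface may claim to be from, or be
# addressed to, the private network.  Binding nfsd to $nfs_srv does not
# enforce this by itself; the packet would still be delivered to the socket.
block in log on $ext_if from $int_net to any
block in log on $ext_if from any to $int_net

# Do not accept encapsulated traffic (IPIP, GRE) from the outside at all,
# since a decapsulated payload can carry any inner destination address.
block in log on $ext_if proto { ipencap, gre }

# Also reject packets on any other interface that claim an inside source.
antispoof log for $int_if

# Inside hosts may reach the NFS services; nothing else passes by default.
block in on $int_if
pass in on $int_if proto { tcp, udp } from $int_net to $nfs_srv port $nfs_ports
pass out on $int_if

# Minimal outside policy: no unsolicited inbound, stateful outbound.
block in on $ext_if
pass out on $ext_if keep state
```

Rule order matters in pf: the last matching rule wins unless `quick` is used, so the specific `pass in on $int_if` line is placed after the blanket `block in on $int_if`. The `checkinterface` knob mentioned earlier in the thread is, to my knowledge, the `net.inet.ip.checkinterface` sysctl on NetBSD; as Michael notes it is off by default and only covers IPv4, which is why the filter rules above do not rely on it.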