Subject: Re: bin/2455: (security) Echo & friends can be spoofed into looping traffic
To: None <firstname.lastname@example.org, netbsd-bugs@NetBSD.ORG>
From: Laine Stump <laine@MorningStar.Com>
Date: 05/27/1996 23:51:34
On Wed, 22 May 1996 10:08:13 GMT, you wrote:
> Also the kernel should drop packets incoming on an interface for
> which they make no sense - eg: an interface '18.104.22.168' with
> netmask 0xffffff00 should only accept packets from '194.72.62.*'.

There is this concept called "routing", which specifically depends on
the ability of an interface to accept packets originating from a network
other than the network directly connected to the interface. The Internet
would not work without this!

What you're trying to prevent here is IP spoofing attacks, but your
method of doing so simply cuts off your machine from the rest of the
world. The way to prevent IP spoofing attacks is to discard packets
coming into an interface which have source addresses "known" to actually
be properly reachable via a different interface on the same machine (or
more correctly, *not* reachable via the interface the packet came in
on). Likewise, to prevent IP spoofing in the other direction, you need
to discard packets going out an interface which have source addresses
"known" to actually be properly reachable via that same interface. To do
either of these, you need more information than is present in an
interface's ifnet (you could probably get enough information out of the
routing table, though).
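The two routing-table-driven checks described above (drop inbound packets whose source is not reachable back out the arrival interface; drop outbound packets whose source is reachable via the very interface they leave on), as an added example that is not part of this message or of NetBSD: a user-space Python model with a constructed routing table and hypothetical interface names (ppp0, le0, le1). It implements the strict form of the inbound check, which, as the message implies, needs routing information rather than an interface's own address and netmask.

```python
import ipaddress

# Constructed routing table for the illustration: (destination prefix, interface).
# Interface names are hypothetical, not a real host's table.
ROUTES = [
    ("0.0.0.0/0", "ppp0"),        # default route: the outside world
    ("192.168.1.0/24", "le0"),    # directly connected LAN
    ("10.0.0.0/8", "le1"),        # a second internal network, one hop away
]

def reverse_path_interface(routes, addr):
    """Longest-prefix match: the interface this host would use to reach addr.
    This is the routing-table information the message says an ifnet lacks."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def accept_ingress(routes, ifname, src):
    """Inbound rule: keep the packet only if its source is reachable back out
    the interface it arrived on (a strict reverse-path check)."""
    return reverse_path_interface(routes, src) == ifname

def accept_egress(routes, ifname, src):
    """Outbound rule: drop a packet leaving an interface whose source address
    is itself reachable via that interface (a locally forged foreign source)."""
    return reverse_path_interface(routes, src) != ifname

def filter_packets(routes, packets):
    """Apply both rules to (direction, interface, source) tuples."""
    verdicts = []
    for direction, ifname, src in packets:
        check = accept_ingress if direction == "in" else accept_egress
        ok = check(routes, ifname, src)
        verdicts.append((direction, ifname, src, "accept" if ok else "drop"))
    return verdicts

# Constructed sample traffic, not captured data.
SAMPLE = [
    ("in", "le0", "192.168.1.5"),     # LAN host talking on the LAN
    ("in", "ppp0", "203.0.113.7"),    # foreign source on the external link
    ("in", "ppp0", "192.168.1.5"),    # LAN address arriving from outside: spoofed
    ("out", "ppp0", "192.168.1.5"),   # our LAN address heading out: fine
    ("out", "ppp0", "203.0.113.7"),   # foreign source leaving the external link: forged
]
```

Calling `filter_packets(ROUTES, SAMPLE)` yields accept, accept, drop, accept, drop for the five sample packets; note that the strict inbound rule will also drop legitimate traffic on hosts with asymmetric routes, so a real deployment needs to account for that.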