Subject: Re: Odd ipf behaviour?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/20/1999 09:46:07
Date: Mon, 20 Sep 1999 09:46:07 -0400
Cc: tech-security@netbsd.org
Message-ID: <19990920094607.U485@acheron.middleboro.ma.us>
References: <19990919221430.L485@acheron.middleboro.ma.us> <19990920113942.A4576@antioche.lip6.fr> <19990920092544.R485@acheron.middleboro.ma.us> <19990920153611.A13646@antioche.lip6.fr>
In-Reply-To: <19990920153611.A13646@antioche.lip6.fr>

On Mon, Sep 20, 1999 at 03:36:11PM +0200, Manuel Bouyer wrote:

> No, if it's on the same subnet (i.e. it can reach your router without
> going through another router, for example it's on the same ethernet) it can
> add an entry in its routing table for 10.0.0.0/24 pointing to your router.

Hm. Right, it would be happening on the link layer, so the sending machine
would be addressing my MAC address.

So, this could have happened if the source machine was doing this *and* was
spoofing its address to say that it wasn't local. I wish I could have looked
at the packets themselves... Does the source routing option allow for the
use of MAC addresses or something? There weren't really enough packets for
this to be a DOS attempt, and I don't see the point if the packets weren't
going to be routed somewhere useful from the attacker's perspective, unless
of course both a local machine *and* the remote machine were working in
concert. That'd be pretty tricky.

> Do you have routed or gated running on your machine?

Nope. Static routes only.

> It could announce a route to 10.0.0.0, which could be accepted by other
> routers and propagated.

Heh! I think I'd be seeing a lot more traffic than I am, if I was sucking down
all the stray 10.x.x.x traffic in the region. <grin>

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.