Subject: Re: Odd ipf behaviour?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 09/20/1999 16:23:44
Cc: tech-security@netbsd.org
Message-ID: <19990920162343.C369@antioche.lip6.fr>
References: <19990919221430.L485@acheron.middleboro.ma.us> <19990920113942.A4576@antioche.lip6.fr> <19990920092544.R485@acheron.middleboro.ma.us> <19990920153611.A13646@antioche.lip6.fr> <19990920094607.U485@acheron.middleboro.ma.us>
In-Reply-To: <19990920094607.U485@acheron.middleboro.ma.us>; from Mason Loring Bliss on Mon, Sep 20, 1999 at 09:46:07AM -0400

On Mon, Sep 20, 1999 at 09:46:07AM -0400, Mason Loring Bliss wrote:
> On Mon, Sep 20, 1999 at 03:36:11PM +0200, Manuel Bouyer wrote:
> 
> > No, if it's on the same subnet (i.e. it can reach your router without
> > going through another router, for example it's on the same ethernet) it can
> > add an entry in its routing table for 10.0.0.0/24 pointing to your router.
> 
> Hm. Right, it would be happening on the link layer, so the sending machine
> would be addressing my MAC address.
> 
> So, this could have happened if the source machine was doing this *and* was
> spoofing its address to say that it wasn't local. I wish I could have looked
> at the packets themselves... Does the source routing option allow for the
> use of MAC addresses or something?

It shouldn't. I think it only allows specifying a route in terms of IP addresses.

> There weren't really enough packets for
> this to be a DOS attempt, and I don't see the point if the packets weren't
> going to be routed somewhere useful from the attacker's perspective, unless
> of course both a local machine *and* the remote machine were working in
> concert. That'd be pretty tricky.

And this was coming from port 80... Maybe it was an attack designed to
run with a Java applet on your client, or something like this?

> 
> > Do you have routed or gated running on your machine ?
> 
> Nope. Static routes only.
> 
> > It could announce a route to 10.0.0.0, which could be accepted by other
> > routers and propagated.
> 
> Heh! I think I'd be seeing a lot more traffic than I am, if I was sucking down
> all the stray 10.x.x.x traffic in the region. <grin>

Well, properly configured routers shouldn't allow this traffic to go out
from the local net; there shouldn't be that much 10.x.x.x traffic on the
Internet :)

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
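An added example, not part of the thread, illustrating the two points above in Python: the LSRR/SSRR option carries only a list of IPv4 addresses (no MAC addresses), and a border filter should drop source-routed packets and anything with RFC1918 addresses arriving from outside. All packets and addresses below are constructed; the checks mirror what an ipf ruleset on the external interface would enforce.

```python
import ipaddress
import struct

# Constructed sample data; nothing here comes from the original thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LSRR, SSRR = 0x83, 0x89  # IP option types for loose / strict source routing

def parse_ipv4(pkt: bytes) -> dict:
    """Return src/dst and any source-route hop list from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    hops, opt_kind, i = [], None, 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:        # End of option list
            break
        if kind == 1:        # NOP padding
            i += 1
            continue
        length = pkt[i + 1]
        if kind in (LSRR, SSRR):
            opt_kind = "lsrr" if kind == LSRR else "ssrr"
            data = pkt[i + 3:i + length]          # after type, len, pointer: IPv4 addresses only
            hops = [str(ipaddress.ip_address(data[j:j + 4])) for j in range(0, len(data) - len(data) % 4, 4)]
        i += length
    return {"src": str(src), "dst": str(dst), "source_route": opt_kind, "hops": hops}

def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)

def verdict(pkt: bytes) -> list:
    """Reasons a packet seen on the external interface should be dropped (empty = pass)."""
    info, reasons = parse_ipv4(pkt), []
    if info["source_route"]:
        reasons.append(f"{info['source_route']} option, hops {info['hops']}")
    if is_private(info["src"]):
        reasons.append(f"RFC1918 source {info['src']} from outside")
    if is_private(info["dst"]):
        reasons.append(f"RFC1918 destination {info['dst']} from outside")
    return reasons

def build_packet(src: str, dst: str, hops=(), strict=False) -> bytes:
    """Build a minimal IPv4 header (checksum left zero) with an optional source-route option."""
    opts = b""
    if hops:
        body = b"".join(ipaddress.ip_address(h).packed for h in hops)
        opts = bytes([SSRR if strict else LSRR, 3 + len(body), 4]) + body
        opts += b"\x00" * (-len(opts) % 4)        # pad header to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts), 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + opts
```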