
List:       ipfilter
Subject:    Re: "Load" exploit and filtering...
From:       Michael Richardson <mcr () sandelman ! ottawa ! on ! ca>
Date:       1997-11-21 15:29:11


  All good filter configurations should prevent packets with
src-spoofed IP addresses. I.e. given:
            /----\
        I---1 Fw 2---P
            \----/

  Packets arriving on interface #1, with a source address that 
belongs on the network #2 should be discarded. My favorite way to do
this:

	1. take src address. treat it as a destination address.
	2. look up in routing table.
	3. compare resulting interface with the interface that 
	packet arrived on. If not identical, then packet is src
	spoofed.

  With IPF, you have to do this in your head, and write rules.

]       ON HUMILITY: to err is human. To moo, bovine.           |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

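The three-step check described in the message above, written out as an added example (it is not part of the original post and not IPF code). The interface names `if1` and `if2`, the routing table and the sample packets are constructed for illustration, with `if1` facing I and `if2` facing P as in the diagram.

```python
import ipaddress

# Constructed routing table for the firewall in the diagram (assumption):
# the default route points out if1 (towards I), network #2 sits behind if2.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "if1"),
    (ipaddress.ip_network("192.0.2.0/24"), "if2"),
]

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def is_src_spoofed(src, arrival_if, routes=ROUTES):
    """Steps 1-3: look up src as if it were a destination, then compare
    the resulting interface with the one the packet arrived on.
    A source with no route at all is also treated as spoofed."""
    return route_lookup(src, routes) != arrival_if

# Constructed sample packets: (source address, arrival interface).
SAMPLE_PACKETS = [
    ("192.0.2.10", "if2"),    # inside host, seen on inside interface
    ("192.0.2.10", "if1"),    # inside address arriving from outside
    ("198.51.100.7", "if1"),  # outside host, seen on outside interface
    ("198.51.100.7", "if2"),  # outside address arriving from inside
]

def classify(packets, routes=ROUTES):
    """Return 'discard' or 'accept' for each (src, arrival_if) pair."""
    return ["discard" if is_src_spoofed(s, i, routes) else "accept"
            for s, i in packets]

if __name__ == "__main__":
    for (src, ifname), verdict in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS)):
        print(f"{src:15} on {ifname}: {verdict}")
```

This is the strict form of the check: on a host with asymmetric routing, legitimate packets can arrive on an interface other than the one the routing table would use to reach their source, and they would be discarded too.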
