RE: Desperate for good firewall: ARP and DNS attacks

To: <debian-firewall@lists.debian.org>
Subject: RE: Desperate for good firewall: ARP and DNS attacks
From: "DUFRESNE, Mathias \(KPF\)" <MATTHIAS.DUFRESNE@airbus.com>
Date: Wed, 3 Mar 2010 12:10:45 +0100
Message-id: <[🔎] 17963_1267614650_4B8E43BA_17963_16_1_A54570CA491AF843B18DD8BC6169BFC00E5A3035@fr0-mailmb11.res.airbus.corp>
References: <[🔎] 40a027ee1003011735y770e6c8fo1c26158f2a15ce63@mail.gmail.com> <[🔎] 20100302143513.GA15309@lia.ch> <4617_1267592942_4B8DEEEB_4617_377_3_40a027ee1003022107p45cb1fa2v498c7742e50c0ded@mail.gmail.com>

Hello,

>From my point you should first disable everything which is not needed. If you don't use Wifi, just stop it.

What kind of router are you using? A Linux distribution on some PC or dedicated hardware (as modem/router sold by DLink or some other vendors)?
If you router is a GNU/Linux distribution it is possible to build a strong enough firewall with it using iptables (and ip6tables if you also have ipv6 activated through Internet).

Regarding your possibly attacked systems as it was already explained the best you could do is to re-install them from scratch.

Kindly regards,

mathias

-----Message d'origine-----
De : Linux User [mailto:linux.user.au@gmail.com] 
Envoyé : mercredi 3 mars 2010 06:08
À : debian-firewall@lists.debian.org; Linux User
Objet : Re: Desperate for good firewall: ARP and DNS attacks

On Wed, Mar 3, 2010 at 12:35 AM, Stephan Balmer <sb@lia.ch> wrote:

> What sort of Internet connection do you use? What hosts are connected?
> Wifi present?

I have an ADSL PPoE connection, although normally it's PPoA. Doesn't
matter with my ISP. What do you mean by hosts connected? On my LAN? If
that's what you mean, only one at the moment. Wifi present but not in
use. I did use Wifi a while back and that seemed to be the beginning
along with other issues. On my father's laptop I was astonished to see
that he had 27 tunnelling adapters by looking at ipconfig. Lots of
weird stuff went on there, and others who knew about this particular
Wifi modem I had at the time told me it was junk and to throw it away.

> What operating system are you using?

Lenny 5.0.4 with updates.

> How do you detect malware on your system?

By using rootkit tools, and by simple inspection and observing the
behaviour of my system. For example, on my iMac, the malware resides
on a partition I can't get rid of. Apple tech support said there
should only be one partition for my system and I could use the disk
tool to zero it out, but the malware partition won't let itself get
wiped and it tries to take over the install (and does, I've tried many
times.) I'm going to have to send my iMac to the service centre and
ask them to send me back the bad disk and put in a new one for me.
Lots of ways I detect it. Plus the kernel is not supposed to resume
from a swap partition at boot time, is it? Seems odd to me. Also I
found though looking at my traffic use uploads of data that did not
come from me or my father.

> What do you mean by 'on multicast'? From where did you boot whom off how?

I saw a lot of stuff about traffic going to a multicast address, and a
professor took a look at it, and it was a multicast address traffic
was going to. Also something like "snmp-trap" and IGMP stuff. To be
honest I only have a small knowledge of networking. Enough to get up
and going and create a very simple firewall.

> Your router got taken over? Did you replace it? What/who is 'it'?

Yes, I replaced several modem/routers. I don't know what/who is "it"
otherwise I'd be gunning for who/it and making it stop. I have some
suspicions and I'm investigating those. I've got lots of good packet
captures and weird partitions not supposed to be partitioned which I
ripped out with the dd command.

> Just a warning: I'm no expert.

That's okay, thank you for taking the time to respond. I appreciate it.

> As long as these reside on ramdisks, the security issues are slight.
> Attackers would have to exploit vulnerabilities in the install system over
> the network. This is unlikely.

Thanks for that information. So I can look elsewhere instead of being
overly worried about it and focus on what's more likely.

> You can download official Debian images from http://www.debian.org. An
> attacker would have to go to great lengths to provide malicious ones.
> So unless you have something of great value (or have annoyed somebody
> a great deal) it is exteremely unlikely anybody would do this. You can also
> download Debian testing images, those are generated daily and even harder to
> fake.
>
> If you want to be extra sure, take the SHA1 hash of an image and compare
> out-of-band with a trusted person. You would
>
> 1. Download an image from debian.org
> 2. take its SHA1 hash
> 3. Phone a trusted person to do the same
> 4. compare SHA1 hashes
>
> If they are different, first verify you both downloaded the same image.
> If the images really are different, publish both somewhere for people to
> have a look at them.

Thanks very much for that. I will do that and see what happens.

> Also in this case you should consider contacting your
> friendly law enforcement agency, it is likely that there is a law against
> this, though I don't know where you live.

Oh I will be doing that, but I would like to try and gather something
that can stand up in a court of law. Otherwise I'm not sure anything
could be done.

As for the laws, I assumed there was, and I contacted the free legal
advice line and got some help there. There are several ways I can get
this done legally that I'm aware of at the moment. But I do need
something that can likely result in conviction(s) and/or a Supreme
Court writ for damages. Standards of proof are different obviously for
those roads.

Thanks very much for taking the time to reply.

-- 
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] 40a027ee1003022107p45cb1fa2v498c7742e50c0ded@mail.gmail.com">http://lists.debian.org/[🔎] 40a027ee1003022107p45cb1fa2v498c7742e50c0ded@mail.gmail.com

This mail has originated outside your organization, either from an external partner or the Global Internet.
Keep this in mind if you answer this message.

The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.

Reply to:

Follow-Ups:
- Re: Desperate for good firewall: ARP and DNS attacks
  - From: Linux User <linux.user.au@gmail.com>

References:
- Desperate for good firewall: ARP and DNS attacks
  - From: Linux User <linux.user.au@gmail.com>
- Re: Desperate for good firewall: ARP and DNS attacks
  - From: Stephan Balmer <sb@lia.ch>

Prev by Date: Re: Desperate for good firewall: ARP and DNS attacks
Next by Date: different firewall rules for different users
Previous by thread: Re: Desperate for good firewall: ARP and DNS attacks
Next by thread: Re: Desperate for good firewall: ARP and DNS attacks
Index(es):
- Date
- Thread