Re: 127.0.0.0/8 addresses from the network
In message <20010310042130.4530.qmail@alongtheway.com>, Jim Breton writes:
>On Fri, Mar 09, 2001 at 10:09:13PM -0600, Ted Cabeen wrote:
>> Actually we trap illegal packets like this one in I15lospoof.def.
>>
>> :#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
>> :#: over a non-'lo' interface
>
>Double-check that against the original question:
>
>"is debian protected before connecting from remote hosts to address
>127.0.0.0/8 ?"
>
>Notice he said "_to_ 127.0.0.0/8" and not "_from_" which is what
>I15lospoof.def blocks.
>
>I made the same mistake in my first post, then re-read his question.

Ummm, the kernel and every router and switch on the market will drop
127.0.0.0/8 packets when they see them, unless they're on the lo interface.
They're invalid packets. Similarly with 10.0.0.0/24, 192.168.0.0/16 and
that other one in 160 something.

There's no way to route such a packet to your machine, unless you're on
some sort of point-to-point link that the attacker can just throw packets
down. That may be a risk there, but I doubt it.

Here's the relevant section from the kernel source (arp.c:656):

    /*
     * Check for bad requests for 127.x.x.x and requests for multicast
     * addresses. If this is one such, delete it.
     */
    if (LOOPBACK(tip) || MULTICAST(tip))
            goto out;

If the kernel receives an arp request for a 127.x.x.x address it never
responds, so the connecting machine never gets a HW address to connect to.

--
Ted Cabeen http://www.pobox.com/~secabeen secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
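
Added example, not part of the original message or the kernel source: a user-space C version of the target-address test in the arp.c snippet quoted above, applied to a constructed 28-byte Ethernet/IPv4 ARP request. The names IS_LOOPBACK, IS_MULTICAST, arp_request_answerable and sample_request are assumptions for illustration; a return of 1 only means the request passes this one check.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for LOOPBACK()/MULTICAST(); addresses in network order. */
#define IS_LOOPBACK(a)  (((a) & htonl(0xff000000u)) == htonl(0x7f000000u))
#define IS_MULTICAST(a) (((a) & htonl(0xf0000000u)) == htonl(0xe0000000u))
#define ARP_IPV4_LEN 28 /* htype,ptype,hlen,plen,op,sha,spa,tha,tpa */

/* 1: passes the check, 0: dropped (loopback/multicast target), -1: malformed. */
int arp_request_answerable(const uint8_t *pkt, size_t len)
{
    uint16_t htype, ptype, op;
    uint32_t tip;

    if (pkt == NULL || len < ARP_IPV4_LEN)
        return -1;
    memcpy(&htype, pkt, 2);
    memcpy(&ptype, pkt + 2, 2);
    memcpy(&op, pkt + 6, 2);
    if (ntohs(htype) != 1 || ntohs(ptype) != 0x0800 ||
        pkt[4] != 6 || pkt[5] != 4 || ntohs(op) != 1 /* request */)
        return -1;
    memcpy(&tip, pkt + 24, 4); /* target protocol address */
    if (IS_LOOPBACK(tip) || IS_MULTICAST(tip))
        return 0;
    return 1;
}

/* Constructed sample input: a who-has request for target a.b.c.d. */
int sample_request(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t pkt[ARP_IPV4_LEN] = {
        0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x01, /* Ethernet, IPv4, request */
        0x02, 0, 0, 0, 0, 0x01,                   /* sender MAC (constructed) */
        192, 0, 2, 10,                            /* sender IP (TEST-NET-1) */
        0, 0, 0, 0, 0, 0,                         /* target MAC, unknown */
        a, b, c, d                                /* target IP under test */
    };
    return arp_request_answerable(pkt, sizeof pkt);
}

int main(void)
{
    printf("%d %d\n", sample_request(127, 0, 0, 1), sample_request(192, 0, 2, 1));
    return 0;
}
```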