Re: 127.0.0.0/8 addresses from the network
Hello
> >"is debian protected before connecting from remote hosts to address
> >127.0.0.0/8 ?"
On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
> Ummm, the kernel and every router and switch on the market will drop
> 127.0.0.0/8 packets when they see them, unless they're on the lo interface.
No. On many routers you have to specify *explicit* spoofing filters.
AFAIK even on CISCO routers.
> * Check for bad requests for 127.x.x.x and requests for multicast
> * addresses. If this is one such, delete it.
This seems irrelevant to me. As the attacker is per definition on the same
network (else 127/8 IP would have to get routed) he could make an ARP request
for the MAC on the victim's real IP and then send spoofed packets with the
127/8 as target IP and the just fetched MAC address for layer#2 transport.
This would exploit the discussed "hole" without needing ARP requests at all.
bye,
-christian-
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
ch@westend.com Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Premium Certified
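
A defender-side check for the situation discussed in this thread, as an added example that is not part of the original message: it parses a raw Ethernet/IPv4 frame and flags any 127.0.0.0/8 source or destination seen on a non-loopback interface. The interface names, MAC addresses and sample frames are constructed for illustration, and the IP checksum is not verified.

```python
import struct
from ipaddress import IPv4Address, ip_network

LOOPBACK_NET = ip_network("127.0.0.0/8")
ETHERTYPE_IPV4 = 0x0800

def check_frame(frame, iface):
    """Return a finding dict if an IPv4 frame received on a non-loopback
    interface carries a 127/8 source or destination address, else None."""
    if iface == "lo" or len(frame) < 14 + 20:
        return None                      # loopback traffic or truncated frame
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, VLAN tags etc. not handled here
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None                      # version field is not IPv4
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    fields = [n for n, a in (("src", src), ("dst", dst)) if a in LOOPBACK_NET]
    if not fields:
        return None
    return {
        "iface": iface,
        "fields": fields,                # which header field held the 127/8 address
        "src_ip": str(src),
        "dst_ip": str(dst),
        # The sender's MAC is the only trustworthy hint to the local origin.
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
    }

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a constructed test frame (Ethernet + minimal IPv4 header)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) \
        + bytes.fromhex(src_mac.replace(":", "")) \
        + struct.pack("!H", ETHERTYPE_IPV4)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                        IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + iphdr

# Constructed samples: one ordinary frame, one addressed to 127.0.0.1
# but delivered to the host's real MAC, as the message above describes.
NORMAL = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                     "192.0.2.10", "192.0.2.20")
MARTIAN = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                      "192.0.2.10", "127.0.0.1")

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("martian", MARTIAN)):
        print(name, check_frame(frame, "eth0"))
```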