[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 127.0.0.0/8 addresses from the network

Hello

> >"is debian protected beforeconnecting from remote hosts to address
> >127.0.0.0/8 ?"

On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
> Ummm, the kernel and every router and swtich on the market will drop
> 127.0.0.0/8 packets when they see them, unless they're on the lo interface.
No. On many routers you have to specify *explicit* spoofing filters.
AFAIK even on CISCO routers.

>  *      Check for bad requests for 127.x.x.x and requests for multicast
>  *      addresses.  If this is one such, delete it.
This seems irrelevant to me. As the attacker has per definition on the same
network (else 127/8 IP would have to get routed) he could make an ARP request
for the MAC on the victim's real IP and then send spoofed packets with the
127/8 as target IP and the just fetched MAC address for layer#2 transport.

This would exploit the discussed "hole" without needing ARP requests at all.

bye,

 -chrisitan-  

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
           WESTEND ist CISCO Systems Partner - Premium Certified
Reply to: