Re: 127.0.0.0/8 addresses from the network



In message <20010310155844.A28017@westend.com>, Christian Hammers writes:
>Hello
>
>> >"is debian protected before connecting from remote hosts to address
>> >127.0.0.0/8 ?"
>
>On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
>> Ummm, the kernel and every router and switch on the market will drop
>> 127.0.0.0/8 packets when they see them, unless they're on the lo interface.
>No. On many routers you have to specify *explicit* spoofing filters.
>AFAIK even on CISCO routers.

Really?  That's interesting.  Does it ship with sensible defaults at the
least?

>>  *      Check for bad requests for 127.x.x.x and requests for multicast
>>  *      addresses.  If this is one such, delete it.
>This seems irrelevant to me. As the attacker is per definition on the same
>network (else the 127/8 IP would have to get routed) he could make an ARP request
>for the MAC on the victim's real IP and then send spoofed packets with the
>127/8 as target IP and the just-fetched MAC address for layer 2 transport.
>
>This would exploit the discussed "hole" without needing ARP requests at all.

True enough.  Time to go back in the kernel...

Here it is.  From route.c:1134

	if (MULTICAST(saddr) || BADCLASS(saddr) || LOOPBACK(saddr))
		goto martian_source;

	if (daddr == 0xFFFFFFFF || (saddr == 0 && daddr == 0))
		goto brd_input;

	/* Accept zero addresses only to limited broadcast;
	 * I even do not know to fix it or not. Waiting for complains :-)
	 */
	if (ZERONET(saddr))
		goto martian_source;

	if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
		goto martian_destination;

This is part of the routing check for incoming packets.  It should take
care of the problem being discussed.  :)

(I haven't tested this section of the code, but it should prevent that kind
of attack, I think)

--
Ted Cabeen           http://www.pobox.com/~secabeen         secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2      secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com
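Added example, not part of Ted's message or of the kernel sources: a user-space C re-implementation of the address checks in the route.c fragment quoted above, run over constructed source/destination pairs, including the frame Christian describes (the victim's real MAC at layer 2, a 127/8 address as the IP destination). The MULTICAST/BADCLASS/ZERONET/LOOPBACK macros are written to match the prefix tests the kernel's include/linux/in.h of that era performs on network-byte-order addresses; the verdict enum, route_input_check(), classify() and the sample addresses are this example's own. It mirrors only the address tests shown in the fragment; what the kernel does before and after them (route-cache lookup, multicast handling, the FIB lookup) is not modelled.

```c
/* Added example: the martian source/destination checks of the quoted
 * ip_route_input_slow() fragment, replayed in user space on constructed
 * address pairs. Not the kernel's code; see the lead-in for what is assumed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Prefix tests as the kernel macros perform them; x is in network byte order. */
#define MULTICAST(x) (((x) & htonl(0xf0000000)) == htonl(0xe0000000))
#define BADCLASS(x)  (((x) & htonl(0xf0000000)) == htonl(0xf0000000))
#define ZERONET(x)   (((x) & htonl(0xff000000)) == htonl(0x00000000))
#define LOOPBACK(x)  (((x) & htonl(0xff000000)) == htonl(0x7f000000))

/* Where the fragment would jump for a given pair (names are this example's). */
enum verdict {
	VERDICT_ROUTE,              /* none of the checks fire; on to the FIB lookup */
	VERDICT_BRD_INPUT,          /* limited broadcast, delivered locally */
	VERDICT_MARTIAN_SOURCE,     /* dropped: bogus source address */
	VERDICT_MARTIAN_DESTINATION /* dropped: bogus destination address */
};

/* The quoted fragment, statement for statement, with goto replaced by return. */
static enum verdict route_input_check(uint32_t saddr, uint32_t daddr)
{
	if (MULTICAST(saddr) || BADCLASS(saddr) || LOOPBACK(saddr))
		return VERDICT_MARTIAN_SOURCE;

	if (daddr == 0xFFFFFFFF || (saddr == 0 && daddr == 0))
		return VERDICT_BRD_INPUT;

	/* A zero source is accepted only towards limited broadcast (above). */
	if (ZERONET(saddr))
		return VERDICT_MARTIAN_SOURCE;

	if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
		return VERDICT_MARTIAN_DESTINATION;

	return VERDICT_ROUTE;
}

/* Dotted-quad wrapper; returns an enum verdict value, or -1 on a bad address. */
int classify(const char *src, const char *dst)
{
	struct in_addr s, d;

	if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
		return -1;
	return route_input_check(s.s_addr, d.s_addr);
}

static const char *verdict_name(int v)
{
	switch (v) {
	case VERDICT_ROUTE:               return "route (FIB lookup)";
	case VERDICT_BRD_INPUT:           return "brd_input";
	case VERDICT_MARTIAN_SOURCE:      return "martian_source (dropped)";
	case VERDICT_MARTIAN_DESTINATION: return "martian_destination (dropped)";
	default:                          return "invalid address";
	}
}

int main(void)
{
	/* Constructed cases. The third is the spoofed frame from the discussion:
	 * a neighbour addresses the victim's MAC but puts 127.0.0.1 in the IP
	 * header; the layer-2 trick does not help, the IP destination alone
	 * sends it to martian_destination. */
	static const struct { const char *src, *dst; } cases[] = {
		{ "10.0.0.2",        "10.0.0.1"        },
		{ "127.0.0.1",       "10.0.0.1"        },
		{ "10.0.0.2",        "127.0.0.1"       },
		{ "0.0.0.0",         "255.255.255.255" },
		{ "0.0.0.0",         "10.0.0.1"        },
		{ "224.0.0.1",       "10.0.0.1"        },
		{ "10.0.0.2",        "240.0.0.1"       },
		{ "255.255.255.255", "10.0.0.1"        },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-16s -> %-16s : %s\n", cases[i].src, cases[i].dst,
		       verdict_name(classify(cases[i].src, cases[i].dst)));
	return 0;
}
```

Compile with `cc -o martian martian.c` and run; each line prints the branch the fragment would take. Note that the second check accepts a packet to 255.255.255.255 whatever its source, so a spoofed 127/8 source reaching a limited-broadcast destination is still caught only by the first test, which runs before it.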