Re: 127.0.0.0/8 addresses from the network
In message <20010310155844.A28017@westend.com>, Christian Hammers writes:
>Hello
>
>> >"is debian protected before connecting from remote hosts to address
>> >127.0.0.0/8 ?"
>
>On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
>> Ummm, the kernel and every router and switch on the market will drop
>> 127.0.0.0/8 packets when they see them, unless they're on the lo interface.
>No. On many routers you have to specify *explicit* spoofing filters.
>AFAIK even on CISCO routers.
Really? That's interesting. Does it ship with sensible defaults at the
least?
>> * Check for bad requests for 127.x.x.x and requests for multicast
>> * addresses. If this is one such, delete it.
>This seems irrelevant to me. As the attacker has per definition on the same
>network (else 127/8 IP would have to get routed) he could make an ARP request
>for the MAC on the victim's real IP and then send spoofed packets with the
>127/8 as target IP and the just fetched MAC address for layer#2 transport.
>
>This would exploit the discussed "hole" without needing ARP requests at all.
True enough. Time to go back in the kernel...
Here it is. From route.c:1134
        if (MULTICAST(saddr) || BADCLASS(saddr) || LOOPBACK(saddr))
                goto martian_source;

        if (daddr == 0xFFFFFFFF || (saddr == 0 && daddr == 0))
                goto brd_input;

        /* Accept zero addresses only to limited broadcast;
         * I even do not know to fix it or not. Waiting for complains :-)
         */
        if (ZERONET(saddr))
                goto martian_source;

        if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
                goto martian_destination;
This is part of the routing check for incoming packets. It should take
care of the problem being discussed. :)
(I haven't tested this section of the code, but it should prevent that kind
of attack, I think)
--
Ted Cabeen http://www.pobox.com/~secabeen secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
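The route.c fragment quoted in the reply above, re-implemented in user space as an added example (not code from the thread or from the kernel): the address-class macros are constructed host-byte-order equivalents of the kernel's, and the verdict function follows the same check order, so one can see that a packet with a 127/8 source or destination is classed as "martian" no matter which interface or MAC address it arrived on.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed host-byte-order equivalents of the kernel's address-class
 * tests (the kernel's own macros take network-order addresses). */
#define IS_MULTICAST(a) (((a) & 0xF0000000u) == 0xE0000000u) /* 224.0.0.0/4 */
#define IS_BADCLASS(a)  (((a) & 0xF0000000u) == 0xF0000000u) /* 240.0.0.0/4 */
#define IS_LOOPBACK(a)  (((a) & 0xFF000000u) == 0x7F000000u) /* 127.0.0.0/8 */
#define IS_ZERONET(a)   (((a) & 0xFF000000u) == 0x00000000u) /* 0.0.0.0/8   */

enum verdict { VERDICT_ACCEPT, VERDICT_BRD_INPUT,
               VERDICT_MARTIAN_SOURCE, VERDICT_MARTIAN_DESTINATION };

/* Same check order as the quoted route.c input path. Only the checks shown
 * on the page are modelled; the real function continues with a route lookup. */
enum verdict route_input_verdict(uint32_t saddr, uint32_t daddr)
{
    if (IS_MULTICAST(saddr) || IS_BADCLASS(saddr) || IS_LOOPBACK(saddr))
        return VERDICT_MARTIAN_SOURCE;
    if (daddr == 0xFFFFFFFFu || (saddr == 0 && daddr == 0))
        return VERDICT_BRD_INPUT;              /* limited broadcast */
    if (IS_ZERONET(saddr))
        return VERDICT_MARTIAN_SOURCE;
    if (IS_BADCLASS(daddr) || IS_ZERONET(daddr) || IS_LOOPBACK(daddr))
        return VERDICT_MARTIAN_DESTINATION;
    return VERDICT_ACCEPT;                     /* on to the normal lookup */
}

/* Dotted-quad parser (host byte order) for the constructed samples below. */
uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void)
{
    /* Constructed sample packets as seen on a non-loopback interface. */
    printf("127.0.0.1 -> 10.0.0.1:   %d\n", route_input_verdict(ip4("127.0.0.1"), ip4("10.0.0.1")));
    printf("10.0.0.2  -> 127.0.0.1:  %d\n", route_input_verdict(ip4("10.0.0.2"), ip4("127.0.0.1")));
    printf("10.0.0.2  -> 10.0.0.1:   %d\n", route_input_verdict(ip4("10.0.0.2"), ip4("10.0.0.1")));
    return 0;
}
```

Verdict 2 is martian_source, 3 is martian_destination, 0 is accept; the spoofed-MAC variant described in the thread changes nothing here because layer 2 is never consulted.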