
Re: 127.0.0.0/8 addresses from the network



On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
>         if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
>                 goto martian_destination;
> 
> This is part of the routing check for incoming packets.  It should take
> care of the problem being discussed.  :)
> 
> (I haven't tested this section of the code, but it should prevent that kind
> of attack, I think)

It should, yes; however, see the recent thread on Bugtraq about this
issue.

Also, since log_martians is not enabled by default (unless your distro
does so, and afaict potato at least does not), you will never hear a word
about these packets.  Logging them would be nice.  Even with
log_martians enabled, it doesn't tell you anything about the packet
other than src, dst, and iface.  Further, I'm not sure the martian code
would stop a packet from landing on an "internal" interface other than
loopback (again see the Bugtraq discussion) which is why we should (and
do) filter the destination addresses of incoming packets as well as the
source addresses.

Thanks.
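
An added example, not part of the original message: a shell check for the silent-drop case described above. It reports, per interface, whether martian packets would be logged, relying on the kernel's documented rule that logging is active when either conf/all/log_martians or the interface's own log_martians is set. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit log_martians under a sysctl conf tree (default: the live /proc tree).
# Logging is active on an interface when conf/all/log_martians OR
# conf/<iface>/log_martians is non-zero (kernel ip-sysctl documentation).

read_flag() {
    # Print the flag stored in file $1; treat a missing or empty file as 0.
    value=""
    [ -r "$1" ] && value=$(tr -d ' \n' < "$1")
    printf '%s' "${value:-0}"
}

audit_log_martians() {
    # $1: conf directory. Prints "<iface> logged" or "<iface> silent" for
    # each interface; returns 1 if any interface drops martians silently.
    conf=${1:-/proc/sys/net/ipv4/conf}
    all=$(read_flag "$conf/all/log_martians")
    rc=0
    for dir in "$conf"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" is folded into every result; "default" is only a template.
        case $iface in all|default) continue ;; esac
        own=$(read_flag "$dir/log_martians")
        if [ "$all" != 0 ] || [ "$own" != 0 ]; then
            echo "$iface logged"
        else
            echo "$iface silent"
            rc=1
        fi
    done
    return $rc
}

make_sample_tree() {
    # Constructed sample data: only eth0 has logging switched on.
    root=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$root/$i"
        echo 0 > "$root/$i/log_martians"
    done
    echo 1 > "$root/eth0/log_martians"
    echo "$root"
}

sample=$(make_sample_tree)
audit_log_martians "$sample" || echo "some interfaces drop martians silently"
rm -rf "$sample"
```

Called with no argument, audit_log_martians reads the running system's /proc/sys/net/ipv4/conf instead of the sample tree.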