ICMP Attacks???????

Greg A. Woods woods at most.weird.com
Sat Aug 23 01:11:35 UTC 1997


[ On Fri, August 22, 1997 at 12:39:52 (-0500), Jon Green wrote: ]
> Subject: Re: ICMP Attacks??????? 
>
> That being said, we *could* have a configuration option that makes
> a router check its routing table to make sure a packet coming in an
> interface has a route back out that same interface.  This should
> not be a default option, though, since there are often two paths
> to a destination and the routing table may not match where the packet
> came from.  That's not the best English, but you get it..

I was thinking more of the case of local networks (i.e. from the
ethernet interfaces), esp. since for small LAN segments the "edge"
router would probably have a default route out a WAN interface, even in
a corporate network and as such the anti-spoofing rules are (at least in
my mind) rather trivial to figure out and implement.

Darren Reed's ip-filter package even comes with a little perl script
that attempts to write anti-spoof rules given a list of interfaces and
their networks.  It didn't work perfectly in all the situations I've
tried it, but it seemed as if it should be fixable.  The output of that
script, including rules to block the RFC-1918 private nets as
appropriate, for a 5-ethernet box is about 80 lines of ip-filter rules.
Having a single configuration switch that turned these all on
automatically would certainly help out a lot of the network admins I know
who don't have the luxury of using ip-filter on their routers.  ;-)

That reminds me -- does anyone know of any semi-professional (but
freeware) tools that might be used to actually test anti-spoof rules by
injecting spoofed packets?  Does/can SATAN do this test?  I'd like to
find some code I'd have a chance of trusting more than the average
cracker tool -- i.e. something designed for testing, not abuse. 

-- 
							Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
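The interface-based anti-spoof rules and the routing-table (reverse-path) check discussed above, as an added example in Python. This is not the ip-filter perl script Greg mentions; the interface names, networks and routes are constructed sample values, and the rule syntax is modelled on ipf's `block in quick on ...` form.

```python
"""Strict reverse-path check plus ip-filter-style anti-spoof rule generation.

Added example, not the ip-filter package's own script.  All interfaces,
networks and routes below are constructed sample values for a small edge
router with a default route out its WAN interface.
"""
import ipaddress

# Constructed sample: two LAN segments plus a WAN link carrying the default route.
INTERFACES = {
    "le0": ["192.0.2.0/24"],       # LAN segment A
    "le1": ["198.51.100.0/24"],    # LAN segment B
    "ppp0": [],                    # WAN: no locally attached network
}
ROUTES = [("192.0.2.0/24", "le0"), ("198.51.100.0/24", "le1"), ("0.0.0.0/0", "ppp0")]

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def lookup(routes, src):
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_rpf_ok(routes, iface_in, src):
    """The check Jon describes: accept only if the route back to src leaves via iface_in."""
    return lookup(routes, src) == iface_in


def anti_spoof_rules(interfaces, private_nets=RFC1918):
    """Emit ipf-style rules: drop private nets everywhere; on each LAN interface pass
    only its own attached nets as source; on the WAN never accept our LAN nets as source."""
    rules = []
    local_nets = [n for nets in interfaces.values() for n in nets]
    for iface, nets in interfaces.items():
        for p in private_nets:
            rules.append(f"block in quick on {iface} from {p} to any")
        if nets:  # LAN side: only the attached networks may appear as source
            for n in nets:
                rules.append(f"pass in quick on {iface} from {n} to any")
            rules.append(f"block in quick on {iface} from any to any")
        else:     # WAN side: packets claiming a local source are spoofed
            for lan in local_nets:
                rules.append(f"block in quick on {iface} from {lan} to any")
    return rules
```

With a default route on the WAN side the strict check degenerates to "LAN sources only on LAN interfaces, never on the WAN", which is exactly why the rule set for such a box is short.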
