Land and Cisco question

Greg A. Woods woods at
Tue Nov 25 01:49:25 UTC 1997

[ On Mon, November 24, 1997 at 19:38:49 (-0500), Dean Anderson wrote: ]
> Subject: Re: Land and Cisco question
> At 4:54 AM -0500 11/23/97, Alan Barrett wrote:
> >Randy Bush said:
> >> for each interface on a router
> >>   block tcp which is both to and from that interface
> >
> >I don't think that's sufficient.  What about spoofed packets arriving via
> >interface A, with IP source and destination both set to the address of
> >interface B?
> In this case the packets must eventually be transmitted via interface B and
> Interface B transmit rules should take care of that.

There is already a modified version of the "land" attack that may make
protection of vulnerable gear by it's own interface filters a bit tricky.

It involves sending multiple spoofed SYN attacks in quick succession to
more than one interface on the device and in such a configuration that
there are pairs which point at each other.  Supposedly this variant of
the attack has been successful (or at least analysis showed it would be
successful) against some versions of 4.4BSD TCP/IP.

Indeed it still should be possible to write correct filters for all
interfaces to protect against this variant of the attack, but without
algorithmic help in defining them the problem may become too complex for
the average human to solve without error.  I think the "mkfilters" perl
script included with ipfilter does a fairly decent job of writing such
rules, though the one time I've had occasion to use it on a small core
router with a mere six interfaces I still had so spend some time fixing
its output up because it didn't handle subnet netmasks very well.

							Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods at>      <robohack!woods>
Planix, Inc. <woods at>; Secrets of the Weird <woods at>

More information about the NANOG mailing list