Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE

From: Daniel O'Callaghan (dannyat_private)
Date: Thu Nov 20 1997 - 17:49:05 PST


On Thu, 20 Nov 1997, Robert Watson wrote:

> Adding a rule for the interface denying packets from oneself appears to
> defend against the new attack.
>
> This rule worked:
> 03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0
> Where 128.2.91.57 is the host's IP address on device ed0.
>
> Adding this to rc.firewall on FreeBSD is also a good idea.  Multi-homed
> hosts require one entry per device, needless to say.

With terminal servers which have IP addresses which move from interface
to interface, the following rules are more generic:

----------------------------------------------
#!/bin/sh

# Loopback traffic must be accepted before the deny rules below,
# otherwise 127.0.0.1 talking to itself is blocked too.
/sbin/ipfw add 1 allow ip from any to any via lo0
# Drop (and log) any inbound packet that claims one of our own
# addresses as its source, whatever interface it arrives on.
for ip in 127.0.0.1 192.2.3.4 192.2.3.6 192.7.8.9
do
    /sbin/ipfw add 2 deny log ip from $ip to any in
done
-----------------------------------------------

The above will prevent all self-spoofing attacks.  The posted (and
merged) fix in tcp_input.c will not prevent attacks where packets are
formed to go from one interface to another on a multi-homed machine.
I have not verified that the multi-homed attack works, but my guess is
that it would.

Sigh.  I had made a start on reducing vulnerability to this sort of thing
in rc.firewall, but I had only got as far as 127.0.0.0/8 and had to get
back to money-earning work.  Looks like I should finish the job.

Danny
    
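The same "deny my own addresses inbound" rules as in Danny's script, but built from the host's actual interface list so a multi-homed box or one whose addresses move between interfaces needs no hand-maintained address list. This is an added example, not code from the original post; the ifconfig output and addresses below are constructed, and the ipfw syntax is the one used in the post.

```shell
#!/bin/sh
# Added example: generate self-spoof deny rules from `ifconfig -a` output.
# Assumes FreeBSD-style ifconfig lines of the form "inet A.B.C.D netmask ...".

# Extract every IPv4 address from ifconfig-style text on stdin, one per line.
own_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# Print the ipfw commands (does not run them): loopback is allowed first,
# then any inbound packet claiming one of our addresses as source is
# denied and logged, on whichever interface it arrives.
gen_rules() {
    echo "/sbin/ipfw add 1 allow ip from any to any via lo0"
    own_addrs | while read -r ip; do
        echo "/sbin/ipfw add 2 deny log ip from $ip to any in"
    done
}

# Constructed sample output of `ifconfig -a` for a two-NIC host (not real).
SAMPLE='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.2.3.4 netmask 0xffffff00 broadcast 192.2.3.255
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.7.8.9 netmask 0xffffff00 broadcast 192.7.8.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Rules for the constructed sample; on a live host use: ifconfig -a | gen_rules | sh
sample_rules() {
    printf '%s\n' "$SAMPLE" | gen_rules
}
```

Because the rules are generated at boot from whatever addresses are currently configured, a new alias or a moved address is covered the next time the script runs.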