[ On Mon, November 24, 1997 at 19:38:49 (-0500), Dean Anderson wrote: ]
Subject: Re: Land and Cisco question
At 4:54 AM -0500 11/23/97, Alan Barrett wrote:
Randy Bush said:
for each interface on a router block tcp which is both to and from that interface
I don't think that's sufficient. What about spoofed packets arriving via interface A, with IP source and destination both set to the address of interface B?
In this case the packets must eventually be transmitted via interface B and Interface B transmit rules should take care of that.
There is already a modified version of the "land" attack that may make protection of vulnerable gear by its own interface filters a bit tricky. It involves sending multiple spoofed SYN attacks in quick succession to more than one interface on the device and in such a configuration that there are pairs which point at each other. Supposedly this variant of the attack has been successful (or at least analysis showed it would be successful) against some versions of 4.4BSD TCP/IP.

Indeed it still should be possible to write correct filters for all interfaces to protect against this variant of the attack, but without algorithmic help in defining them the problem may become too complex for the average human to solve without error. I think the "mkfilters" perl script included with ipfilter does a fairly decent job of writing such rules, though the one time I've had occasion to use it on a small core router with a mere six interfaces I still had to spend some time fixing its output up because it didn't handle subnet netmasks very well.

-- 
Greg A. Woods
+1 416 443-1734 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
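The filter question debated above, as an added example that is not part of the original thread: a small Python model of a router with three interfaces (constructed addresses from the documentation ranges) that compares the per-interface rule "block what is both to and from that interface" against a rule that drops any inbound packet claiming one of the router's own addresses as its source, and emits one rule line per (interface, own address) pair in the way a generator like mkfilters would. The rule-text format is only an approximation of ipfilter syntax and is an assumption, not mkfilters' actual output.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Address

@dataclass(frozen=True)
class Packet:
    ingress: str          # name of the interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address

# Constructed router: three interfaces with addresses from RFC 5737 ranges.
ROUTER = {i.name: i for i in (
    Interface("le0", IPv4Address("192.0.2.1")),
    Interface("le1", IPv4Address("198.51.100.1")),
    Interface("le2", IPv4Address("203.0.113.1")),
)}

def per_interface_blocks(pkt, router=ROUTER):
    """Rule as first proposed: on each interface, drop a packet that is both
    to and from that same interface's own address."""
    own = router[pkt.ingress].address
    return pkt.src == own and pkt.dst == own

def any_own_source_blocks(pkt, router=ROUTER):
    """Stricter rule: nothing arriving on any interface may carry one of the
    router's own addresses as its source, whichever interface it targets.
    This also covers the cross-interface and paired-interface cases."""
    return pkt.src in {i.address for i in router.values()}

def render_rules(router=ROUTER):
    """Emit one ipfilter-style 'block in quick' line per (interface, own
    address) pair; the syntax is an approximation, assumed for illustration."""
    own = sorted(i.address for i in router.values())
    return [f"block in quick on {i.name} from {a}/32 to any"
            for i in router.values() for a in own]

def classify(pkt, router=ROUTER):
    """Return (blocked by per-interface rule, blocked by any-own-source rule)."""
    return (per_interface_blocks(pkt, router), any_own_source_blocks(pkt, router))
```

Packets arriving on le0 with source and destination set to le1's address pass the per-interface rule but not the stricter one; legitimate traffic from a neighbour to le0 passes both.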