[ On Fri, August 22, 1997 at 12:39:52 (-0500), Jon Green wrote: ]
Subject: Re: ICMP Attacks???????
> That being said, we *could* have a configuration option that makes a router check its routing table to make sure a packet coming in an interface has a route back out that same interface. This should not be a default option, though, since there are often two paths to a destination and the routing table may not match where the packet came from. That's not the best English, but you get it..
I was thinking more of the case of local networks (i.e. from the ethernet interfaces), esp. since for small LAN segments the "edge" router would probably have a default route out a WAN interface, even in a corporate network, and as such the anti-spoofing rules are (at least in my mind) rather trivial to figure out and implement.

Darren Reed's ip-filter package even comes with a little perl script that attempts to write anti-spoof rules given a list of interfaces and their networks. It didn't work perfectly in all the situations I've tried it, but it seemed as if it should be fixable. The output of that script, including rules to block the RFC-1918 private nets as appropriate, for a 5-ethernet box is about 80 lines of ip-filter rules. Having a single configuration switch that turned these all on automatically would certainly help out a lot of the network admins I know who don't have the luxury of using ip-filter on their routers. ;-)

That reminds me -- does anyone know of any semi-professional (but freeware) tools that might be used to actually test anti-spoof rules by injecting spoofed packets? Does/can SATAN do this test? I'd like to find some code I'd have a chance of trusting more than the average cracker tool -- i.e. something designed for testing, not abuse.

-- 
Greg A. Woods
+1 416 443-1734 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
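The two ideas above (a per-interface "does this source belong on this wire" check, and a script that writes the anti-spoof rules from a list of interfaces and their networks) fit in a few dozen lines. What follows is an added example, not Darren Reed's perl script and not code from the thread: it builds an ordered anti-spoof policy for a box with several ethernet segments and one WAN interface carrying the default route, renders it in the basic `block in quick on <if> from <net> to any` form of ipf.conf (check the exact syntax against the ipf(5) man page for your version), and then evaluates constructed probe packets against it with ipf's first-match "quick" semantics, which is the check the spoof-injection tester asked about would be exercising. The interface names, the networks, and the probe packets are all made up for the example.

```python
"""Generate ip-filter style anti-spoof rules from an interface list and
evaluate probe packets against them (first matching 'quick' rule wins).
Added example; the topology below is constructed, not from the thread."""
import ipaddress

# Constructed topology: three ethernet segments plus a WAN link that
# carries the default route. Values are the networks attached to each interface.
INTERFACES = {
    "le0": ["10.1.1.0/24"],
    "le1": ["10.1.2.0/24"],
    "le2": ["192.0.2.0/24"],
    "wan0": ["198.51.100.0/30"],
}
WAN = "wan0"  # interface the default route points out of (assumption)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_policy(interfaces, wan):
    """Return an ordered list of (action, iface, source_net) rules.

    Ethernet interfaces: only sources on the attached networks may enter,
    everything else is blocked (a strict reverse-path check for a stub segment).
    WAN interface: block loopback, the RFC 1918 nets, and any internal network
    not already covered by an RFC 1918 block; anything else is left alone,
    since a default route means the source could legitimately be anywhere."""
    nets = {name: [ipaddress.ip_network(n) for n in ns]
            for name, ns in interfaces.items()}
    policy = []
    for name, own in nets.items():
        policy.append(("block", name, LOOPBACK))  # 127/8 never arrives on a wire
        if name == wan:
            for n in RFC1918:
                policy.append(("block", name, n))
            for other, other_nets in nets.items():
                if other == name:
                    continue
                for n in other_nets:
                    if not any(n.subnet_of(p) for p in RFC1918):
                        policy.append(("block", name, n))
        else:
            for n in own:
                policy.append(("pass", name, n))
            policy.append(("block", name, ANY))
    return policy


def render_ipf(policy):
    """Render the policy as ipf.conf lines (basic syntax; verify against ipf(5))."""
    lines = []
    for action, iface, net in policy:
        log = " log" if action == "block" else ""
        src = "any" if net == ANY else str(net)
        lines.append(f"{action} in{log} quick on {iface} from {src} to any")
    return lines


def evaluate(policy, iface, src):
    """Decide a packet's fate: first rule matching (iface, source) wins,
    as with 'quick' rules in ipf; no match falls through to ipf's default pass."""
    addr = ipaddress.ip_address(src)
    for action, rule_iface, net in policy:
        if rule_iface == iface and addr in net:
            return action
    return "pass"


# Constructed probe packets of the kind a spoof-injection tester would send:
# (ingress interface, claimed source address).
PROBES = [
    ("le0", "10.1.1.5"),       # genuine host on le0's segment
    ("le0", "10.1.2.5"),       # le1's address space arriving on le0: spoofed
    ("le1", "192.0.2.9"),      # le2's address space arriving on le1: spoofed
    ("le0", "127.0.0.1"),      # loopback source on the wire
    ("wan0", "10.1.1.5"),      # RFC 1918 source from the outside
    ("wan0", "192.0.2.9"),     # our own public segment arriving from outside
    ("wan0", "198.51.100.2"),  # the WAN peer itself
    ("wan0", "203.0.113.7"),   # ordinary Internet source
]


def run_probes(policy, probes=PROBES):
    """Map each probe to the verdict the policy gives it."""
    return {(iface, src): evaluate(policy, iface, src) for iface, src in probes}


if __name__ == "__main__":
    pol = build_policy(INTERFACES, WAN)
    print("\n".join(render_ipf(pol)))
    for (iface, src), verdict in run_probes(pol).items():
        print(f"{iface:5} {src:15} -> {verdict}")
```

Two things to notice when adapting this to a real box: the ethernet side is only correct for stub segments (if another router sits behind `le1`, its downstream networks must be listed for that interface or legitimate traffic is dropped, which is exactly the "two paths" caveat raised above), and the rule order matters because `quick` stops at the first match, so the `pass` lines for an interface's own networks must precede its catch-all `block`.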