Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: binding to specific interfaces
From: Zachary Roger Amsden <amsden+ @ andrew . cmu . edu>
Date: Wed, 31 Jul 1996 20:49:01 -0400 (EDT)
To: lists @ lina . inka . de, gunni @ if . is
Cc: gaarder @ actech . com, firewalls @ greatcircle . com
In-reply-to: <199607311009 . KAA15400 @ linda . if . is>
References: <199607311009 . KAA15400 @ linda . if . is>

Excerpts from mail: 31-Jul-96 Re: How secure is xinetd's .. by gunni @ if . is
> Let's say that we've two interfaces, 130.x.x.x and 192.x.x.x on a 
> linux firewall, someone sends a packet addressed to interface 192 and the 
> machine accepts it then it should reply on network 192 not 130? Am I 
> right? If so, isn't that correct that the "tester/attacker" can't get 
> access to any services running on Interface 192? Only Denial of service 
> attack comes to my mind.

First, I would like to apologize for posting incorrect information here
the other day.  I mistakenly concluded that Linux was not vulnerable
because of my ping tests.

While it is true the attacker can't "access" services, they can send
incoming data to any listening services.  The responses will not go back
to the attacker, but it is still possible to attack protocols that do
not require the server to send back responses (I can't think of any
offhand, but I'm sure there are some), and to attack protocols that
return predictable responses.  

My guess is that TCP services are not attackable via this mechanism,
because the initial TCP three-way handshake will fail.  It might be
possible to get around this by IP spoofing as an IP address of a real
machine inside the internal network, but only if the attack is timed
properly and the TCP sequence numbers are guessable.  This would be a
highly improbable attack.  If this attack was combined with an ICMP
redirect type attack, it could probably be successful.  This is a good
reason to block ICMP redirects.

ICMP, UDP and other protocols would still be vulnerable to spoofing via
this type of attack.  Because of this, I will probably be writing a
patch to the net code for Linux.  Supposedly, it is not too difficult to
make this patch on BSD based TCP/IP implementations (if anyone wants to
beat me to it, the code is in ip_input.c).  If you want additional
protection, you can hack icmp.c to block out all ICMP redirects (VERY
easy to do).

If you run a Linux system, look for a patch in about a week, along with
some other security related patches:
  kernel ICMP redirect blocking
  kernel ICMP echo blocking (to prevent ping bombing)
  TIS FWTK interface detection patch to prevent spoofing
  patch to TIS FWTK smap daemon to perform ident lookup on e-mail
  patch to CERN W3C httpd daemon to fix minor umask problem

* \   The mad patcher
0 /    with a bad case of tonsillitis

Zach Amsden
amsden @ andrew . cmu . edu
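The message above argues that an interface-bound service is still reachable by packets that arrive on the external interface but are addressed to the internal interface, that the replies leak into the internal network, and that the fix belongs in the kernel's input path (together with dropping ICMP redirects). The following is an added illustration of that ingress check as a small user-space filter; it is not the patch the author announces and not code from the Great Circle archive. The interface names, addresses, and packet records are constructed for the example.

```python
"""Ingress anti-spoofing filter in the spirit of the kernel patch discussed
above.  Three rules, evaluated in order:

  1. ICMP redirects are dropped on every interface.
  2. A packet whose source address belongs to the network behind some
     *other* interface is dropped (reverse-path check against spoofing).
  3. A packet arriving on the external interface must not be addressed to
     an internal-only interface's address; that is the case the thread is
     about (the service binds to the 192 address, but the packet arrived
     on the 130 side).

Added example, not part of the original post; all names and addresses
below are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed interface table: address of each interface, the network that
# lives behind it, and whether it faces the outside world.
INTERFACES = {
    "eth0": {
        "addr": ipaddress.ip_address("130.0.0.1"),
        "net": ipaddress.ip_network("130.0.0.0/8"),
        "external": True,
    },
    "eth1": {
        "addr": ipaddress.ip_address("192.168.1.1"),
        "net": ipaddress.ip_network("192.168.0.0/16"),
        "external": False,
    },
}

ICMP_REDIRECT = 5  # ICMP type 5 = Redirect


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    icmp_type: int = -1 # ICMP type, or -1 when not ICMP


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one inbound packet."""
    inbound = INTERFACES[pkt.iface]
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1: never honour ICMP redirects, whichever side they come from.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return ("drop", "icmp-redirect")

    # Rule 2: the source must not claim to be inside a network that sits
    # behind a different interface than the one it arrived on.
    for name, info in INTERFACES.items():
        if name != pkt.iface and src in info["net"]:
            return ("drop", f"spoofed-source:{name}")

    # Rule 3: traffic from outside must not target an internal interface
    # address, even though the host owns that address and would otherwise
    # accept the packet and answer on the internal side.
    if inbound["external"]:
        for name, info in INTERFACES.items():
            if not info["external"] and dst == info["addr"]:
                return ("drop", f"internal-address-via-external:{name}")

    return ("accept", "ok")


def run_demo() -> List[Tuple[str, str]]:
    """Run a constructed sample of packets through the filter."""
    samples = [
        # outside host aims a UDP datagram at the internal interface address
        Packet("eth0", "10.1.1.1", "192.168.1.1", "udp"),
        # outside host forges an internal source address
        Packet("eth0", "192.168.5.5", "130.0.0.1", "tcp"),
        # ordinary internal host talking outward through the firewall
        Packet("eth1", "192.168.1.7", "10.1.1.1", "tcp"),
        # ICMP redirect from outside
        Packet("eth0", "10.1.1.1", "130.0.0.1", "icmp", ICMP_REDIRECT),
        # plain echo request to the external address is left to policy
        Packet("eth0", "10.1.1.1", "130.0.0.1", "icmp", 8),
    ]
    return [filter_packet(p) for p in samples]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

Rule 3 is the interesting one for this thread: the host legitimately owns 192.168.1.1, so a plain "is this one of my addresses" test accepts the packet; only pairing the destination with the arrival interface catches it. Rule 2 is the reverse-path check that also defeats the spoofed-internal-source variant the author describes for TCP.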


