ICMP Attacks???????

Well, I wasn't quite thinking here. The original post had said
something about making a router check to see if a packet came from
a locally configured interface, which I said would not be a good
idea. Obviously, though, for non-local networks the router would have
a route table entry to get back to it, even if it jumps through
three other routers.

That being said, we *could* have a configuration option that makes
a router check its routing table to make sure a packet coming in an
interface has a route back out that same interface. This should
not be a default option, though, since there are often two paths
to a destination and the routing table may not match where the packet
came from. That's not the best English, but you get it...

What would doubling the number of route table lookups do from a
performance standpoint? Since I would envision this as an edge-router
type thing, I would assume the impact would not be that great.

-Jon
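The check proposed in this message, written out as an added example (not code from the original post): the router looks up the packet's *source* address in its routing table and accepts the packet only if the best route back to that source leaves through the interface the packet arrived on. The routing table, addresses and interface names below are constructed sample data. A loose variant (any route to the source exists, whichever interface it points at) is included to show how the asymmetric two-path case behaves under each.

```python
"""Reverse-path check of a packet's source against a routing table.

Added illustration, not code from the original message.  The routing
table and addresses are constructed sample data; interface names are
hypothetical.
"""
import ipaddress
from typing import List, Tuple

# (prefix, outgoing interface).  Constructed edge-router table: two LAN
# segments, a default route out the WAN link, and one remote site that our
# table reaches over serial0 but which may legitimately send to us over a
# second WAN link, serial1 (the two-paths case from the message).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0",       "serial0"),
    ("192.0.2.0/24",    "eth0"),
    ("198.51.100.0/24", "eth1"),
    ("203.0.113.0/24",  "serial0"),
]


def lookup(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> List[str]:
    """Longest-prefix match: interfaces of the most specific route(s) to dst.

    Equal-cost entries share the winning prefix, so a list is returned.
    """
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            best.append(iface)
    return best


def strict_rpf(src: str, in_iface: str,
               routes: List[Tuple[str, str]] = ROUTES) -> bool:
    """Accept only if in_iface is one of the best routes back to src.

    This is the second route-table lookup per packet that the message asks
    about: the same lookup as forwarding, run on the source address.
    """
    return in_iface in lookup(src, routes)


def loose_rpf(src: str, routes: List[Tuple[str, str]] = ROUTES,
              ignore_default: bool = True) -> bool:
    """Accept if *any* route to src exists, regardless of interface.

    With ignore_default the 0.0.0.0/0 entry is not counted; otherwise every
    source address would match and the check could never fail.
    """
    usable = [(p, i) for p, i in routes
              if not (ignore_default and ipaddress.ip_network(p).prefixlen == 0)]
    return bool(lookup(src, usable))


if __name__ == "__main__":
    # A LAN host's address arriving on the WAN link is a spoof: dropped.
    print(strict_rpf("192.0.2.10", "serial0"))    # False
    # Asymmetric case: the remote site reaches us via serial1 while our
    # table points at serial0.  Strict drops it, loose does not.
    print(strict_rpf("203.0.113.5", "serial1"))   # False
    print(loose_rpf("203.0.113.5"))               # True
```

Two things fall out of running it. First, the strict check is only meaningful where the routing table is specific: on the interface that carries the default route, every source address matches 0.0.0.0/0, so a strict check there accepts anything (strict_rpf("10.0.0.1", "serial0") is True). Second, the asymmetric route really does produce a false drop under the strict check, which is why the loose variant exists.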

[ On Fri, August 22, 1997 at 12:39:52 (-0500), Jon Green wrote: ]

Subject: Re: ICMP Attacks???

> That being said, we *could* have a configuration option that makes
> a router check its routing table to make sure a packet coming in an
> interface has a route back out that same interface. This should
> not be a default option, though, since there are often two paths
> to a destination and the routing table may not match where the packet
> came from. That's not the best English, but you get it...

I was thinking more of the case of local networks (i.e. from the
ethernet interfaces), esp. since for small LAN segments the "edge"
router would probably have a default route out a WAN interface, even in
a corporate network and as such the anti-spoofing rules are (at least in
my mind) rather trivial to figure out and implement.

Darren Reed's ip-filter package even comes with a little perl script
that attempts to write anti-spoof rules given a list of interfaces and
their networks. It didn't work perfectly in all the situations I've
tried it, but it seemed as if it should be fixable. The output of that
script, including rules to block the RFC-1918 private nets as
appropriate, for a 5-ethernet box is about 80 lines of ip-filter rules.
Having a single configuration switch that turned these all on
automatically would certainly help out a lot of the network admins I know
who don't have the luxury of using ip-filter on their routers. :wink:

That reminds me -- does anyone know of any semi-professional (but
freeware) tools that might be used to actually test anti-spoof rules by
injecting spoofed packets? Does/can SATAN do this test? I'd like to
find some code I'd have a chance of trusting more than the average
cracker tool -- i.e. something designed for testing, not abuse.
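The rule generation described in the reply above (LAN interfaces with their attached networks, a default route out one WAN interface, RFC 1918 blocks on the outside), as an added example. This is not the perl script that ships with ip-filter and not code from the original message; it emits rules in a simplified subset of ip-filter's "block in quick on <if> from <net> to any" syntax, which is assumed here rather than taken from the page, and it includes a small first-match evaluator so the generated set can be checked against sample packets. Interface names and networks are constructed.

```python
"""Generate and evaluate anti-spoof ingress rules from an interface list.

Added example, not ip-filter's own script.  The rule syntax is an assumed
subset of ipf's; check the real manual before feeding the output to ipf.
"""
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample box: two ethernet segments and one WAN link that
# carries the default route.
LAN: Dict[str, str] = {"eth0": "192.0.2.0/24", "eth1": "198.51.100.0/24"}
WAN = "serial0"

# (action, interface, negate, prefix): apply action to packets arriving on
# interface whose source is inside prefix (or outside it, if negate).
Rule = Tuple[str, str, bool, str]


def antispoof_rules(lan: Dict[str, str], wan: str,
                    private: List[str] = RFC1918) -> List[Rule]:
    rules: List[Rule] = []
    for iface, prefix in lan.items():
        # On a LAN port the attached network is the only valid source.
        rules.append(("block", iface, True, prefix))
    for prefix in list(lan.values()) + list(private):
        # On the WAN port nobody may claim one of our nets or a private net.
        rules.append(("block", wan, False, prefix))
    return rules


def render(rules: List[Rule]) -> List[str]:
    """Text form of the rule set; "quick" means first match wins."""
    lines = []
    for action, iface, negate, prefix in rules:
        src = ("! " if negate else "") + prefix
        lines.append(f"{action} in quick on {iface} from {src} to any")
    lines.append("pass in all")
    return lines


def decide(rules: List[Rule], iface: str, src: str) -> str:
    """First-match evaluation of a packet (arrival interface, source IP)."""
    addr = ipaddress.ip_address(src)
    for action, rif, negate, prefix in rules:
        if rif != iface:
            continue
        inside = addr in ipaddress.ip_network(prefix)
        if inside != negate:
            return action
    return "pass"


if __name__ == "__main__":
    rs = antispoof_rules(LAN, WAN)
    print("\n".join(render(rs)))
    print(decide(rs, "serial0", "192.0.2.10"))   # block: our own net from outside
    print(decide(rs, "eth0", "198.51.100.7"))    # block: wrong LAN port
    print(decide(rs, "serial0", "203.0.113.5"))  # pass: ordinary outside source
```

The rules are static, so they must be regenerated whenever a network is added or an interface is renumbered; that is the case where a single configuration switch on the router would be preferable to a generated file. A LAN that itself uses an RFC 1918 block still works: its own port allows it, and the WAN port blocks the enclosing private range, which is the right answer for traffic claiming that source from outside.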