Destination addressing ...

Destination addressing ...

Post by Luke Voge » Sun, 11 Feb 2001 15:32:10



There was a message in this forum a short while ago that suggested that
it would be appropriate to ensure that you only accept packets that are
actually addressed to you.

And the author suggested a rule to accommodate same:
ipchains -A input -i ppp0 -d ! YourIpAddr/32 -j DENY -l

Whilst I understand the meaning, is it _ever_ possible that an interface
would ever receive packets that were not addressed to it?

By my thinking, an exploit that took advantage of this would have to do
some serious munging of the routers in between to get them through to
you.

comments please?
--
Regards
Luke
----
Those who cannot remember the past are condemned to repeat it.
George Santayana (1863 - 1952), The Life of Reason, Volume 1, 1905
----
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

----

 
 
 

Destination addressing ...

Post by Manfred Bart » Sun, 11 Feb 2001 17:51:01



> There was a message in this forum a short while ago that suggested that
> it would be appropriate to ensure that you only accept packets that are
> actually addressed to you.

> And the author suggested a rule to accommodate same:
> ipchains -A input -i ppp0 -d ! YourIpAddr/32 -j DENY -l

> Whilst I understand the meaning, is it _ever_ possible that an interface
> would ever receive packets that were not addressed to it?

What goes into your box depends not so much on *your* interface but
on what your ISP allows to go to it.  With some ISPs it is apparently
quite common to have traffic destined for other customers appear on
your interface.  In my case, I see lots of traffic in the 10.0.0.0/8
range which my ISP uses to control their routers (but it seems to be
encrypted).  If I had used the 10.0.0.0/8 range myself, conflicts might
have arisen.

In any case, your interface at the very least already receives
broadcast and multicast in addition to packets directly addressed
to its IP address.

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Destination addressing ...

Post by Luke Voge » Sun, 11 Feb 2001 19:04:18



> What goes into your box depends not so much on *your* interface but
> on what your ISP allows to go to it.  

Yep, I figured that would probably be the case, but I couldn't see
telstra routing packets for, say, the 195.xxx.xxx.xxx address space to
my box.

> With some ISPs it is apparently
> quite common to have traffic destined for other customers appear on
> your interface.  In my case, I see lots of traffic in the 10.0.0.0/8
> range which my ISP uses to control their routers (but it seems to be
> encrypted).  If I had used the 10.0.0.0/8 range myself, conflicts might
> have arisen.

You're on cable, aren't you?  I actually got a number of icmp packets from
a 10.0.0.0/8 address whilst I was on the net earlier. I actually used
your LogAnalyzer to query the results. :)

> In any case, your interface at the very least already receives
> broadcast and multicast in addition to packets directly addressed
> to its IP address.

Quite possibly, but if I do, they are very rare.

I think I'll drop that rule into the beginning of my rules and see what
happens.

Thanks for your input.

--
Regards
Luke
----
Those who cannot remember the past are condemned to repeat it.
George Santayana (1863 - 1952), The Life of Reason, Volume 1, 1905
----
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

----

 
 
 

Destination addressing ...

Post by Tim Hayne » Sun, 11 Feb 2001 20:48:48


[snip]

> Whilst I understand the meaning, is it _ever_ possible that an interface
> would ever receive packets that were not addressed to it?

Hostname-on-loopback. Kernel 2.2 (and probably 2.4) has this tendency to
say "oh, I'm only talking to my hostname's address, I'll stick it on lo".
Can't say I like it, but it does necessitate
        ipchains -I input -s localhost -d `hostname` -j ACCEPT -b
                                                               ^^nice, that

But you've probably heard me say that before ;)

~Tim
--

(seen during a recent, >y2000, installation) |http://spodzone.org.uk/
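The two points made above, that the suggested `-d ! YourIpAddr/32` rule also throws away broadcast and multicast (Manfred's post), and that a blanket version of it without `-i ppp0` breaks hostname-on-loopback traffic unless Tim's bidirectional accept is inserted ahead of it, are easiest to see by tracing a few packets through a chain. The following is an added example, not code from the thread: a toy model of ipchains `input` chain matching (first matching rule wins, otherwise the chain policy applies). The `-l` logging flag is not modelled, and all addresses and interface names are constructed.

```python
"""Added example, not from the original thread: a toy model of ipchains
'input' chain matching used to trace which packets the suggested rule
    ipchains -A input -i ppp0 -d ! YourIpAddr/32 -j DENY -l
denies, and why a blanket variant without '-i ppp0' needs the
loopback/hostname accept rule in front of it.  Addresses and interface
names are constructed; the -l (log) flag is not modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

MY_IP = IPv4Address("203.0.113.7")       # constructed (TEST-NET-3 range)
LOCALHOST = IPv4Address("127.0.0.1")


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT or DENY
    in_iface: Optional[str] = None       # -i IFACE
    src: Optional[IPv4Network] = None    # -s NET
    dst: Optional[IPv4Network] = None    # -d NET
    dst_negate: bool = False             # -d ! NET
    bidir: bool = False                  # -b: also match with src/dst swapped

    def _match_one(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.in_iface is not None and iface != self.in_iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        # With negation, a destination *inside* the net is the non-match.
        if self.dst is not None and (dst in self.dst) == self.dst_negate:
            return False
        return True

    def matches(self, pkt: Packet) -> bool:
        if self._match_one(pkt.in_iface, pkt.src, pkt.dst):
            return True
        return self.bidir and self._match_one(pkt.in_iface, pkt.dst, pkt.src)


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; fall through to the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def host(addr: IPv4Address) -> IPv4Network:
    return IPv4Network(f"{addr}/32")


# The rule as posted:  -A input -i ppp0 -d ! MY_IP/32 -j DENY
DENY_NOT_MINE_PPP0 = Rule("DENY", in_iface="ppp0", dst=host(MY_IP), dst_negate=True)
# Same idea without -i: applies to every interface, including lo
DENY_NOT_MINE_ANY = Rule("DENY", dst=host(MY_IP), dst_negate=True)
# Tim's rule:  -I input -s localhost -d `hostname` -j ACCEPT -b
LOOPBACK_OK = Rule("ACCEPT", src=host(LOCALHOST), dst=host(MY_IP), bidir=True)

# Constructed sample traffic as seen on the input chain.
SAMPLE = {
    "unicast_to_me":   Packet("ppp0", IPv4Address("198.51.100.9"), MY_IP),
    "other_customer":  Packet("ppp0", IPv4Address("10.1.2.3"), IPv4Address("10.4.5.6")),
    "limited_bcast":   Packet("ppp0", IPv4Address("198.51.100.1"), IPv4Address("255.255.255.255")),
    "multicast":       Packet("ppp0", IPv4Address("198.51.100.1"), IPv4Address("224.0.0.1")),
    # reply leg of a local connection to the hostname's address, routed via lo
    "lo_reply_to_127": Packet("lo", MY_IP, LOCALHOST),
}


def classify(chain: List[Rule]) -> dict:
    """Verdict for every sample packet under the given chain."""
    return {name: verdict(chain, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, chain in [("posted rule", [DENY_NOT_MINE_PPP0]),
                         ("no -i", [DENY_NOT_MINE_ANY]),
                         ("-I loopback first, then no -i", [LOOPBACK_OK, DENY_NOT_MINE_ANY])]:
        print(label, classify(chain))
```

With the rule as posted, the packet for another customer is denied as intended, but so are the limited broadcast and the multicast packet, which is the caveat raised above; the loopback reply survives only because `-i ppp0` keeps the rule off `lo`. Dropping `-i` denies that reply (destination 127.0.0.1 is not your address), and inserting the bidirectional localhost/hostname accept ahead of it restores it.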

 
 
 

Destination addressing ...

Post by Tarek Yousse » Mon, 12 Feb 2001 07:24:22


I have a small question: can broadcasts and multicasts reach a computer
on a dialup connection?
All I know is that somehow the control protocol for the dialup
connection can't handle broadcasts; is that piece of information right?

TIA,
T. Youssef


> > What goes into your box depends not so much on *your* interface but
> > on what your ISP allows to go to it.

> Yep, I figured that would probably be the case, but I couldn't see
> telstra routing packets for, say, the 195.xxx.xxx.xxx address space to
> my box.

> > With some ISPs it is apparently
> > quite common to have traffic destined for other customers appear on
> > your interface.  In my case, I see lots of traffic in the 10.0.0.0/8
> > range which my ISP uses to control their routers (but it seems to be
> > encrypted).  If I had used the 10.0.0.0/8 range myself, conflicts might
> > have arisen.

> You're on cable, aren't you?  I actually got a number of icmp packets from
> a 10.0.0.0/8 address whilst I was on the net earlier. I actually used
> your LogAnalyzer to query the results. :)

> > In any case, your interface at the very least already receives
> > broadcast and multicast in addition to packets directly addressed
> > to its IP address.

> Quite possibly, but if I do, they are very rare.

> I think I'll drop that rule into the beginning of my rules and see what
> happens.

> Thanks for your input.


 
 
 

Destination addressing ...

Post by Non » Mon, 12 Feb 2001 15:49:30




> There was a message in this forum a short while ago that suggested that
> it would be appropriate to ensure that you only accept packets that are
> actually addressed to you.

> And the author suggested a rule to accommodate same:
> ipchains -A input -i ppp0 -d ! YourIpAddr/32 -j DENY -l

> Whilst I understand the meaning, is it _ever_ possible that an interface
> would ever receive packets that were not addressed to it?

Depending on the network type etc. you would receive broadcast packets and,
if on ethernet, then all sorts of * flows around even when switched. I
have monitored our internet connection at work and you see all sorts of
stuff. On my dialup I don't think I have ever seen my spoof-myself rule
triggered; I assume the network is properly set up.
 
 
 

Destination addressing ...

Post by Manfred Bart » Mon, 12 Feb 2001 15:52:48



> I have a small question: can broadcasts and multicasts reach a
> computer on a dialup connection?
> All I know is that somehow the control protocol for the dialup
> connection can't handle broadcasts; is that piece of information
> right?

Hmm, you are probably right that dialup connections would not
receive broadcasts.  PPP or SLIP only supports one host on each
end so broadcast would not make much sense.

But AFAIK, there is no reason why multicast cannot be transmitted
over PPP if the ISP provides that kind of service.  An analog
modem connection wouldn't have sufficient bandwidth for that to
make a lot of sense though, but with PPPoE (PPP over Ethernet)
it becomes quite possible.

I have had a cable modem for over a year now, and some pretty weird
packets have been logged by my firewall in that time.  So, in this
environment it does make sense to have rules which keep out unwanted
traffic.

Cheers
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Destination addressing ...

Post by j.. » Tue, 13 Feb 2001 03:36:34


Of course it will reach, as long as there is a dialup connection that supports
tcp/ip.
http://www.telecoms-mag.com/issues/199904/tcs/miller.html
This paper might help some, or at least shed some light...

> I have a small question: can broadcasts and multicasts reach a computer
> on a dialup connection?
> All I know is that somehow the control protocol for the dialup
> connection can't handle broadcasts; is that piece of information right?

> TIA,
> T. Youssef



> > > What goes into your box depends not so much on *your* interface but
> > > on what your ISP allows to go to it.

> > Yep, I figured that would probably be the case, but I couldn't see
> > telstra routing packets for, say, the 195.xxx.xxx.xxx address space to
> > my box.

> > > With some ISPs it is apparently
> > > quite common to have traffic destined for other customers appear on
> > > your interface.  In my case, I see lots of traffic in the 10.0.0.0/8
> > > range which my ISP uses to control their routers (but it seems to be
> > > encrypted).  If I had used the 10.0.0.0/8 range myself, conflicts might
> > > have arisen.

> > You're on cable, aren't you?  I actually got a number of icmp packets from
> > a 10.0.0.0/8 address whilst I was on the net earlier. I actually used
> > your LogAnalyzer to query the results. :)

> > > In any case, your interface at the very least already receives
> > > broadcast and multicast in addition to packets directly addressed
> > > to its IP address.

> > Quite possibly, but if I do, they are very rare.

> > I think I'll drop that rule into the beginning of my rules and see what
> > happens.

> > Thanks for your input.


 
 
 

1. HELP: Destination address from tcp/ip packet ?

You can use getsockname() to get the destination address of an incoming
connection.  However, I don't think this will help you in your goal.  If
the client connects to your proxy, its destination address must be your
machine's address.  The remote destination doesn't appear anywhere in the
packet.  The only way you're going to see packets destined for other
addresses is by enabling promiscuous mode and grabbing raw packets off the
wire (you can take a look at the source to tcpdump to see how this can be
done).

--

GTE Internetworking, Powered by BBN, Cambridge, MA
Support the anti-spam movement; see <http://www.cauce.org/>
Please don't send technical questions directly to me, post them to newsgroups.
