Can IP / MAC spoofing be blocked ?
Thu, 19 Jul 2001 10:32:54 +0200
I took into account the possibility of a sniffer, which is something that
needs to be done on a LAN,
I have no experience in sniffing MAC addresses of regged IP's (interfaces),
but it shouldn't be too hard.
As for dial-in accounts, the sniffing becomes much harder ... you'd
probably have to spoof yourself as the VPN server (endpoint, point of
which implies DNS spoofing ... and than wait for the VPN client to try and
initiate a connection and steal the MAC address.
There has got to be a way this can be controlled ... how about other
firewalling tools (non Linux for example), I only have experience with
"WinRoute Pro" on non Unix platforms ...
As for "physical security", all servers are behind locked doors,
if someone gets bribed, it has to be me, because I'm the only one with
access to the server rooms, except for the director of the company ... and
it'll take a whole lot of dough to bribe that guy ;-)
By the way,
any opinions on VPN in general ?
I was thinking about setting up a PPTP NT box behind firewall ... and with
the MAC filter, I shouldn't really worry about script kiddies getting
passwords, as for the more experienced hackers ...
maybe I should go for IPSEC, but I don't like this header auth process ...
I'm currently looking into CIPE ... but haven't tested it yet ...
this is seriously getting off topic ...
Schaaf To: Gert.Vandelaer@medisearch-int.com
<firstname.lastname@example.org> cc: email@example.com
Subject: Re: Can IP / MAC spoofing be blocked ?
> Is there a way to check for spoofed MAC addresses via Netfilter
> Or is there some other way this can be accomplished, taking into account
> that when someone spoofs a MAC address, it's probably because he tried IP
> spoofing first, but saw that this failed ...
Not neccessarily. He could have known IP and MAC before the attack,
by bribing an insider, or having a sniffer somewhere. You can probably
learn most interesting things from broadcast ARP requests.
> And when he then spoofs the IP as well as the MAC address, what else can
> filter on ?
If you really care, think hard about the words "physical security", in
the context of just where could a perpetrator inject the malicious packets.
Those are the places you have to protect.
Hmm. Write a netfilter match for checking an external physical alarm line?