Can IP / MAC spoofing be blocked ?
Gert.Vandelaer@medisearch-int.com
Thu, 19 Jul 2001 10:32:54 +0200
Hi Patrick,
I took into account the possibility of a sniffer, which is something that
needs to be done on a LAN,
I have no experience in sniffing MAC addresses of regged IPs (interfaces),
but it shouldn't be too hard.
As for dial-in accounts, the sniffing becomes much harder ... you'd
probably have to spoof yourself as the VPN server (endpoint, point of
authentication),
which implies DNS spoofing ... and then wait for the VPN client to try and
initiate a connection and steal the MAC address.
There has got to be a way this can be controlled ... how about other
firewalling tools (non Linux for example), I only have experience with
"WinRoute Pro" on non Unix platforms ...
As for "physical security", all servers are behind locked doors,
if someone gets bribed, it has to be me, because I'm the only one with
access to the server rooms, except for the director of the company ... and
it'll take a whole lot of dough to bribe that guy ;-)
By the way,
any opinions on VPN in general ?
I was thinking about setting up a PPTP NT box behind firewall ... and with
the MAC filter, I shouldn't really worry about script kiddies getting
passwords, as for the more experienced hackers ...
maybe I should go for IPSEC, but I don't like this header auth process ...
I'm currently looking into CIPE ... but haven't tested it yet ...
Anyway,
this is seriously getting off topic ...
Cya,
Gert
Patrick Schaaf <bof@bof.de>
To: Gert.Vandelaer@medisearch-int.com
cc: netfilter@lists.samba.org
Subject: Re: Can IP / MAC spoofing be blocked ?
18/07/2001 09:06 PM
> Is there a way to check for spoofed MAC addresses via Netfilter
> (iptables)
No.
> Or is there some other way this can be accomplished, taking into account
> that when someone spoofs a MAC address, it's probably because he tried IP
> spoofing first, but saw that this failed ...
Not necessarily. He could have known IP and MAC before the attack,
by bribing an insider, or having a sniffer somewhere. You can probably
learn most interesting things from broadcast ARP requests.
> And when he then spoofs the IP as well as the MAC address, what else can we
> filter on ?
If you really care, think hard about the words "physical security", in
the context of just where could a perpetrator inject the malicious packets.
Those are the places you have to protect.
Hmm. Write a netfilter match for checking an external physical alarm line?
regards
Patrick