iptables spof address problem
danderson at vikus.com
Wed Sep 28 23:13:24 CEST 2005
> Hello everyone
> I have a simple question.
> Let's assume that we have Linux with IP=10.0.0.2 with iptables
> and it is logging all incoming ssh connections. Log file
> contains both IP and MAC addresses of the computers which
> bind to this service.
> Let's assume that we have another PC connected into LAN with
> Attacker with IP = 10.0.0.200 runs:
> hping2 -S --spoof 10.0.0.100 -p 22 --faster 10.0.0.2 -
> which will cause DoS of SSH service on 10.0.0.2
> Netfilter logs all incoming traffic on port 22. It shows
> that connections come from IP 10.0.0.100 and it shows the real
> MAC address of this computer (10.0.0.100) instead of the MAC
> address of the attacker's computer (IP 10.0.0.200).
> So the result is that we think that the real attacker is the computer
> with IP 10.0.0.100
I've never used hping before, but I believe when an IP address is
spoofed correctly this is the expected behavior. Bits are bits.
> Let's assume that the spoofed address is an IP which is not assigned
> in the local network. Netfilter logs incoming traffic but it
> shows MAC address unknown or completely unpredictable
> (Windows shows all 0-ros, Linux 12 bytes long MAC address).
> The result is that we completely don't know who the attacker is,
> cannot track him down even though we have registered MAC addresses
> of all computers in the local network.
MAC addresses are Layer 2. Layer 2 does not route, so at best you see
the MAC address of the router. I'm not sure what you mean by all
"0-ros"... I believe 00:00:00:00:00:00 is the "nothing" MAC address
similar to 0.0.0.0 for IP (generally seen when a computer is requesting
DHCP). ff:ff:ff:ff:ff:ff is used in ARP queries but I don't recall all
0's being used.
> It works like this with FC4, also have this problem on RedHat 3.0.
> How can I make netfilter log the MAC address of the attacker's
> computer, not the one which is resolved by the TCP/IP stack? Is
> it possible?
You can't. Netfilter uses the kernel stack like every other program
(someone correct me if I'm wrong). You could try using ARPWatch to help
you monitor your network but even then I believe a successful MAC/IP
spoof will go unnoticed.
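The practical way to get something out of the situation described in this thread is to stop reading the logged MAC as "the attacker's MAC" and instead compare it against the registered inventory the original poster says exists. The script below is an added example written for this page, not code from the thread or from the netfilter project. It parses the output of the iptables LOG target, whose MAC= field carries the destination MAC, the source MAC and the EtherType back to back (that is the long MAC string the Linux log shows), and then labels every logged SYN as consistent with the inventory, sent from a frame whose source MAC belongs to a different registered host, routed in from off the LAN (frame source MAC is the gateway), or coming from a MAC nobody registered. The log lines, the inventory and the gateway MAC are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG target output (not taken from the thread).
# The MAC= field is 14 bytes: destination MAC, source MAC, then the EtherType.
SAMPLE_LOG = """\
Sep 28 23:10:01 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=10.0.0.100 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=2048 DPT=22 SYN
Sep 28 23:10:01 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=10.0.0.100 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=2049 DPT=22 SYN
Sep 28 23:10:02 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:66:08:00 SRC=10.0.0.50 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=3000 DPT=22 SYN
Sep 28 23:10:03 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.5.9 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=4000 DPT=22 SYN
Sep 28 23:10:04 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:de:ad:be:ef:01:08:00 SRC=10.0.0.77 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=5000 DPT=22 SYN
"""

# Constructed inventory of registered LAN hosts: IP -> NIC MAC (an assumption
# standing in for the "registered MAC addresses" mentioned in the thread).
INVENTORY = {
    "10.0.0.2":   "00:0c:29:aa:bb:cc",
    "10.0.0.50":  "00:11:22:33:44:66",
    "10.0.0.100": "00:11:22:33:44:77",
    "10.0.0.200": "00:11:22:33:44:55",
}
ROUTER_MAC = "00:aa:bb:cc:dd:ee"  # constructed: MAC of the default gateway

LOG_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def split_mac_field(mac_field):
    """Split the 14-byte MAC= field into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return (":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14]))


def parse_line(line):
    """Return the L2/L3 fields of one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = split_mac_field(m.group("mac"))
    if parts is None:
        return None
    dst_mac, src_mac, ethertype = parts
    return {
        "src_ip": m.group("src"), "dst_ip": m.group("dst"), "dpt": int(m.group("dpt")),
        "src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype,
    }


def classify(rec, inventory, router_mac):
    """Label a record by comparing the frame's source MAC with the inventory."""
    mac, ip = rec["src_mac"], rec["src_ip"]
    if mac == router_mac:
        # Off-LAN source: layer 2 only tells us which router forwarded it.
        return "routed"
    if inventory.get(ip) == mac:
        return "consistent"
    owner = next((h for h, m in inventory.items() if m == mac), None)
    if owner is not None:
        # The IP header says one host, but the frame came from another's NIC.
        return f"spoofed-ip:frame-sent-by-{owner}"
    return "unknown-mac"


def analyze(log_text, inventory=INVENTORY, router_mac=ROUTER_MAC):
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["verdict"] = classify(rec, inventory, router_mac)
        results.append(rec)
    return results


def summarize(results):
    """Count lines per (source IP, frame source MAC, verdict) triple."""
    return Counter((r["src_ip"], r["src_mac"], r["verdict"]) for r in results)


if __name__ == "__main__":
    for key, n in summarize(analyze(SAMPLE_LOG)).items():
        print(n, key)
```

Run against real logs by feeding the text of /var/log/messages (or wherever the LOG target writes) to `analyze()` and replacing the constructed inventory with the site's own. The "routed" verdict is the case the reply describes: once a packet has crossed a router, the only layer-2 address left in the frame is the router's, so the inventory check can say nothing about the original sender. The "spoofed-ip" verdict is only as trustworthy as the inventory; a sender that also forges its source MAC falls through to "unknown-mac" or, worse, to "consistent", which is the limitation the reply points out with ARPWatch.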