Re: iptables spof address problem

Derick Anderson wrote:


Responses inline.

> Hello everyone,
>
> I have a simple question.
>
> Let's assume that we have a Linux box with IP=10.0.0.2 running iptables, and it is logging all incoming SSH connections. The log file contains both the IP and MAC addresses of the computers which bind to this service. Let's assume that we have another PC connected to the LAN with IP=10.0.0.100.
>
> An attacker with IP = 10.0.0.200 runs:
> hping2 -S --spoof 10.0.0.100 -p 22 --faster 10.0.0.2
> which will cause a DoS of the SSH service on 10.0.0.2.
>
> Netfilter logs all incoming traffic on port 22. It shows that the connections come from IP 10.0.0.100, and it shows the real MAC address of this computer (10.0.0.100) instead of the MAC address of the attacker's computer (IP 10.0.0.200).
>
> So the result is that we think that the real attacker is the computer with IP 10.0.0.100.

I've never used hping before, but I believe when an IP address is
spoofed correctly this is the expected behavior. Bits are bits.

> Moreover.
>
> Let's assume that the spoofed address is an IP which is not assigned in the local network. Netfilter logs the incoming traffic, but it shows the MAC address as unknown or completely unpredictable (Windows shows all 0-ros, Linux a 12-byte-long MAC address).
>
> The result is that we completely don't know who the attacker is and cannot track him down, even though we have registered the MAC addresses of all computers in the local network.
>
> This is not a question of Layer 2 routing. All computers are in one
> local network in the same subnet, so there is no need to route packets.
> It seems to me that even if data arrives at the NIC of the Linux computer
> with netfilter from a computer with some MAC address, this MAC address is
> unseen by netfilter, because before it is passed to netfilter, the TCP/IP
> stack tries to resolve the MAC by sending an ARP lookup. So finally
> netfilter gets the wrong MAC: not the sender's, but the ARP lookup's.
>
> Tell me if I am wrong.
>
> Regards
>
> PiotrH

MAC addresses are Layer 2. Layer 2 does not route, so at best you see
the MAC address of the router. I'm not sure what you mean by all
"0-ros"... I believe 00:00:00:00:00:00 is the "nothing" MAC address,
similar to 0.0.0.0 for IP (generally seen when a computer is requesting
DHCP). ff:ff:ff:ff:ff:ff is used in ARP queries, but I don't recall all
0's being used.

> It works like this with FC4; I also have this problem on RedHat 3.0.
>
> How can I make netfilter log the MAC address of the attacker's computer, not the one which is resolved by the TCP/IP stack? Is it possible?
>
> Regards
>
> PiotrH

You can't. Netfilter uses the kernel stack like every other program
(someone correct me if I'm wrong). You could try using ARPWatch to help
you monitor your network, but even then I believe a successful MAC/IP
spoof will go unnoticed.

Derick Anderson
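The thread turns on what the MAC= field of a netfilter LOG record actually contains and whether it can be cross-checked against the registered MAC addresses PiotrH mentions. The following is an added example, not code from the thread or from the netfilter project: it parses LOG-target records, splits the MAC= field into its three parts (the field is the received Ethernet header, 6 octets of destination MAC, 6 octets of source MAC, then the 2-octet EtherType, 14 octets in all), and compares the frame's source MAC with an IP-to-MAC inventory. Records whose source IP is registered to a different NIC, whose source IP is not in the inventory at all, or whose source MAC is all zeros are flagged, and the flagged records are tallied per sending MAC, which is the value a LAN administrator can actually chase to a switch port. The log lines, the inventory and all addresses are constructed for the example; the inventory is assumed to be trustworthy, which is exactly the assumption ARPWatch-style monitoring exists to check.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the netfilter LOG target's syslog format (not from the thread).
# MAC= reproduces the received Ethernet header: 6 octets of destination MAC, 6 octets of
# source MAC, then the 2-octet EtherType (08:00 = IPv4), 14 octets in all.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:02:00:0c:29:aa:bb:64:08:00 SRC=10.0.0.100 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:15:01 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:02:00:0c:29:aa:bb:c8:08:00 SRC=10.0.0.100 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:02:00:0c:29:aa:bb:c8:08:00 SRC=10.0.0.250 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:02:00:00:00:00:00:00:08:00 SRC=10.0.0.100 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:02:00:0c:29:aa:bb:c8:08:00 SRC=10.0.0.200 DST=10.0.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
"""

# Constructed IP -> MAC inventory of the LAN (hypothetical addresses).
INVENTORY: Dict[str, str] = {
    "10.0.0.2": "00:0c:29:aa:bb:02",
    "10.0.0.100": "00:0c:29:aa:bb:64",
    "10.0.0.200": "00:0c:29:aa:bb:c8",
}

# KEY=value tokens of a LOG record; bare flags such as DF or SYN are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class Entry:
    iface: str
    src_ip: str
    dst_ip: str
    dport: Optional[int]
    src_mac: Optional[str]  # None when MAC= is absent or not 14 octets
    dst_mac: Optional[str]
    ethertype: Optional[str]


def parse_log_line(line: str) -> Optional[Entry]:
    """Parse one LOG-target record; return None for lines that are not netfilter records."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    octets = fields["MAC"].lower().split(":") if fields.get("MAC") else []
    if len(octets) == 14:
        dst_mac, src_mac = ":".join(octets[:6]), ":".join(octets[6:12])
        ethertype = "0x" + "".join(octets[12:])
    else:
        dst_mac = src_mac = ethertype = None
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return Entry(fields.get("IN", ""), fields["SRC"], fields.get("DST", ""),
                 dport, src_mac, dst_mac, ethertype)


def assess(entry: Entry, inventory: Dict[str, str]) -> Tuple[str, str]:
    """Compare the frame's source MAC with the inventory entry for its source IP."""
    if entry.src_mac is None:
        return "malformed-mac", "MAC= field missing or not 14 octets"
    if entry.src_mac == "00:00:00:00:00:00":
        return "null-mac", "frame carried an all-zero source MAC"
    by_mac = {mac.lower(): ip for ip, mac in inventory.items()}
    sender = by_mac.get(entry.src_mac, "unregistered NIC " + entry.src_mac)
    expected = inventory.get(entry.src_ip)
    if expected is None:
        return "unknown-ip", f"source IP {entry.src_ip} is not in the inventory; frame sent by {sender}"
    if expected.lower() != entry.src_mac:
        return "ip-mac-mismatch", f"{entry.src_ip} belongs to {expected} but frame sent by {sender}"
    return "ok", ""


def analyze(log_text: str, inventory: Dict[str, str],
            dport: int = 22) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (verdict, src_ip, src_mac, detail) for every record aimed at dport."""
    results = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or entry.dport != dport:
            continue
        verdict, detail = assess(entry, inventory)
        results.append((verdict, entry.src_ip, entry.src_mac, detail))
    return results


def suspicious_senders(results) -> Counter:
    """Count flagged records per sending MAC: the value worth tracing to a switch port."""
    return Counter(mac for verdict, _ip, mac, _detail in results if verdict != "ok" and mac)


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG, INVENTORY)
    for verdict, ip, mac, detail in res:
        print(f"{verdict:16} SRC={ip:12} src_mac={mac}  {detail}")
    print("flagged records per sending NIC:", dict(suspicious_senders(res)))
```

The check only ever names the NIC that put the frame on the wire as the logging host saw it; if that NIC's MAC is itself forged, or the inventory was built from a poisoned ARP table, the verdict is wrong in the way Derick's closing remark warns about, so the inventory should come from the switch's port tables or a pre-recorded baseline rather than from the same host's ARP cache.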
