On Tue, 30 Oct 2001, Andreas Achtzehn wrote:

> hi,
>
> From: spiekey [mailto:spiekey@hotmail.com]
> Sent: Tuesday, October 30, 2001 2:37 PM
> To: suse-security@suse.com
> Subject: [suse-security] how to detect spoofing hosts
>
> > Hello! Let's say I have a big LAN, with a few gateways and a firewall. The bigger your network gets, the more you will be confronted with people who want to "explore" your LAN. That's why I was wondering how you can detect spoofing hosts. And why can spoofing be so dangerous? I couldn't think of a good example.
>
> Spoofing is dangerous because some services still rely on source addresses for authentication. This is deprecated behaviour, however. Spoofing from the external net into the LAN may allow bypassing firewall rules; dangerous too. Setting up the firewall to block traffic on the external device which seems to come from internal addresses should be included in the standard configuration. The Linux kernel is capable of doing some 'consistency checks' on its own if rp_filter in /proc is set. It uses the routing table to determine whether or not the packet could have arrived regularly on the specific device.
>
> > Thank you!
> > Spiekey
>
> Try using arpwatch. It will detect IP spoofing if the attacker is unable to spoof his MAC.

Well, arpwatch is just a reporting mechanism, and it sends mail to the sysop if it detected an ARP-poisoning attack, but it's like telling the attacker himself that he succeeded. :-)
[because arpwatch probably needs ARP-table entries:]
It's probably better to enable port security on your switches.

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~
~ krahmer@suse.de - SuSE Security Team
~
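As an added example (not code from the thread or from any of its posters), the reverse-path check Andreas describes, simulated in Python: a packet is accepted only when the route back to its source address leaves through the interface the packet arrived on, which is exactly how an "internal" source showing up on the external device gets dropped. The routing table, interface names and sample packets are constructed assumptions; on Linux the real check is switched on via /proc/sys/net/ipv4/conf/all/rp_filter.

```python
import ipaddress

# Constructed routing table for a small site: (destination prefix, outgoing interface).
# eth1 faces the LAN, eth0 faces the Internet. Not taken from the original thread.
ROUTES = [
    ("10.0.0.0/8", "eth1"),       # internal LAN
    ("192.168.0.0/16", "eth1"),   # internal LAN
    ("203.0.113.0/24", "eth0"),   # our public segment
    ("0.0.0.0/0", "eth0"),        # default route to the Internet
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter(src, in_iface, routes=ROUTES):
    """Strict reverse-path filter (rp_filter=1): accept only if the reply to src
    would leave through the very interface the packet arrived on."""
    return route_lookup(src, routes) == in_iface


def filter_packets(packets, routes=ROUTES):
    """Apply the check to (source address, ingress interface) pairs."""
    return [(src, iface, "ACCEPT" if rp_filter(src, iface, routes) else "DROP")
            for src, iface in packets]


# Constructed sample traffic: two honest packets and two spoofed ones.
SAMPLE = [
    ("10.1.2.3", "eth1"),       # LAN host seen on the LAN interface
    ("10.1.2.3", "eth0"),       # internal address arriving from outside: spoofed
    ("198.51.100.7", "eth0"),   # ordinary Internet source on the external interface
    ("198.51.100.7", "eth1"),   # external address arriving from the LAN: spoofed
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:>15} on {iface}: {verdict}")
```

Strict mode as modelled here will also drop legitimate traffic on asymmetrically routed multi-homed hosts, which is why the kernel offers a loose mode (rp_filter=2) that only requires some route back to the source to exist.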