On Monday 16 July 2007 16:10:04 Philipp Snizek wrote:
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets Gateway: uses mark to make routing desicion
Hosts n get their IP address via DHCP (IP address lease decision
on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a
client's IP and MAC addresses get UID and username and do the worst.
Over the weekend I tried packet marking using iptables mark and
targets to label pakets at the Hosts n (iptables output -j MARK rule) and to have the Gateway based on these labels decide what to do with the pakets (ip rule with fwmark). I stopped trying when I found out that
labels are not given permanently when a marked packet leaves the interface of a host n.
As I very much like the idea of labeling packets I wonder whether
concept is possible with other linux tools.
Or how would you do it?
Thanks for your attention
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know the gateway will notice the spoofing with the first incoming packet. And thus, alerting the spoofing will not be a problem anymore.
Spoofing the mark is as easy as spoofing the IP and MAC.
I generally agree with you. It is also easy to change the mark into unpredictability. But, as I said - unless you know otherwise - iptables marks are set as long as the packets are in the kernel. So marking packets seems not the way to go. Therefore, there is no point in discussing the spoofability of iptables marks.
The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a linux bridge). I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
You don't need to have two network interfaces to do a man-in-the-middle attack. And that is the beauty of it - it is so simple:) You do that with IP and MAC spoofing and is as simple as running a little tool, publicly available.
Sure it is. That is why I would want to paint the packets. We are discussing now who was first. The egg or the chicken.
-- Blade hails you...
I know my dreams are made of you Of you and only for you --Nightwish
--------------------------------------------------------------------- To unsubscribe, e-mail: email@example.com For additional commands, e-mail: firstname.lastname@example.org