Re: Multihome based network attacks



I'll answer your questions in reverse order. I will state that I might misspeak or have inaccuracies here, so I implore you to search Google for your terms, or maybe other list users will speak up and correct me.

Yes, strong host models are not susceptible to multihomed attacks. Weak host models are susceptible.

First of all, a multihome situation involves a computer having two or more NICs and having separate network configurations on each one. An easy example would be using the wireless NIC in a laptop while it is also plugged into a wired network. This would put the laptop on two networks and "multihome" it.

A weak host model will accept packets from either of those networks and give them to the appropriate NIC that is on that network. For instance, if you are running a web server that is only listening on the wired network, but someone happens to send a packet to that web server over the wireless network using the wired NIC's IP address, the OS will go ahead and move it over to the wired NIC's stack.

An OS like Windows XP likes to have usability over security, and implements a weak host model. Vista will be using a strong host model.

Now, what about attacks? Well, attacks like this I wouldn't expect to find all that often, but there is some mischief I imagine you could do, especially if you have some knowledge of your target's two networks.

1) You can launch exploit attacks against services on either network, provided you are on one of the networks and know the IP addressing of the other network. In the example above, I could craft an exploit packet against your web server to penetrate it from the wireless network. The bad part is that I won't get a response because the web server will attempt to communicate replies out to the other network. But if I could get a local admin account created, I can then get into the system through the wireless network.

2) You can flood spoofed packets from the wireless network into the system, which may generate responses and traffic on the wired network. Again, though, you need to know the wired IP network addressing.

I wouldn't consider such attacks terribly lucrative, because they require some insider knowledge or good guessing on what is running on a system and the other networks the system is present on. To protect yourself, you should try to keep all end-user systems, particularly laptops, using only one network at a time. Don't let users both plug into the wired network while also using the wireless.

One of the more interesting places I see this being a possible issue would be in a corporate environment where users have laptops and wireless networking while also having wired networks at their desk. This would be especially important for teams like developers who might run insecure web server setups on their Windows XP boxes... This would all be compounded by using easily guessable network address spaces on the wired network and insecure wireless configurations that could allow someone in the parking lot to associate or break into. A disgruntled employee or former employee could cause a little drama...but chances are if someone is running insecure systems on the wired network, they will also be insecure on the wireless, and probably can be directly attacked without needing to resort to multihome attacks.
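
Added example (not part of the original post): a small model of the weak and strong host receive decisions as defined in RFC 1122, used to flag capture records whose destination address belongs to a different interface than the one they arrived on. The interface names, addresses and capture records are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample host: wired and wireless NICs on separate networks.
INTERFACES = {"wired0": ip_address("10.20.0.15"), "wlan0": ip_address("192.168.1.44")}

@dataclass(frozen=True)
class Packet:
    arrival_if: str   # interface the frame physically arrived on
    dst_ip: str
    dst_port: int

def accepts(model: str, pkt: Packet, interfaces=INTERFACES) -> bool:
    """RFC 1122 host-model receive decision for a unicast packet."""
    dst = ip_address(pkt.dst_ip)
    if dst not in interfaces.values():
        return False                      # not addressed to this host at all
    if model == "weak":
        return True                       # any local address, on any interface
    if model == "strong":
        return interfaces.get(pkt.arrival_if) == dst
    raise ValueError(f"unknown host model: {model}")

def cross_interface_hits(packets, interfaces=INTERFACES):
    """Packets a weak host would accept but a strong host would drop:
    the ones worth alerting on in a capture from a multihomed machine."""
    return [p for p in packets
            if accepts("weak", p, interfaces) and not accepts("strong", p, interfaces)]

# Constructed capture records (not real traffic).
SAMPLE = [
    Packet("wired0", "10.20.0.15", 80),    # normal: wired client to wired address
    Packet("wlan0", "192.168.1.44", 445),  # normal: wireless client to wireless address
    Packet("wlan0", "10.20.0.15", 80),     # wired address seen on the wireless side
    Packet("wlan0", "172.16.9.9", 80),     # not ours; dropped under both models
]

if __name__ == "__main__":
    for p in cross_interface_hits(SAMPLE):
        print(f"ALERT {p.arrival_if}: dst {p.dst_ip}:{p.dst_port} belongs to another interface")
```

On a strong host these records never reach a listening service; on a weak host they are the ones to log or block at the host firewall.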
