Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing"
From: Todd Knarr (tknarr@silverglass.org)
Date: 12/31/02
- Next message: LXIX: "Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing""
- Previous message: Brian E: "Content Filtering Statistics. What to expect?"
- In reply to: Joe Schmoe: "Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing""
- Next in thread: Joe Schmoe: "Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing""
- Reply: Joe Schmoe: "Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Todd Knarr <tknarr@silverglass.org> Date: Tue, 31 Dec 2002 02:00:23 GMT
In comp.security.misc <pan.2002.12.31.01.05.40.224115@forme.com> Joe Schmoe <nomail@forme.com> wrote:
> Why would it be inbound? I'm talking about generating a valid IP that
> exists within your own subnet that will pass an outbound filter. The
> machine generating the packet AND the spoofed IP are both on the same
> subnet controlled by the same router.
It'd depend on the filtering. I'd probably implement rules that would
prevent both scenarios. Examples:
1. Dial-up. The controller in the modem racks knows which IP address was
assigned to each dial-in line. Ingress filtering is applied to each
line prohibiting any packets sourced from an IP address not associated
with that line.
2. Ethernet. I'd pick a switch that could filter on MAC and IP addresses,
and configure it to drop all packets on a port not from an address that
should be hooked up to that port. Depending on hubs and unmanaged switches
there may be a range of addresses usable on a given managed port, but it
should be small. For maximum paranoia, associate MAC addresses with ports
and filter on that. That makes it impossible to impersonate another NIC at
a cost in troubleshooting when people change NICs or equipment.
3. Cable modems. The CMTS knows the IP address assigned to a given cable
modem, and it's a bitch to forge the CM serial number. Configure the
CMTS to kill any modem sourcing packets from anything other than the
addresses properly assigned to it.
What this amounts to is basic ingress filtering, but on the other side
of the ISP's network (customer->ISP instead of Internet->ISP). The worst
of the lot is the Ethernet one if you've got a deep or wide hub tree, so
each port on the switch has a lot of machines hanging off it. You get a
lot of performance/collision issues in that case too, so from both a
security and a performance standpoint it'd be better to install more
managed switches and trim down the unmanaged subtrees to a manageable
size.
--
If you are going to kill me then do so. Otherwise, I have considerable
work to do.
-- Lennier
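The three scenarios in the reply above are one mechanism applied to three access technologies: every port (dial-in line, switch port, cable modem) is bound to the source addresses that belong to it, and anything else sourced on that port is dropped. The following is an added illustration of that decision logic, not code from the thread or from any vendor; the port names, MAC addresses and IP ranges are constructed sample values, and the `max_hosts` threshold for flagging an oversized per-port range is an assumption.

```python
"""Model of customer-side ingress (anti-spoofing) filtering: each access port
is bound to the addresses assigned to it, and packets arriving on a port with
any other source address are dropped.  All names and addresses below are
constructed sample values (documentation ranges), not real ISP data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PortBinding:
    """Addresses allowed to source packets on one access port.

    allowed_ips : networks assigned to the port -- a single /32 for a dial-up
                  line or cable modem, a small range for a managed switch port
                  that has an unmanaged hub or switch behind it.
    allowed_macs: optional MAC pinning ("maximum paranoia" mode for Ethernet);
                  None means the MAC is not checked on this port.
    """
    allowed_ips: list
    allowed_macs: Optional[set] = None


@dataclass
class Packet:
    in_port: str   # which line / switch port / modem the packet arrived on
    src_mac: str   # empty for non-Ethernet access (dial-up, CM-side view)
    src_ip: str


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def check_packet(bindings: dict, pkt: Packet) -> tuple:
    """Return (accepted, reason) for one packet under the binding table."""
    binding = bindings.get(pkt.in_port)
    if binding is None:
        return False, "unknown port"
    if binding.allowed_macs is not None and \
            normalize_mac(pkt.src_mac) not in binding.allowed_macs:
        return False, "source MAC not bound to port"
    try:
        src = ip_address(pkt.src_ip)
    except ValueError:
        return False, "malformed source IP"
    if not any(src in net for net in binding.allowed_ips):
        return False, "source IP not assigned to port"
    return True, "ok"


def oversized_ranges(bindings: dict, max_hosts: int = 16) -> list:
    """Audit helper: ports whose allowed range is larger than max_hosts
    addresses, i.e. unmanaged subtrees that should be trimmed.  The
    threshold is an assumed policy value, not from the thread."""
    return sorted(port for port, b in bindings.items()
                  if sum(net.num_addresses for net in b.allowed_ips) > max_hosts)


# Constructed binding table covering the three scenarios from the reply.
BINDINGS = {
    # 1. Dial-up: the modem-rack controller assigned one address to line 7.
    "dialup-line-7": PortBinding([ip_network("198.51.100.7/32")]),
    # 2. Ethernet: managed port with a small hub behind it, MACs pinned.
    "switch-gi0/3": PortBinding([ip_network("192.0.2.64/29")],
                                allowed_macs={"00:11:22:33:44:55",
                                              "00:11:22:33:44:56"}),
    # 2b. Ethernet: a deep unmanaged subtree with a whole /24 behind one port.
    "switch-gi0/9": PortBinding([ip_network("192.0.2.128/25")]),
    # 3. Cable: the CMTS knows this modem's single assigned address.
    "cm-serial-ABC123": PortBinding([ip_network("203.0.113.40/32")]),
}

# Constructed traffic: legitimate packets plus same-subnet spoof attempts.
SAMPLE_PACKETS = [
    Packet("dialup-line-7", "", "198.51.100.7"),                   # ok
    Packet("dialup-line-7", "", "198.51.100.9"),                   # neighbour's IP
    Packet("switch-gi0/3", "00:11:22:33:44:55", "192.0.2.66"),     # ok
    Packet("switch-gi0/3", "00:11:22:33:44:55", "192.0.2.80"),     # IP outside /29
    Packet("switch-gi0/3", "aa:bb:cc:dd:ee:ff", "192.0.2.66"),     # foreign NIC
    Packet("cm-serial-ABC123", "", "203.0.113.41"),                # next modem's IP
    Packet("unknown-port", "", "203.0.113.40"),                    # no binding
]


def run_filter(bindings: dict = BINDINGS, packets: list = SAMPLE_PACKETS) -> list:
    """Apply check_packet to every packet; returns a list of (accepted, reason)."""
    return [check_packet(bindings, p) for p in packets]


if __name__ == "__main__":
    for pkt, (ok, why) in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt.in_port:18} {pkt.src_ip:15} {'ACCEPT' if ok else 'DROP':6} {why}")
    print("ports needing smaller ranges:", oversized_ranges(BINDINGS))
```

Only the first and third sample packets pass; every same-subnet spoof is dropped at the port it came in on, which is the point of doing the filtering on the customer side rather than at the Internet edge. The audit helper flags the /25 port, matching the advice to replace deep unmanaged hub trees with more managed switches so that each port's allowed range stays small.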