> Matthew (matt_at_ott.opcom.ca) wrote:
...
> On a similar note, a more practical example is this
> condition will occur if any NFS request (mount, getattr, etc.
> etc.) has the source IP field set to 127.0.0.1. This can
> happen in certain circumstances - I believe there is a patch
> for HP/UX 9.x under certain platforms that prevents this
> specific condition from occurring. (Any HP that mounts a
> SunOS 4.1.x server could cause it to crash merely by mounting
> it!).
>
> If anyone is feeling frisky, start playing with a SunOS box
> and try injecting spurious IP packets onto the wire... since
> SunOS doesn't have the nifty DLPI interface that Solaris has,
> it is probably susceptible to many, many similar attacks
> using the standard IP stack.
Indeed, ipsend tests crash many boxes at this time, and that's just
using standard off-the shelf tests.
The way to stop many of these classes of attacks from over the Internet
is to follow the recommendations in "Eliminating IP Address Forgery"
(available at http://all.net/ under the Info-Sec Super Journal in
"Network Security") - however, these techniques will not stop them all.
For example:
UDP
>From: victim-1
To: victim-2
>From port: 7
To port: 11
When each is a legitimate address will cause such a loop. Since each is
a legitimate address and each is on a different service port, even some
fairly sophistocated router-based defenses fail. Good advice is to turn
off all UDP services that don't have strict format requirements.
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 330-686-0090 - PO Box 1480, Hudson, OH 44236
Received on May 23 1996
Intro
