From owner-freebsd-security Wed Dec 8 14:19:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id 9EAA115245
	for ; Wed, 8 Dec 1999 14:19:11 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk (freeby.wessex.aldigital.co.uk [192.168.192.3])
	by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id WAA28565;
	Wed, 8 Dec 1999 22:17:31 GMT
Message-ID: <384ED7F4.61804910@algroup.co.uk>
Date: Wed, 08 Dec 1999 22:13:08 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Newton
Cc: "Scott I. Remick" , freebsd-security@FreeBSD.ORG
Subject: Re: What kind of attack is this?
References: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com> <19991209083140.A7509@atdot.dotat.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Newton wrote:
>
> On Wed, Dec 08, 1999 at 04:51:11PM -0500, Scott I. Remick wrote:
>
> > I know that's what firewalls are for, and that's why I'm working on
> > one. Holdup is time-constraints and red-tape and corporate politics and
> > screwed up priorities and so on, so let's just leave it that the firewall
> > is coming but is not here yet (if you remember back, this is the company
> > that wants to use MS Proxy).
>
> heheh. That's probably why you're being attacked :-)
>
> > So how does one protect themselves against such an attack? I have an
> > Ascend Pipeline 50 router which I'm trying to sort out from the manuals a
> > way to use its filters and how it behaves if rules overlap (what I'm
> > thinking is trying to find a way to block all incoming UDP packets EXCEPT
> > the type which are known to be good).
>
> Get a FreeBSD box with two ethernet interfaces. Enable ipfw. Start
> with rules that look like this:
>
> ipfw add pass udp from any GOODPORT to any in via OUTSIDE-INTERFACE
> i in via OUTSIDE-INTERFACE
> ipfw add pass all from any to any

No, that would be bad. If they can spoof their address, they can
certainly spoof the source port (get a copy of netcat (respex to hobbit)
and have a play if you don't believe it).

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
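
The objection in the reply above, modelled as an added example (not code from the thread or from ipfw): the source port is a field the sender fills in, so a rule keyed on it passes anything that claims that port. The comparison with a reply tracker goes beyond the thread; GOODPORT = 53, the addresses, and the names `source_port_rule` and `ReplyTracker` are assumptions, and only rule evaluation is modelled.

```python
from dataclasses import dataclass

GOODPORT = 53  # assumption: the "known good" UDP service is DNS


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int


def source_port_rule(pkt):
    """The quoted rule: pass inbound UDP whose *source* port is GOODPORT."""
    return pkt.sport == GOODPORT


class ReplyTracker:
    """Pass inbound UDP only if it answers a flow an inside host opened."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Remember the exact 4-tuple a legitimate reply would carry.
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows


def evaluate():
    # Constructed sample traffic (documentation address ranges).
    query = Udp("192.0.2.10", 40000, "198.51.100.53", 53)
    reply = Udp("198.51.100.53", 53, "192.0.2.10", 40000)
    # Unsolicited packet to an inside service; the sender chose sport 53.
    unsolicited = Udp("203.0.113.7", 53, "192.0.2.10", 9999)
    tracker = ReplyTracker()
    tracker.outbound(query)
    return {
        "port_rule": (source_port_rule(reply), source_port_rule(unsolicited)),
        "tracker": (tracker.inbound(reply), tracker.inbound(unsolicited)),
    }


if __name__ == "__main__":
    print(evaluate())
```
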