On Monday 16 July 2007 16:10:04 Philipp Snizek wrote:
> > On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
> >> Hi
> >>
> >> I have this scenario:
> >>
> >> Subnet A
> >> Hosts n ----- Gateway ----- Fileservers NFS
> >>
> >> Hosts n: mark packets
> >> Gateway: uses mark to make routing decision
> >>
> >> Hosts n get their IP address via DHCP (IP address lease decision based on
> >> the client's MAC address).
> >> It is extremely simple to attach a notebook to Subnet A, spoof a legal
> >> client's IP and MAC addresses, get UID and username and do the worst.
> >>
> >> Over the weekend I tried packet marking using iptables mark and connmark
> >> targets to label packets at the Hosts n (iptables output -j MARK rule) and
> >> to have the Gateway based on these labels decide what to do with the
> >> packets (ip rule with fwmark). I stopped trying when I found out that the
> >> labels are not given permanently when a marked packet leaves the interface
> >> of a host n.
> >>
> >> As I very much like the idea of labeling packets I wonder whether such a
> >> concept is possible with other linux tools.
> >>
> >> Or how would you do it?
> >>
> >> Thanks for your attention
> >
> > Hi,
> >
> > How are you using the marks? If a client can spoof the IP and MAC address, it
> > could do so with the marks too.
>
> Yes, it could, but then the attacker somehow has to learn what the mark
> looks like. If the attacker doesn't know, the gateway will notice the
> spoofing with the first incoming packet. And thus, alerting the spoofing
> will not be a problem anymore.

Spoofing the mark is as easy as spoofing the IP and MAC.

> The only way I can think of would be a man-in-the-middle attack (e.g. with
> a notebook that has 2 interfaces set up as a linux bridge).
> I also thought about using SECMARK with SELinux but that is too much of a
> pain and therefore too expensive to build. Also, I do not know whether
> SECMARK painted packets are painted permanently.

You don't need to have two network interfaces to do a man-in-the-middle
attack. And that is the beauty of it - it is so simple :) You do that with IP
and MAC spoofing and it is as simple as running a little tool, publicly
available.

--
Blade hails you...
I know my dreams are made of you
Of you and only for you
--Nightwish