On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
> if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
>         goto martian_destination;
>
> This is part of the routing check for incoming packets. It should take
> care of the problem being discussed. :)
>
> (I haven't tested this section of the code, but it should prevent that kind
> of attack, I think)
It should, yes; however, see the recent thread on Bugtraq about this issue. Also, since log_martians is not enabled by default (unless your distro does so, and afaict potato at least does not), you will never hear a word about these packets. Logging them would be nice. Even with log_martians enabled, it doesn't tell you anything about the packet other than src, dst, and iface.

Further, I'm not sure the martian code would stop a packet from landing on an "internal" interface other than loopback (again, see the Bugtraq discussion), which is why we should (and do) filter the destination addresses of incoming packets as well as the source addresses.

Thanks.
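To make the gap the reply is pointing at concrete, here is an added example (my own, not the kernel's code or anyone's on the list). It reproduces what the quoted routing-check line rejects for the destination address (class E via BADCLASS, 0.0.0.0/8 via ZERONET, 127.0.0.0/8 via LOOPBACK) and then applies the extra ingress policy the reply argues for: packets arriving on the external interface are checked for an internal destination as well as an internal or loopback source. The interface names, prefixes, public address and sample packets are constructed for the illustration.

```python
"""Ingress filter check for packets arriving on an external interface.

Added example, not kernel code. Mirrors the three destination checks quoted
in the thread (BADCLASS, ZERONET, LOOPBACK) and adds the destination-address
filtering the reply recommends. All topology and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# What the quoted kernel check rejects as a martian destination:
#   BADCLASS -> class E 240.0.0.0/4, ZERONET -> 0.0.0.0/8, LOOPBACK -> 127.0.0.0/8
KERNEL_MARTIAN_DST = [
    ipaddress.ip_network("240.0.0.0/4"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed example topology (assumption): eth0 faces the Internet, the
# internal interface(s) live in these prefixes, and 203.0.113.10 is the
# host's public address.
EXTERNAL_IFACE = "eth0"
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]
PUBLIC_ADDRS = {ipaddress.ip_address("203.0.113.10")}


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address


def kernel_martian_reason(dst: ipaddress.IPv4Address) -> Optional[str]:
    """Return a reason if dst would hit the quoted 'goto martian_destination'."""
    for net in KERNEL_MARTIAN_DST:
        if dst in net:
            return f"martian destination {dst} in {net}"
    return None


def ingress_filter(pkt: Packet) -> Optional[str]:
    """Return a drop reason for a packet on the external interface, or None to accept.

    The kernel check above only covers class E, zero-net and loopback
    destinations. A packet from outside aimed at an internal interface's
    address (e.g. 192.168.1.1) passes it, so the filter below also rejects
    internal destinations, in addition to the usual anti-spoofing source check.
    """
    if pkt.iface != EXTERNAL_IFACE:
        return None  # only external ingress is policed in this example
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    reason = kernel_martian_reason(dst)
    if reason:
        return reason
    if src.is_loopback or any(src in n for n in INTERNAL_NETS):
        return f"spoofed internal source {src} on {pkt.iface}"
    if any(dst in n for n in INTERNAL_NETS):
        return f"external packet to internal destination {dst}"
    if dst not in PUBLIC_ADDRS:
        return f"destination {dst} is not an address of this host"
    return None


# Constructed sample traffic, with the interesting case last: an outside
# host addressing the internal interface directly.
SAMPLE_PACKETS = [
    Packet("eth0", "198.51.100.7", "203.0.113.10"),  # normal inbound traffic
    Packet("eth0", "198.51.100.7", "127.0.0.1"),     # kernel martian check catches this
    Packet("eth0", "192.168.1.5", "203.0.113.10"),   # spoofed internal source
    Packet("eth1", "192.168.1.5", "192.168.1.1"),    # internal side, not policed here
    Packet("eth0", "198.51.100.7", "192.168.1.1"),   # passes kernel check, filter must drop
]


def run_filter(packets=SAMPLE_PACKETS) -> list:
    """Apply ingress_filter to each packet; returns (packet, reason-or-None) pairs."""
    return [(p, ingress_filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, reason in run_filter():
        verdict = "ACCEPT" if reason is None else f"DROP ({reason})"
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst}: {verdict}")
```

The last sample packet is the case the reply worries about: its destination is neither class E, zero-net nor loopback, so `kernel_martian_reason` returns None for it, and only the explicit destination check drops it. Independently of the filter, setting `net.ipv4.conf.all.log_martians` to 1 (the `/proc/sys/net/ipv4/conf/*/log_martians` files) makes the kernel log the packets it does classify as martians, with the src, dst and iface the reply mentions.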