On Mon, 29 Aug 2016 at 10:21, Neal P. Murphy <neal.p.mur...@alum.wpi.edu> wrote:
> On Sun, 28 Aug 2016 14:35:01 +0200 > Frederic Marchal <frederic.marc...@wowtechnology.com> wrote: > > > The attack is also useless if the attacker can't spoof the source IP > > address. Routers in corporate environments usually block this by design > or > > due to VLAN. For that reason, the attack can't come from the same LAN to > > bypass the border firewall. This rules out an unhappy coworker, infected > > computer or a student with too much time on his hands. > > This is the first and foremost requirement. If the packets' source address > cannot be spoofed, the attack cannot be attempted. > > I'm less concerned with how many sites/protocols are vulnerable than I am > with how many ISPs allow spoofed packets out of their networks. It should > be trivial for any ISP to drop packets that, given the source address, > could not have originated within its network. > > In fact, I'd go so far as to say that no ISP should be allowed to connect > to the internet unless solid anti-spoofing measures are in place. > > The CVE may be primarily of academic interest, but it is still a > vulnerability that must be addressed. And the Debian crew will address it > soon enough. > > Version 4.7 of the kernel contains a fix, which only required changes to one source file, so I assume it's a question of back porting that fix into the Jessie version of the kernel. I might take a look at trying that and submit a patch if I can get it to work. (Now watch me trip over a dozen issues I didn't think of when I try this) Mark
