On Sat, Nov 12, 2005 at 01:14:08AM +0000, Stuart Henderson wrote:
> On 2005/11/12 01:11:02, Joachim Schipper wrote:
> > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
> > >     keep state (max-src-conn-rate 3/10, overload <attackers> flush)
> > 
> > This sort of thing is really popular, but I don't see the point.
> 
> See pf.conf(5) about max-src-conn, and compare it with max-src-states.

That's true. Sorry, should have RTFMP.

Regardless, while this makes the attack more difficult, the added
difficulty doesn't amount to much. Hubs will allow sniffing easily, and
switches can usually be degraded to hubs.

Methinks a combination of sniffing the return traffic (SYN/ACK) and
forging the response is enough (this is assuming the spoofed host does
not return a RST for nonsense SYN/ACKs - I'm fairly certain that there's
a way around that too, most likely just racing the gateway, but that
would complicate matters unnecessarily).

I'm thinking of a couple of hosts, attached to a hub (or 'hubbable'
switch).

If this attack really doesn't work, well, I'll be happy to learn
something new and/or Read Some More FMP... but in the meanwhile, I can
live with the log entries.

(Of course, the real Braindead Error above was me seemingly thinking
that dropping the default gateway would help. Instead, drop some other,
more interesting host.)

                Joachim
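A fuller pf.conf fragment around the rule under discussion, added here as an illustration and not taken from the thread: it defines the overload table, the block rule that acts on it, and a whitelist of administration hosts so that a host forced into the table cannot lock the administrator out. The interface name and the addresses in the tables are constructed for the example.

```pf
# Added example pf.conf fragment (not from the original thread).
# Interface name and table addresses are assumed/constructed.

ext_if = "em0"

# Hosts that exceeded the SSH connection rate end up here.
table <attackers> persist

# Administration hosts that must never be subject to the rate limit.
table <admins> const { 192.0.2.10, 192.0.2.11 }

# Evaluated first: admin hosts reach sshd even if their address was
# pushed into <attackers> by somebody else.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port 22 \
    flags S/SA keep state

# Everything from an overloaded source is dropped before the rate rule.
block in quick on $ext_if from <attackers>

# Everyone else: at most 3 new connections per 10 seconds per source.
# max-src-conn-rate only counts connections that completed the
# three-way handshake, so a blind SYN with a forged source address
# does not add an entry; "flush" removes that source's existing states.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/10, overload <attackers> flush)
```

Inspect the table with `pfctl -t attackers -T show` and age out entries from cron with `pfctl -t attackers -T expire 86400`, so that a legitimate host that ended up in the table is unblocked automatically rather than staying there until someone notices the log entries.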
