On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers.
> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> > team use to access several customers via VPN IPsec tunnels. But this
> > morning we have received a request from one of these customers to access
> > our development servers using only one ACL to permit their public IP
> > address (without using VPN IPsec or VPN SSL tunnels).
> >
> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing,
> > for example, or another type of attack that permits faking the source
> > public IP address) in this scenario?
>
> For an attacker with no access to endpoints or network in between:
>
> - For many protocols including UDP, it is absolutely trivial to send
> traffic from a fake source address.
But only a SYN can be sent, right? The attacker's source IP address will not receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS attack; they can't steal information, right?

> - With TCP it depends on various things but sometimes you can predict
> enough of the IP stack behaviour to spoof blindly and send data.
> reassemble tcp + random-id can help.
>
> If an attacker can MITM (either by getting $client to send to their
> machine instead of yours directly, they can obviously log or modify
> packets before forwarding on to the real server. It depends what
> you're running over it as to whether this is a problem.
>

Uhmmm ... but in this case, I don't see how an attacker can fake the original public source IP address ... Any theoretical example?

Many thanks Stuart for your help.

-- 
Greetings,
C. L. Martinez
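Editor's note: the following pf.conf fragment is an added illustration of the "single ACL for one public IP" setup discussed in this thread, combined with the `reassemble tcp` and `random-id` mitigations Stuart mentions. It is not from either poster. The interface name, the customer's address, the development server address and the port list are placeholders; substitute your own. Because pass rules in OpenBSD pf keep state by default (with `flags S/SA`), only a completed three-way handshake creates state for a TCP connection, which is why a blind spoofer has to guess the server's sequence numbers to get data accepted; `random-id` removes one source of information (predictable IP ID values) that would otherwise help with that guess.

```pf
# Added example, not from the thread. All addresses and names are placeholders.
ext_if      = "em0"              # assumption: external (public) interface
customer_ip = "192.0.2.10"       # placeholder: the customer's single public IP
dev_srv     = "198.51.100.20"    # placeholder: development server reached through the firewall
dev_ports   = "{ 22, 443 }"      # placeholder: services the customer actually needs

# Reassemble IP fragments before rules are evaluated (this is the default,
# stated explicitly here so the normalisation step is visible).
set reassemble yes

# Normalise inbound traffic. "reassemble tcp" statefully normalises TCP
# (TTL and timestamp handling); "random-id" replaces the IP identification
# field with random values so a remote party cannot infer stack state from it.
match in all scrub (no-df random-id reassemble tcp)

# Drop packets arriving on the external interface whose source address
# belongs to the firewall's own directly connected networks.
antispoof quick for $ext_if

# Default deny with logging, then the single ACL the customer asked for:
# only their public address, only TCP, only to the dev server, only listed ports.
# "keep state" and "flags S/SA" are implicit, so a bare ACK or data segment
# without an established state is dropped by the block rule.
block log all
pass in quick on $ext_if proto tcp from $customer_ip to $dev_srv port $dev_ports
pass out quick on $ext_if
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s states` afterwards shows that entries for the customer appear only once a handshake has completed. Note that none of this stops an attacker who really sits on-path between the customer and the firewall (the MITM case in Stuart's last paragraph): for that, the protocol carried over the connection still has to provide its own authentication and encryption.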