On 25.01.2017 15:42, C. L. Martinez wrote:
> On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
>> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
>>> Hi all,
>>>
>>> I have received a (maybe) "stupid" request from one of our customers.
>>> We have a pair of public OpenBSD firewalls (CARPed) that our development
>>> team use to access several customers via VPN IPsec tunnels. But this
>>> morning we have received a request from one of these customers to access
>>> our development servers using only one ACL to permit their public IP
>>> address (without using VPN IPsec or VPN SSL tunnels).
>>>
>>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
>>> for example, or another type of attack that permits faking the source
>>> public IP address) in this scenario?
>>
>> For an attacker with no access to endpoints or network in between:
>>
>> - For many protocols including UDP, it is absolutely trivial to send
>> traffic from a fake source address.
>
> But, only SYN can be sent, right?? The attacker's source IP address will not
> receive ACK, etc. Is it correct? If it is, he/she/they can only do a DoS
> attack, they can't steal information, right?
>

UDP and many other protocols are connectionless, so there is no such thing
as SYN/ACK. You basically just send your data package and hope it somehow
gets to its destination.
https://en.wikipedia.org/wiki/User_Datagram_Protocol

>>
>> - With TCP it depends on various things but sometimes you can predict
>> enough of the IP stack behaviour to spoof blindly and send data.
>> reassemble tcp + random-id can help.
>>
>> If an attacker can MITM (either by getting $client to send to their
>> machine instead of yours directly), they can obviously log or modify
>> packets before forwarding on to the real server. It depends what
>> you're running over it as to whether this is a problem.
>>
>
> Uhmmm ... but in this case, I don't see how an attacker can fake the original
> public source IP address ... Any theoretical example?
>
> Many thanks Stuart for your help.
>

In an MITM scenario, the sent data packets actually flow _through_ the MITM's
machine before they are forwarded to your machine. No need to fake the original
source address, as it won't be changed. Think of the MITM's machine as a simple
router interconnecting your and the $client's WAN.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack

--
Unix _IS_ user friendly - it's just selective about who its friends are!
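As an added illustration (not part of this thread, and not a configuration any of the posters supplied), this is roughly what the requested "one ACL for their public IP" arrangement looks like in OpenBSD pf.conf, combined with the `reassemble tcp` and `random-id` scrub options Stuart mentions and a reverse-path check. The customer address and server range are constructed placeholders from the documentation ranges, and the `egress` interface group is assumed:

```pf
# Added example, not from the original thread. Addresses are placeholders.
customer_ip = "192.0.2.10"          # the customer's public IP (constructed)
dev_servers = "{ 203.0.113.0/24 }"  # our development servers (constructed)

# Normalise traffic: reassemble TCP segments and randomise IP IDs so the
# stack's behaviour is harder to predict for a blind (off-path) spoof.
match in all scrub (no-df random-id reassemble tcp)

# Drop packets whose source address does not route back via the interface
# they arrived on. This only catches the obvious cases; a packet carrying a
# legitimately routable external source address passes the check.
block in quick from urpf-failed
antispoof quick for egress

# The requested ACL: only the customer's public IP may reach the servers.
pass in on egress inet proto tcp from $customer_ip to $dev_servers port { 22 443 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. What this ruleset checks is the source address and nothing else, which is exactly the limitation the replies describe: an on-path party never has to alter that address, and a connectionless protocol offers no handshake that would confirm it. With TCP plus this normalisation, an off-path spoof has to guess sequence numbers blindly, but the traffic itself stays unauthenticated and unencrypted, which is what the existing IPsec tunnel was providing.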