On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote:
> On 25.01.2017 15:42, C. L. Martinez wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >>> Hi all,
> >>>
> >>> I have received a (maybe) "stupid" request from one of our customers.
> >>> We have a pair of public OpenBSD firewalls (CARPed) that our development
> >>> team uses to access several customers via VPN IPsec tunnels. But this
> >>> morning we have received a request from one of these customers to access
> >>> our development servers using only one ACL to permit their public IP
> >>> address (without using VPN IPsec or VPN SSL tunnels).
> >>>
> >>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing,
> >>> for example, or another type of attack that permits faking the source
> >>> public IP address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But, only SYN can be sent, right?? The attacker's source IP address will not
> > receive ACK, etc. Is it correct? If it is, he/she/they can only do a DoS
> > attack, they can't steal information, right?
> >
>
> UDP and many other protocols are connectionless, so there is no such
> thing as SYN/ACK. You basically just send your data package and hope it
> somehow gets to its destination.
>
> https://en.wikipedia.org/wiki/User_Datagram_Protocol
Yep, sorry. My mistake. I am referring to TCP connections ...

> >>
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> >>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original
> > public source IP address ... Any theoretical example?
> >
> > Many thanks Stuart for your help.
> >
> >
>
> In an MITM scenario, the sent data packets actually flow _through_ the
> MITM's machine before they are forwarded to your machine. No need to
> fake the original source address, as it won't be changed. Think of the
> MITM's machine as a simple router interconnecting your and the $client's
> WAN.
>
> https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see how you can accomplish this. For example: the public source IP address is 1.1.1.1, the destination public IP address is 2.2.2.2 and the attacker's public IP address is 3.3.3.3. To establish communications between these three elements, there are several routers between them to route packets. What I don't see is how, when the attacker sends packets to 2.2.2.2 using source public IP address 1.1.1.1, the routers between all elements return these packets to the attacker (which has the 3.3.3.3 IP address) .... Sorry for my "basic" knowledge in these fields :)

--
Greetings,
C. L. Martinez