Hello all!

 I set up a firewall for a friend of mine who has a cable modem. It contains 
two NICs, eth0 had the address 192.168.0.1 (I changed this to 192.168.123.45, 
to be able to set a route to 192.168.0.0 over eth1), eth1 is the outside NIC, 
let's say it uses IP address 200.201.202.203.
 One day his log started filling up with entries like this:

Jul 20 03:30:24 joy kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=2108 F=0x0000 T=128 (#3)

 There are literally hundreds of these entries. So somebody is spoofing him 
with a local address, and trying something with bootp (other entries using 
other ports and source/destination addresses have occurred later). As mentioned 
I changed the local address, to be able to set a route over eth1 to network 
192.168.0.0, using 200.201.202.203 as the gateway. I can then ping 
192.168.0.1, but get no answer. If I try to set a route over the ISP's gateway 
(say 200.201.202.1) I get a 'packet filtered' response on ping 192.168.0.1, 
which of course is a good thing.

 So this is the situation. Now for the questions:
1) Am I correct in assuming that this spoof can only come from the ISP's 
network? If not, how does one route such requests?
2) Does anyone have suggestions on how to counter such spoofs? Pointers to 
relevant websites are appreciated, and personal experiences are also welcome.

                                CU O,

                                Leonard.
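
An added example, not part of the original message: a small parser for ipchains "Packet log" entries like the one quoted above, which tags RFC 1918 sources seen on the outside interface, limited-broadcast destinations, and the UDP 68-to-67 BOOTP/DHCP client pattern. The function names, tag names and the second and third sample lines are constructed for illustration; eth1 as the outside interface is taken from the message.

```python
import ipaddress
import re
from collections import Counter

# ipchains entry: chain, action, interface, IP protocol number, src addr:port,
# dst addr:port, L= length, S= TOS, I= IP id, F= fragment, T= TTL, (#rule).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*"
    r"T=(?P<ttl>\d+) .*?\(#(?P<rule>\d+)\)")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):  # dict of fields, or None if the line is not a packet log
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def classify(rec, outside_iface="eth1"):  # list of tags for one parsed entry
    tags = []
    src = ipaddress.ip_address(rec["src"])
    if rec["iface"] == outside_iface and any(src in net for net in PRIVATE):
        tags.append("rfc1918-source-on-outside")
    if rec["dst"] == "255.255.255.255":
        # Routers do not forward limited broadcast: sender is on this segment.
        tags.append("same-segment-broadcast")
    if rec["proto"] == 17 and (rec["sport"], rec["dport"]) == (68, 67):
        tags.append("bootp-dhcp-client-request")
    return tags

def summarize(lines, outside_iface="eth1"):  # count (source, tag) pairs
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        for tag in classify(rec, outside_iface):
            counts[(rec["src"], tag)] += 1
    return counts

# First line is the entry from the message; the other two are constructed.
SAMPLE = [
    "Jul 20 03:30:24 joy kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=2108 F=0x0000 T=128 (#3)",
    "Jul 20 03:31:02 joy kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:4312 200.201.202.203:23 L=44 S=0x00 I=5120 F=0x0000 T=52 (#3)",
    "Jul 20 03:31:05 joy sshd[412]: constructed non-firewall line",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```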

