On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote:
> ...which is the official license to shoot yourself in the foot. What
> happens if I send you a forged, suspicious packet with source-IP equal
> to the IP address of your gateway router, your DNS server, your internal
> system(s), ...
This is not necessarily a serious problem. When using Snort as an IDS, you can make it send alerts only for established TCP sessions. You are right that a single IP packet with a spoofed source address would make your system go nuts. However, running snort with the option "-z est" does exactly this. It's very hard (if not nearly impossible) to spoof established TCP sessions.

I was already thinking about packaging "guardian", which creates iptables/ipchains rules for every established connection that looks dangerous. Unfortunately, the quality of the upstream package is currently 'garbage'. In addition, any script doing such dynamic blocking of other hosts should be able to know which network is friend and which is foe. :)

Christoph
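The two guards discussed in this thread, reacting only to established TCP sessions and exempting "friend" networks, as an added example of what a dynamic blocker's decision logic should look like before it touches iptables. This is illustrative code written for this page, not guardian's code and not Snort output: the alert records, the friend networks (RFC 5737 documentation addresses for the gateway and DNS server, RFC 1918 ranges for the LAN) and the `established` flag are all constructed. The flag stands for what Snort's stream tracking provides when it is run with "-z est", that is, the alert came from a session whose three-way handshake was observed, so a single forged datagram or an unanswered SYN never reaches the blocking step.

```python
"""Decide whether a Snort-style alert may turn into a dynamic firewall rule.

Two guards run before any rule is emitted:
  1. The alert must come from an established TCP session. A single
     spoofed packet or a bare SYN is rejected; this is the property that
     running snort with "-z est" gives you.
  2. The source must not lie in a "friend" network (gateway, DNS servers,
     internal ranges), so a forged source address cannot trick the box
     into firewalling off its own infrastructure.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Friend networks. Assumed values for this example; use your own.
FRIENDS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16",   # internal LAN
    "10.0.0.0/8",       # more internal space
    "192.0.2.1/32",     # gateway router
    "192.0.2.53/32",    # DNS server
    "127.0.0.0/8",      # loopback
)]


@dataclass
class Alert:
    """Minimal alert record (constructed; not a real Snort log format)."""
    src: str
    dst: str
    proto: str          # "TCP", "UDP", "ICMP"
    established: bool   # stream tracker saw the full TCP handshake
    msg: str


def block_rule(alert: Alert, friends=FRIENDS) -> Tuple[Optional[str], str]:
    """Return (iptables command, reason) or (None, reason) when no rule is emitted."""
    try:
        src = ipaddress.ip_address(alert.src)
    except ValueError:
        return None, "unparseable source address"
    # Guard 1: only established TCP; anything else is trivially spoofable.
    if alert.proto != "TCP" or not alert.established:
        return None, "not an established TCP session (spoofable)"
    # Guard 2: never block our own infrastructure, even on a real session.
    if any(src in net for net in friends):
        return None, "source is a friend network"
    if src.is_multicast or src.is_unspecified:
        return None, "source cannot be a real peer"
    return f"iptables -I INPUT -s {src} -j DROP", "blocked"


def plan(alerts: List[Alert], friends=FRIENDS):
    """Split alerts into emitted rules and skipped (source, reason) pairs."""
    rules, skipped = [], []
    for a in alerts:
        rule, reason = block_rule(a, friends)
        if rule:
            rules.append((a.src, rule))
        else:
            skipped.append((a.src, reason))
    return rules, skipped


# Constructed sample alerts; addresses are documentation ranges.
SAMPLE = [
    Alert("203.0.113.7", "192.168.1.10", "TCP", True, "shell-command attempt over an established session"),
    Alert("192.0.2.1", "192.168.1.10", "TCP", False, "forged SYN claiming to be the gateway"),
    Alert("192.0.2.53", "192.168.1.10", "UDP", False, "forged DNS reply"),
    Alert("198.51.100.9", "192.168.1.10", "TCP", False, "SYN-only port scan"),
    Alert("192.168.1.20", "192.168.1.10", "TCP", True, "noisy but internal host"),
]

if __name__ == "__main__":
    rules, skipped = plan(SAMPLE)
    for src, rule in rules:
        print("EMIT   ", src, "->", rule)
    for src, reason in skipped:
        print("SKIP   ", src, "->", reason)
```

Only the first alert produces a rule; the forged gateway and DNS packets and the SYN scan fail guard 1, and the internal host fails guard 2 even though its session is genuine. In a real deployment the emitted command would additionally need an expiry so a blocked address does not stay blocked forever.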