[plug] OT: Smoothwall

Brad Campbell brad at seme.com.au
Mon Aug 13 11:14:14 WST 2001


EarnshawM at wa.switch.aust.com wrote:
> suppose, how do I or should I go about detecting "spoofed" <?> intrusions,
> where someone sends a packet with an incorrectly reported ip .. 192.168.1.1 for
> example. I know they should be dropped when traversing the Internet but I
> do see them every now and then in some logs at work.

As an extra to that question.
If I have a box, with ppp0 and eth0 on it. The default route is through ppp0
and 192.168.1.* is routed through eth0.

A spoofed packet comes in from 192.168.1.1 sourced through ppp0.
Should the reply to that packet be routed through eth0, therefore
the sender of the spoofed packet will get no reply?
If so, then the packet spoofing could not be used to establish a connection,
just provide transport for an attack that requires no reverse traffic.

Am I wrong?

<Off to look up some detailed docs on packet spoofing>


-- 
Brad....
                   /"\
Save the Forests   \ /     ASCII RIBBON CAMPAIGN
Burn a Greenie.     X      AGAINST HTML MAIL
                   / \
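
The routing question above, worked through as an added example that is not part of the original post: a strict reverse-path check (the test the Linux `rp_filter` sysctl performs) applied to log lines. The routing table mirrors the box described (192.168.1.0/24 via eth0, default via ppp0); the log format and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table for the box in the post (assumption):
# 192.168.1.0/24 is reached via eth0, everything else via ppp0.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
]

# Constructed, simplified key=value firewall log lines (not real traffic).
SAMPLE_LOG = """\
IN=ppp0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=80
IN=ppp0 SRC=192.168.1.1 DST=198.51.100.2 PROTO=UDP DPT=53
IN=eth0 SRC=192.168.1.20 DST=198.51.100.2 PROTO=TCP DPT=22
IN=eth0 SRC=10.9.8.7 DST=192.168.1.5 PROTO=ICMP
"""

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: interface the box would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_packet(in_iface, src, routes=ROUTES):
    """Strict reverse-path check: a reply to src must leave via in_iface."""
    reply_iface = route_lookup(src, routes)
    return {"src": src, "in": in_iface, "reply_via": reply_iface,
            "spoof_suspect": reply_iface != in_iface}

def parse_line(line):
    """Pull the arrival interface and source address out of one log line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["IN"], fields["SRC"]

def scan(log_text):
    """Return the packets whose source fails the reverse-path check."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    results = [check_packet(*parse_line(l)) for l in lines]
    return [r for r in results if r["spoof_suspect"]]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"suspect: src={r['src']} arrived on {r['in']}, "
              f"reply would leave via {r['reply_via']}")
```

The second sample line is the case from the post: the reply to 192.168.1.1 would leave via eth0, so the mismatch with the ppp0 arrival interface is what marks the packet for logging or dropping.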


