BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly

Mark C. Langston mark at bitshift.org
Wed Jul 21 16:12:12 PDT 2004


> 
> There are numerous ways one could (and in some cases should) block outbound
> packets generated by Mark's software:
> 1. A reasonable sysadmin must block outbound packets that are not actually
> coming from its own IP address space; 
> 2. A reasonable sysadmin should, if they're concerned about security, do
> internal filtering to ensure people can't IP-spoof across internal
> networks; 


Agreed wholeheartedly.  In fact, one of the things I usually do when I
describe/present this code is say, "Now, see?  If you'd do some
source-address spoof-prevention, you wouldn't have this problem!"

What I generally don't point out (because it should be fairly obvious)
is that source-address filtering at the firewall and router solves a
host of other problems as well, all generally associated with various
types of malware.

-- 
Mark C. Langston            GOSSiP Project          Sr. Unix SysAdmin
mark at bitshift.org   http://sufficiently-advanced.net    mark at seti.org
Systems & Network Admin      Distributed               SETI Institute
http://bitshift.org         P2P Antispam          http://www.seti.org
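
An added example, not part of the original post or of Mark's software: a minimal model of the two filtering points quoted above, the border egress check on the site's own address space and the per-interface internal anti-spoofing check. The prefixes, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed site layout (assumption): documentation and RFC 1918 prefixes.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.20.0.0/16")]
# Internal interfaces and the subnet attached to each (hypothetical names).
INTERNAL_IFACES = {
    "eng0": ipaddress.ip_network("10.20.1.0/24"),
    "ops0": ipaddress.ip_network("10.20.2.0/24"),
    "dmz0": ipaddress.ip_network("192.0.2.0/25"),
}

def internal_verdict(in_iface, src):
    """Point 2: a packet entering on an internal interface must carry a
    source address from the subnet attached to that interface."""
    net = INTERNAL_IFACES.get(in_iface)
    if net is None:
        return "drop: unknown interface"
    if ipaddress.ip_address(src) not in net:
        return f"drop: {src} not in {net} on {in_iface}"
    return "pass"

def border_verdict(src):
    """Point 1: a packet leaving the site must carry a source address
    from the site's own address space."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in SITE_PREFIXES):
        return "pass"
    return f"drop: {src} outside site address space"

def filter_outbound(in_iface, src):
    """Apply the internal check first, then the border check."""
    verdict = internal_verdict(in_iface, src)
    return verdict if verdict != "pass" else border_verdict(src)

# Constructed sample packets: (ingress interface, claimed source address).
SAMPLES = [
    ("eng0", "10.20.1.15"),    # legitimate
    ("eng0", "10.20.2.9"),     # claims a neighbouring internal subnet
    ("ops0", "203.0.113.77"),  # claims an outside address
    ("dmz0", "192.0.2.200"),   # in site space, but wrong half of the /24
]

if __name__ == "__main__":
    for iface, src in SAMPLES:
        print(f"{iface:5} {src:15} -> {filter_outbound(iface, src)}")
```

The last sample shows why the internal check matters even when the border check would pass: the address is inside the site's space, so only the per-interface filter catches it.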


