> Adding a rule for the interface denying packets from oneself appears to
> defend against the new attack.
>
> This rule worked:
> 03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0
> Where 128.2.91.57 is the host's IP address on device ed0.
>
> Adding this to rc.firewall on FreeBSD is also a good idea. Multi-homed
> hosts require one entry per device, needless to say.
With terminal servers which have IP addresses which move from interface
to interface, the following rules are more generic:
----------------------------------------------
#!/bin/sh
/sbin/ipfw add 1 allow ip from any to any via lo0
for ip in 127.0.0.1 192.2.3.4 192.2.3.6 192.7.8.9
do
/sbin/ipfw add 2 deny log ip from $ip to any in
done
-----------------------------------------------
The above will prevent all self-spoofing attacks. The posted (and
merged) fix in tcp_input.c will not prevent attacks where packets are
formed to go from one interface to another on a multi-homed machine.
I have not verified that the multi-homed attack works, but my guess is
that it would.
Sigh. I had made a start on reducing vulnerability to this sort of thing
in rc.firewall, but I had only got as far as 127.0.0.0/8 and had to get
back to money-earning work. Looks like I should finish the job.
Danny