Re: ip routing



On Mon, 10 Jun 2002, Rick Murphy wrote:

> You're wrong. An attacker can source route through you (for example, they 
> can use 'telnet 10.0.0.1@your-firewall-ip' to route to your private network.)
> Mikael Olsson's attack also works - take over a host in the DMZ and alter 
> its routing table, then you use that as a springboard to attack the 
> private network.
> And, to be pedantic, there's nothing "illegal" about those addresses - 
> they're simply set aside for private network use. There's no guarantee that 
> any of the routers in the path between you and your attacker has blocking 
> enabled for those address ranges.

Just to add to the pile, not all attacks require that packets make it back 
to the attacker- blind attacks tend to work just fine for some set of 
vulnerabilities greater than 0.  Let's not forget encapsulation attacks 
too, not always possible, but things like VPN endpoints and misconfigured 
or easily compromised routers make those possible (a little different 
than springboarding.)

Also- while I'm on the soapbox, folks should be implementing egress 
filtering at their borders for anything that isn't a legitimate external 
address, and logging and responding to exceptions if possible.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net      which may have no basis whatsoever in fact."
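
The egress check recommended in the message above, as an added example that is not part of the original post: it classifies the source address of each outbound record at the border and reports the exceptions for logging and follow-up. The site prefix (an RFC 5737 documentation range), the log line format and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the prefixes legitimately assigned to this site
# (RFC 5737 documentation range used as a placeholder).
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
# Ranges set aside for private network use.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(src):
    """Return None if src may leave the border, else a reason string."""
    addr = ipaddress.ip_address(src)  # raises ValueError on garbage
    if any(addr in net for net in SITE_PREFIXES):
        return None
    if any(addr in net for net in PRIVATE_NETS):
        return "private-address-leak"   # un-NATed internal host
    if (addr.is_loopback or addr.is_multicast
            or addr.is_unspecified or addr.is_link_local):
        return "invalid-source"         # never valid as a routed source
    return "foreign-source"             # spoofed or unexpected transit

# Constructed sample records: "timestamp out-iface src dst proto"
SAMPLE_LOG = """\
2002-06-10T09:00:01 ext0 198.51.100.17 203.0.113.5 tcp
2002-06-10T09:00:02 ext0 10.0.0.23 203.0.113.5 tcp
2002-06-10T09:00:03 ext0 192.0.2.99 203.0.113.80 udp
2002-06-10T09:00:04 ext0 127.0.0.1 203.0.113.5 icmp
2002-06-10T09:00:05 ext0 not-an-ip 203.0.113.5 tcp
"""

def egress_exceptions(log_text):
    """Return (timestamp, src, dst, reason) for every record to drop and log."""
    exceptions = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # not a flow record in the assumed format
        ts, _iface, src, dst, _proto = fields
        try:
            reason = classify_source(src)
        except ValueError:
            reason = "unparseable-source"
        if reason:
            exceptions.append((ts, src, dst, reason))
    return exceptions

if __name__ == "__main__":
    for exc in egress_exceptions(SAMPLE_LOG):
        print("EGRESS-EXCEPTION", *exc)
```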

_______________________________________________
Firewalls mailing list
Firewalls@lists.gnac.net