North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: address spoofing
>I have traces of FTP PORT directives with Net 10 addresses in them, and >even one in which a public address was included in the first PORT directive >but a Net 10 address in a retransmission of the same directive! i've seen a situation where this happens. the ipfw and ipnat code that has been integrated into operating systems like netbsd and openbsd have a "bug" (or a feature, depending on your point of view) where the port command doesn't get rewritten if the crlf that terminates the line of the port command are sent in a separate packet to the ipnat router. in this case the offending sender was a linux box (surprise?). since the ipnat code insisted that the crlf come in the same packet, the port command went out with an (internal) address. my fix for the problem was to remove the check for the crlf. two other possible fixes are to drop the incomplete port command (and force retransmission) or to "buffer" the partial command and wait for the rest. -- |-----< "CODE WARRIOR" >-----| [email protected] * "ah! i see you have the internet [email protected] (Andrew Brown) that goes *ping*!" [email protected] * "information is power -- share the wealth."