[H-GEN] Network Nasties
Ian Lister
s350797 at student.uq.edu.au
Thu Mar 2 02:38:31 EST 2000
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
On Thu, 2 Mar 2000, Everist, Geoff wrote:
>Ahh...that makes sense, thank you for your insight. It would be interesting
>to see if it is possible to get a packet destined for my address but with a
>spoofed source address in the private range delivered if sent from another
>ISP

Yes, that would be a good test (although of course you will not be able to
get a reply to your packet back to the source).

> (i.e. to test whether my ISP's border routers are rejecting private
>source addresses coming in from the outside world). If they are, then the
>only worry I would have (if I was not doing my own filtering in my firewall)
>is from malicious hackers or compromised hosts within my ISP (ack!).
>
>Just taking that a little further, how is using a private address space more
>secure? All it takes is one host on the network to be compromised, and the
>whole internal network is opened up.

Yes, but it does take one host on the network to be compromised. This is not
usually trivial :-), but given that (as you noted below) all customers are
part of the network (and there are quite a few customers), it does become a
lot more of a worry.

> There does not appear to be any access
>restraints on the private address space; I have a bog standard permanent
>modem account (I do not use the VPN services) and yet I can traceroute to
>and receive packets from the VPN addresses.

This does seem to be a bit of a hole in the scheme of things, but at least
none of a VPN's traffic will ever go past other customers' hosts. Thus your
data cannot be sniffed (except by the ISP themselves), which was one of the
original points (IIRC), and potential attacks are somewhat limited.

Ian