Re: [EXIM] IP spoofing

Author: Nigel Metheringham
Date:  
To: exim-users
Subject: Re: [EXIM] IP spoofing
Additionally things are different depending on whether the attacker is
local or remote. If an attacker can clearly see/manipulate your local
network then it's very hard to do much to stop him - you may be able to
detect, and some attacks would require him to knock out legitimate
hosts which tends to be noticeable, but prevention will be tricky.

If the attacker is remote, and you control and have processing power on
your edge routers, then you can pretty much kill IP spoofing of local
hosts by filtering all incoming traffic such that internally addressed
traffic must come from inside the network and not be sent out of the
network. Source routing and some other IP options should be killed as
a matter of course.

Single-ended IP spoofing of things outside your network can be done if
TCP sequence prediction is possible. This depends on your OS release -
i.e. old BSDs and old Linux are easy to predict, recent Linux is near
impossible.

If the attacker has access to network infrastructure at the remote end
or the intermediate routers then a far more effective (and simple)
spoofing attack can be done. The only reasonable solution for this
sort of thing is authenticated connections using a cryptographically
secure method - one of the IPSEC type solutions or the sort of thing
done within ssh or SSL is one means.

    Nigel.
-- 
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]




--
*** Exim information can be found at http://www.exim.org/ ***