The MAC address of the router must be visible on the upstream link, or the router is useless. Isn't that the only information that is being leaked? The router is only trying to prevent pinging of boxes _behind_ the firewall. As a side effect, you can't ping the router.

John Carter wrote:
We're mucking about with openwrt routers and we stumbled across this
curious scenario...


We couldn't ping the router yet we could see the ethernet mac address
in the arp cache.

Clear the address out of the cache, check it's not there, ping, the
ping fails, check the arp cache, and lo, the mac address is there
again!

The critical clue was the router could ping the PC.


Solution?

The router has a fairly fancy firewall thingy that was rejecting the
incoming ICMP ip packet, but the arp is handled at the ethernet MAC
layer _below_ the ip layer.

Hence the subject line... subtle info leak of the year.

Firewalls leak tiny bits of info at the mac level, even if they
reject everything at the IP level.



John Carter                             Phone : (64)(3) 358 6639
Tait Electronics                        Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch                Email : john.car...@tait.co.nz
New Zealand


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

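The behaviour described in the original message, as an added example that is not part of the thread: a small Python model of a router that answers ARP at the Ethernet layer while an IP-layer rule drops ICMP echo requests. The addresses, the `drop_ping` flag and all function names are constructed for illustration, and checksums are left at zero.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
ICMP_PROTO, ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 1, 8, 0

# Constructed addresses (192.0.2.0/24 documentation range), not from the thread.
ROUTER_MAC, ROUTER_IP = bytes.fromhex("020000000001"), bytes([192, 0, 2, 1])
PC_MAC, PC_IP = bytes.fromhex("020000000002"), bytes([192, 0, 2, 10])
BROADCAST = b"\xff" * 6

def frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_packet(op, sha, spa, tha, tpa):
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4; op 1=request, 2=reply
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha + spa + tha + tpa

def ipv4_icmp(src_ip, dst_ip, icmp_type):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # checksum 0 in this model
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO, 0)
    return hdr + src_ip + dst_ip + icmp

def router_receive(raw, drop_ping=True):
    """Return the frame the router sends back, or None if it stays silent."""
    src = raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    payload = raw[14:]
    if ethertype == ETH_ARP:
        # ARP is resolved below the IP layer, so the IP-layer rule never sees it.
        (op,) = struct.unpack("!H", payload[6:8])
        spa, tpa = payload[14:18], payload[24:28]
        if op == 1 and tpa == ROUTER_IP:
            reply = arp_packet(2, ROUTER_MAC, ROUTER_IP, src, spa)
            return frame(src, ROUTER_MAC, ETH_ARP, reply)
    elif ethertype == ETH_IPV4 and payload[9] == ICMP_PROTO:
        ihl = (payload[0] & 0x0F) * 4
        # Hypothetical IP-layer rule: drop inbound echo requests when drop_ping is set.
        if payload[ihl] == ICMP_ECHO_REQUEST and not drop_ping:
            reply = ipv4_icmp(ROUTER_IP, payload[12:16], ICMP_ECHO_REPLY)
            return frame(src, ROUTER_MAC, ETH_IPV4, reply)
    return None

def pc_view(drop_ping=True):
    """What the PC learns: (MAC from the ARP reply, whether the ping was answered)."""
    who_has = arp_packet(1, PC_MAC, PC_IP, b"\x00" * 6, ROUTER_IP)
    arp_reply = router_receive(frame(BROADCAST, PC_MAC, ETH_ARP, who_has), drop_ping)
    echo = ipv4_icmp(PC_IP, ROUTER_IP, ICMP_ECHO_REQUEST)
    ping_reply = router_receive(frame(ROUTER_MAC, PC_MAC, ETH_IPV4, echo), drop_ping)
    learned = arp_reply[22:28].hex(":") if arp_reply else None  # sender MAC field
    return learned, ping_reply is not None
```

With the rule enabled, `pc_view()` still yields the router's MAC while the ping goes unanswered, which matches the ARP cache repopulating after a failed ping.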