Is interface spoofing possible?



  • One commonly used iptables rule for Linux servers is this:

    # iptables -A INPUT -i lo -j ACCEPT

    Can we assume that this rule will only accept traffic which is sent from the local machine?

    Is it possible for a remote attacker to craft a packet that says "I arrived through the loopback interface", even if the packet arrived via a physical ethernet port?



  • An interface is a property of the current system and not a property of the transferred data. Therefore there is no information in the packet that allows specifying the interface the receiver should use, or which interface the receiver should report as used (i.e. a different interface shown than the one actually used).

    This does not mean, though, that an attacker could not indirectly cause malicious traffic originating at the loopback interface. For example, an external web page loaded in the browser on a machine is able to create network connections to 127.0.0.1 or ::1, which then originate at the loopback interface.
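The point above, as an added example that is not part of the original question or answer: the code below models how a receiver evaluates `-A INPUT -i lo -j ACCEPT`. The input interface is metadata the kernel attaches when it receives the frame and is not a field of the IPv4 header, so the sender has nothing to set; the header bytes, interface names and the `input_decision` helper are constructed for illustration.

```python
"""Added example (not from the original post). Models the receiver side of
`iptables -A INPUT -i lo -j ACCEPT`: the input interface is supplied by the
host's kernel, not carried in the packet. Packets and interface names are
constructed for illustration.
"""
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal IPv4 header (checksum left zero; constructed sample)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(
        IPV4_HDR_FMT, ver_ihl, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the on-the-wire fields. Note there is no 'interface' field:
    nothing in these bytes lets a sender claim it arrived via lo."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_HDR_FMT, raw[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF,
            "total_length": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def input_decision(in_iface: str, raw: bytes) -> str:
    """Mimic the INPUT chain: `-i lo -j ACCEPT`, then a martian check.

    `in_iface` comes from the receiving host (the kernel knows which device
    delivered the frame); the remote sender controls only the header bytes.
    """
    hdr = parse_ipv4_header(raw)
    if in_iface == "lo":
        return "ACCEPT"            # matched -i lo, whatever the addresses say
    if ipaddress.ip_address(hdr["src"]) in LOOPBACK_NET:
        # A 127/8 source on a physical interface is a spoofed "martian";
        # Linux's routing code rejects these before the INPUT chain is
        # consulted (unless route_localnet is enabled on the device).
        return "DROP (martian)"
    return "CONTINUE"              # fall through to later INPUT rules
```

A packet forged with a 127.0.0.1 source but arriving on eth0 never matches `-i lo`; the only thing the sender can spoof is the address, and that case is what the martian check covers.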


