
Skip The IP Address

j0hnyb1423 writes "Have you ever wanted to be able to connect to that stackless Snort or Hogwash box without walking over to it and plugging in a monitor and keyboard? Well, at last here's your answer - noiptun. Yes, it requires an IP stack to be compiled into the kernel but no IP addresses necessary on the real interface(s). And if stealth IDS setups aren't your bag, then you can at least use it to browse /. without having an IP bound to your linux workstation."

24 comments

  1. Is it just me.. by mivok · · Score: 3, Insightful

    or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place? What's to stop an attacker connecting through the tunnel to the noip'd box?

    1. Re:Is it just me.. by Spoing · · Score: 1
      or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place? What's to stop an attacker connecting through the tunnel to the noip'd box?

      It's an encrypted, secure service. Says so on the first page.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Is it just me.. by Anonymous Coward · · Score: 0

      Do you really think that the script kiddies can compile this noiptun program? They are stupid, you know.

    3. Re:Is it just me.. by hbackert · · Score: 4, Informative

      What's to stop an attacker connecting through the tunnel to the noip'd box?

      The box itself will stop such traffic (only if it's a known exploit, though). The bad traffic usually comes from outside. The management and this tunnel are supposed to connect from the internal network. The problem with such bridging boxes is that they either don't have an IP address and are only administrable via the console or configurable via booting/floppy/CD, or they have another interface on a secure network to administer them. Switches usually have a dedicated network for their administration. In the latter case, the box has an IP address. In all cases, administration is not supposed to be done via an in-band network connection.

      The whole point of this noiptun is to get rid of this extra interface which is usually needed to do some kind of administration.

    4. Re:Is it just me.. by Spoing · · Score: 1

      Before someone makes a comment on "how do you know it's secure": I don't. I'm just relaying what shows up on the link within the first couple of paragraphs.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    5. Re:Is it just me.. by Spoing · · Score: 0, Offtopic

      Never mind. I'm a moron.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:Is it just me.. by Anonymous Coward · · Score: 3, Funny
      Never mind. I'm a moron.

      How do you know?

    7. Re:Is it just me.. by mivok · · Score: 1

      Ah.. I was under the impression that this would allow you to connect to a box that just listens on the network and acts as a logging machine, which would have just one interface without an IP address, and a console connection for administration; the benefit of not having an IP is that there is no way for an attacker to connect remotely and modify the logs.

      But I can see the use now.. methinks I may need to reread the article.

    8. Re:Is it just me.. by SlashSpam · · Score: 2, Informative

      From the README of Noiptun:

      If you've been paying careful attention you will have noticed that there has been no mention of any mechanism to prevent the traffic from continuing on to its intended destination, i.e. the IP address the server was using to route the traffic to the client machine. The answer is that noiptun has no way to handle this issue and it must be dealt with through other means if deemed important enough. One way this can be solved is by creating an appropriate Hogwash or inline Snort rule to drop the traffic; using firewall rules to filter the traffic is also possible. Please note, however, that noiptun makes no attempt to deal with this issue whatsoever and it's up to you to make sure the traffic is dropped and doesn't waste unnecessary bandwidth.
      /Spam.
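      Added example, not from noiptun's README or any poster in this thread: a model of the bridge-side rule the README above leaves to the operator, combined with hbackert's point that the tunnel should only be originated from the internal network. The IP-less box sniffs tunnel packets addressed to a decoy IP that the "server" routes across the bridge; without a rule those packets continue on to the decoy host. The decoy address, management segment, tunnel port and all sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses, the port and the sample packets below are constructed for the
# example; the port noiptun really uses is an assumption, not taken from the README.
DECOY_IP = ip_address("192.0.2.77")     # address the "server" routes tunnel packets to
TUNNEL_PORT = 4000                      # assumed tunnel port
MGMT_NET = ip_network("10.10.0.0/24")   # internal segment admins connect from

@dataclass(frozen=True)
class Packet:
    iface: str   # bridge port the frame arrived on: "inside" or "outside"
    src: str
    dst: str
    dport: int

def naive_bridge(pkt):
    """What the README warns about: the bridge forwards everything, so tunnel
    packets continue on to the decoy host after the sniffer has read them."""
    return "forward"

def policy_bridge(pkt):
    """Bridge-side rule: decoy-bound tunnel packets are consumed locally and
    dropped from the forwarding path; only the internal side may originate them."""
    if ip_address(pkt.dst) == DECOY_IP and pkt.dport == TUNNEL_PORT:
        if pkt.iface == "inside" and ip_address(pkt.src) in MGMT_NET:
            return "deliver"   # hand to the local sniffer, never forwarded
        return "drop"          # in-band attempt from outside the management segment
    return "forward"           # unrelated traffic crosses the bridge untouched

def reaches_decoy(packets, policy):
    """Packets that would still arrive at the decoy host under a given policy."""
    return [p for p in packets if policy(p) == "forward" and ip_address(p.dst) == DECOY_IP]

def verdicts(packets, policy):
    counts = {"deliver": 0, "drop": 0, "forward": 0}
    for p in packets:
        counts[policy(p)] += 1
    return counts

SAMPLE = [  # constructed traffic seen on the bridge
    Packet("inside", "10.10.0.5", "192.0.2.77", 4000),      # admin's tunnel packet
    Packet("outside", "198.51.100.9", "192.0.2.77", 4000),  # tunnel attempt from outside
    Packet("inside", "10.10.0.5", "192.0.2.77", 80),        # ordinary traffic to the decoy host
    Packet("outside", "198.51.100.9", "10.10.0.20", 22),    # unrelated traffic
]
```

      Compare `reaches_decoy(SAMPLE, naive_bridge)` with `reaches_decoy(SAMPLE, policy_bridge)` to see which tunnel packets would leak past the bridge without the rule.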
    9. Re:Is it just me.. by Anonymous Coward · · Score: 2, Interesting
      Is it just me.. or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place?

      I agree, but for a different reason. This box has an IP address. It uses one, so it has an IP address. Any other definition is pointless. What it doesn't have is an IP stack, which the story gets right. Only the title says it has no IP address.

    10. Re:Is it just me.. by Random832 · · Score: 1
      Noiptun is a client-server based application that allows secure communication with computers that do not have an IP address.
      The story itself also says that an IP _stack_ is required, but no _address_... you are the one who has it backwards.
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  2. Your computer.... by Anonymous Coward · · Score: 4, Funny

    is NOT broadcasting an IP address. You're safe, please move along.

  3. Ummm.... VLANS... by MegaHamsterX · · Score: 2, Informative

    I haven't had a problem with VLANs in Linux.
    Since all the addresses on the internal VLAN are non-routable, you'd need a box with an external public IP address, with one of the VLANs built to it from the switch as well as the internal VLAN, to make a compromise; this should never happen.

    This seems kinda like a rigged situation: if you have an IDS you probably also have switches which support VLANs.

    1. Re:Ummm.... VLANS... by quantum+bit · · Score: 1

      ...or just inject some 802.1q tagged packets with the VLAN number set to whatever you want.

  4. It's backwards client server by Animats · · Score: 2, Insightful
    That's an amusing approach.

    The author must be an X Windows fanatic. He uses the terms "client" and "server" backwards. The end that sits there passively waiting for someone to connect is called the "client", and the end you run when you want to talk is called the "server".

    Note that the "client" opens an Ethernet interface in promiscuous mode, so if you put this on a machine on a busy network, it's going to spend most of its time discarding packets.

    Send this guy a roll of duct tape.

    1. Re:It's backwards client server by j0hnyb1423 · · Score: 4, Informative

      The machine running the client is usually assumed to be running on a bridge interface with no IP of its own. As such, it won't be discarding any packets. As far as the naming scheme for client/server goes, there is actually a good reason why the IP-less side is running the client while the end connecting to it is called the server. When the project began, the idea was to be able to use one "server" to connect to many clients. This functionality isn't currently there, and at the moment only a one-to-one relationship is possible, but the naming scheme makes sense viewed from that angle.

    2. Re:It's backwards client server by ivan256 · · Score: 5, Informative

      What?

      The end that sits there passively waiting for someone to connect is called the "client", and the end you run when you want to talk is called the "server".

      That's not how X works, nor is the terminology backwards. In X, the resource that's being served is the terminal (the display and input devices). The server sits around waiting for the clients (applications) to connect to it.

      The problem is that you think server means remote and client means local, and that's just wrong; it's actually about who is providing resources and who is consuming them.

    3. Re:It's backwards client server by Anonymous Coward · · Score: 0

      Heh. I remember when I first learned X, someone said to me "client and server are back to front in X terminology". Confused me for over an hour; MY initial assumption gelled with X usage, because it made logical sense. So I "corrected" my initial assumption (thanks, idiot tutor!), and then had to re-correct it.

  5. arp -s anybody? by teqo · · Score: 1
    Uhmm... I might be wrong, but what about using the arp command option -s to permanently attach an ARP address to some (made up) IP address? In effect, this allows for reaching that host without specific IP address as well...

    What does noiptun add in functionality to this, what have I missed?

    1. Re:arp -s anybody? by j0hnyb1423 · · Score: 1

      arp -s is another way to go; what noiptun provides, however, is the ability to connect to boxes across the internet, not just on the local network. Plus it can encrypt the traffic, so it gives arguably more security.

    2. Re:arp -s anybody? by teqo · · Score: 2, Insightful
      Re-reading the documents available on the noiptun site, it seems that you need some kind of IP-addressable machine that works as a proxy to reach the actual noiptun'ed box bearing no IP address, in case you want to connect from outside the same network segment (speaking of layer 2 here), because ARP will not be routed... If I understood this correctly, this in fact is nothing a permanent arp'ing machine couldn't do; maybe it would feel a bit less convenient when using arp -s proxies, though. Which is not the fault of noiptun itself...

      Then, if I can connect to a machine using arp -s (maybe through some similar proxy), I can use whatever protocol I want, including SSL, SSH etc.

      I don't want to diss the noiptun people; every idea being made reality has some value for somebody, and I guess this will be of some use for hidden Snort users... But in fact, I am not as excited as some others among the /. crowd, because it just does not feel as rocket-science-ish to me as the headline suggests...

    3. Re:arp -s anybody? by j0hnyb1423 · · Score: 2, Informative

      I think my previous response gave the impression that noiptun and arp -s are in fact functionally similar. In fact, arp -s will NOT let you connect to a machine without an IP address. It will let you send packets to it, but the machine will not process them since the IP you're sending the packets to does not exist there.

  6. I(P) 4.1... by Anonymous Coward · · Score: 0

    Welcome our new IP-less computerized overlords!! Their lack of keyboard and monitor makes them so superior to us, puny humans...

  7. Oh great! by Skapare · · Score: 1

    Oh great! Now I won't be able to track down what open relay was used to send me spam.

    --
    now we need to go OSS in diesel cars