Bill Ricker wrote:
> ANYONE who can route a packet to your server via your NAT address and
> guess (or iterate) your NIC MAC can reboot your server. Since the
> manufacturer and model number are encoded in the MAC, there are far
> fewer than 48 secret bits. Maybe this and an attacker who finds this
> thread googling for Business and Whack on lan and then googling for
> your customer is comfortable but I would be leery.
>
> Why is it ok for the authors then? The one dollar solution is cost
> effective if a grad student (or salaried tech with slack time) makes a
> couple hundred assembly-line style and installs them in an S/HPC
> Cluster as it's built. An assembly line supervised by a professor of
> EE will be producing good solder joints with good mechanicals. Since
> the cluster compute nodes are typically on a private, non-routable LAN
> segment, there is NO security concern, as only the head node can Whack
> them.

Close. In the specific case of these authors, each of their nodes has 5 NICs, one of which is dedicated to the "Control net" (the other 4 are experimenter-controlled). The control net is actually public/routable. My guess is that they use a firewall to block the whack packets from "out there", since the only machine that should be issuing them is a control node on the local LAN.

That's still not a good answer for Chris though, since he specifically wants to issue the 'whack packet' from a non-local machine (i.e. outside the firewall), and source IP addresses can be easily spoofed (e.g. if you tried to do an IP-based firewall rule to allow those packets from certain machines).

An authenticated port-knocking scheme on the firewall could work though (supposing you've got a firewall that is a separate machine and it's iptables or ipfw based, this might do the trick: http://www.cipherdyne.org/fwknop/ )

Matt
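The authenticated-knock idea from the reply above, as an added example that is not part of the original message and is not fwknop's code or packet format: a firewall-side check that accepts a "whack" request only when it carries a valid HMAC, a fresh timestamp and an unused nonce, so neither a spoofed source IP nor a guessed MAC is enough. The pre-shared key, the packet layout, MAX_SKEW and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 30  # seconds a knock stays valid (assumed value)
PACKET_LEN = 8 + 16 + 6 + 32  # timestamp, nonce, target MAC, HMAC tag


def make_knock(key, target_mac, now=None):
    """Client side: timestamp || nonce || target MAC || HMAC-SHA256 tag."""
    ts = int(time.time() if now is None else now)
    body = struct.pack("!Q", ts) + os.urandom(16) + target_mac
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KnockVerifier:
    """Firewall side: accept a knock only if authentic, fresh and unseen."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> packet timestamp, used to reject replays

    def verify(self, packet, now=None):
        """Return the target MAC to wake, or None if the knock is rejected."""
        now = time.time() if now is None else now
        if len(packet) != PACKET_LEN:
            return None
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered; the source IP is never consulted
        ts = struct.unpack("!Q", body[:8])[0]
        nonce, mac = body[8:24], body[24:30]
        if abs(now - ts) > MAX_SKEW:
            return None  # stale capture replayed later
        # Forget nonces whose packets could no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return None  # replay inside the validity window
        self.seen[nonce] = ts
        return mac
```

Only after verify() returns a MAC would the firewall host emit the wake packet on the local control LAN, so the wake packet itself never has to cross the firewall.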
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.