by derpherpsson 2392 days ago
Correct me if I am wrong, but...

If I just make sure that incoming packets that are destined for the VPN LAN are dropped, this attack does not work?

Of course there are such rules in our firewalls??

Is everyone walking around without any firewall filtering nowadays? How is this a bug? Maybe I am just stupid. Did I miss something?

1 comments

TCP/IP stack was dropping this by default .. until systemd decided to switch the default https://news.ycombinator.com/item?id=21713479
The default behaviour of the kernel is no rp filtering at all. Older versions of systemd enabled strict rp filtering, no doubt causing the same sort of complaints from people who like to complain about that sort of thing. Newer versions relaxed this to loose rp filtering for the reasons explained in the commit message.
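
To check which of the modes discussed in this thread a given host actually applies, here is an added example (not part of the thread or of any project's code) that reports the effective IPv4 `rp_filter` mode per interface. The kernel validates with the higher of `conf/all/rp_filter` and `conf/<iface>/rp_filter`; the function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the effective IPv4 reverse-path filter mode per interface.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for source
# validation, so "all" set to loose (2) overrides a per-interface strict (1).
# The optional root argument is an assumption of this example so the functions
# can be pointed at a constructed directory tree instead of /proc.

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

effective_rp_filter() {
    # $1 = interface name, $2 = conf root (default: the live sysctl tree)
    root="${2:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$root/all/rp_filter" 2>/dev/null) || return 1
    ifv=$(cat "$root/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$ifv" -gt "$all" ]; then echo "$ifv"; else echo "$all"; fi
}

audit_rp_filter() {
    # $1 = conf root (optional). Prints one line per interface.
    root="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$root"/*/; do
        ifc=$(basename "$d")
        case "$ifc" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$ifc" "$root") || continue
        note=""
        if [ "$eff" -ne 1 ]; then note="  <- not strict"; fi
        printf '%s\t%s (%s)%s\n' "$ifc" "$eff" "$(rp_mode_name "$eff")" "$note"
    done
}

# Usage after sourcing this file: audit_rp_filter
```
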