[19516] in bugtraq
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
daemon@ATHENA.MIT.EDU (Lars Mathiesen)
Tue Mar 6 16:45:11 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <1010306114838.ZM6221@fafnir>
Date: Tue, 6 Mar 2001 11:48:37 +0000
Reply-To: Lars Mathiesen <syl@ECMWF.INT>
From: Lars Mathiesen <syl@ECMWF.INT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Neil W Rickert <rickert+bt@CS.NIU.EDU> "Re: Loopback and multi-homed routing flaw in TCP/IP stack." (Mar 5, 20:07)
On Mar 5, 20:07, Neil W Rickert wrote:
> I am surprised to see this described as a flaw. It is behavior I
> have been relying on for some time. Specifically, on my client
> machines, I add a route to the alternate interface of my servers via
> the direct interface of the same server. This allows direct
> connection to the server without relying on a router, regardless of
> which IP address is used for the service. For NFS clients, I
> consider it important to be able to do this.
We use a similar trick to provide failover between internal LANs for
our servers: Every functioning interface announces the 'well-known'
server address via a routing protocol, and the clients either run gated
or rely on a router to pick the best route that they see an
announcement for.
> If there is a flaw, it is surely in the thinking of people who
> mistakenly assumed that multi-homed systems would not behave so as to
> allow this.
I concur totally. Back when I designed security solutions (admittedly
high end) for a living, best practice was that any system with a reason
to distinguish its interfaces must have the less secure one on a
dedicated LAN segment to a real router with antispoofing filters in
place. And that includes commercial firewalls.
(Of course a firewall should by default discard packets arriving at the
wrong interface, but better safe than sorry).
The farm of misconfigured NT web servers should be on a different LAN
interface on the router, so rooting one won't enable an attacker to
install password sniffers or send malformed or misrouted packets to the
firewall/mail gateway/whatever.
--
Lars.Mathiesen@ecmwf.int
ECMWF, Shinfield Park,
Reading, Berks.
RG2 9AX England
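As an added illustration, not part of Lars's or Neil's messages: the Python model below makes the two behaviours discussed in this thread concrete. A multi-homed server with the "weak host" behaviour accepts a packet for any of its addresses on any interface, which is exactly what Neil's client-side host route to the alternate address via the direct interface relies on; a "strong host" policy would reject it. The strict reverse-path check is the anti-spoofing filter Lars wants on the router (the same idea as Linux net.ipv4.conf.all.rp_filter=1 or a router ACL on the less secure segment). The topology, interface names and addresses are constructed for the example.

```python
"""Packet-acceptance policy on a multi-homed host (constructed example).

Topology assumed for the demo (not from the original post):
  server  eth0 10.0.1.5/24 (internal LAN)   eth1 10.0.2.5/24 (less secure LAN)
  client  eth0 10.0.1.20/24 plus a host route 10.0.2.5/32 via 10.0.1.5
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4
    network: Net


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    via: Optional[IPv4] = None  # None means directly connected


class Host:
    """Multi-homed host with a longest-prefix-match routing table."""

    def __init__(self, interfaces, extra_routes=()):
        self.ifaces = {i.name: i for i in interfaces}
        # Connected routes come from the interfaces; static routes are appended.
        self.routes = [Route(i.network, i.name) for i in interfaces] + list(extra_routes)

    def is_local(self, addr: IPv4) -> bool:
        return any(i.address == addr for i in self.ifaces.values())

    def lookup(self, dst: IPv4) -> Optional[Route]:
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def accepts(self, in_iface: str, src: IPv4, dst: IPv4,
                strong_host: bool = False, rp_filter: bool = False) -> tuple[bool, str]:
        """Decide whether a packet arriving on in_iface is delivered locally.

        strong_host=False is the weak-host behaviour the thread discusses: any
        local address is accepted on any interface.  strong_host=True accepts
        only the address configured on the arrival interface.  rp_filter=True
        adds a strict reverse-path check: the route back to src must leave via
        in_iface, otherwise the source is treated as spoofed.
        """
        if not self.is_local(dst):
            return False, f"{dst} is not a local address"
        if strong_host and self.ifaces[in_iface].address != dst:
            return False, f"{dst} is not the address of {in_iface} (strong host model)"
        if rp_filter:
            back = self.lookup(src)
            if back is None or back.iface != in_iface:
                return False, f"reverse path to {src} is not via {in_iface} (anti-spoofing)"
        return True, "accepted"


def build_server() -> Host:
    return Host([
        Interface("eth0", IPv4("10.0.1.5"), Net("10.0.1.0/24")),
        Interface("eth1", IPv4("10.0.2.5"), Net("10.0.2.0/24")),
    ])


def build_client() -> Host:
    """Client on the internal LAN with a host route to the server's alternate
    address via the server's direct address (the trick from the thread)."""
    return Host(
        [Interface("eth0", IPv4("10.0.1.20"), Net("10.0.1.0/24"))],
        extra_routes=[Route(Net("10.0.2.5/32"), "eth0", via=IPv4("10.0.1.5"))],
    )


def demo() -> dict:
    server, client = build_server(), build_client()
    src, dst = IPv4("10.0.1.20"), IPv4("10.0.2.5")
    out_route = client.lookup(dst)  # client sends via next hop 10.0.1.5
    # The packet arrives on whichever server interface owns the next-hop address.
    arrival = next(i.name for i in server.ifaces.values() if i.address == out_route.via)
    return {
        "client_next_hop": str(out_route.via),
        "weak_host": server.accepts(arrival, src, dst)[0],
        "strong_host": server.accepts(arrival, src, dst, strong_host=True)[0],
        # Attacker on the less secure LAN (eth1) spoofing an internal source.
        "spoof_no_rpf": server.accepts("eth1", src, dst)[0],
        "spoof_with_rpf": server.accepts("eth1", src, dst, rp_filter=True)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The interesting row is `spoof_no_rpf`: without the reverse-path check the server happily accepts a packet on the less secure interface that claims an internal source, which is why Lars puts that interface behind a router with anti-spoofing filters rather than trusting the host to tell its interfaces apart.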