[1372] in bugtraq
Re: Watcher page moved (and ObBug)
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Sat Apr 1 09:51:54 1995
From: smb@research.att.com
To: Tom Fitzgerald <fitz@wang.com>
Cc: mcn@engarde.com (Mike Neuman), bugtraq@fc.net
Date: Sat, 01 Apr 95 08:05:21 EST
	 Interesting questions are:

	 1) should TCP check the sequence number to avoid RST bombs?

Not only should but must, and I think does; see RFC 793.

	 2) Should it check the sequence number to block ICMP redirect
	    bombs?

Absolutely.

	 3) Should it check the MAC source address of ICMP redirects
	    against the ARP table entry of the sender?

Don't bother; the attacker is probably coming through your legitimate
router.

	 4) Should routers discard received redirects that aren't
	    addressed to the router?

Routers should always ignore Redirects. RFC 1009 permits them to listen,
but this is a bad idea -- routers run routing protocols, and hence don't
need such primitive methods to learn the proper path. RFC 1716, which
is a step towards a likely replacement for 1009, says this:

   A router using a routing protocol (other than static routes)
   MUST NOT consider paths learned from ICMP Redirects when
   forwarding a packet. If a router is not using a routing
   protocol, a router MAY have a configuration which, if set,
   allows the router to consider routes learned via ICMP Redirects
   when forwarding packets.

   DISCUSSION:
      ICMP Redirect is a mechanism for routers to convey routing
      information to hosts. Routers use other mechanisms to learn
      routing information, and therefore have no reason to obey
      redirects. Believing a redirect which contradicted the
      router's other information would likely create routing
      loops.

      On the other hand, when a router is not acting as a router,
      it MUST comply with the behavior required of a host.
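
The sequence-number checks discussed under questions 1 and 2, as an added example that is not part of the original message and not taken from any real TCP stack. The `struct tcb` layout and both function names are hypothetical, and addresses are assumed to be stored in host byte order.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical per-connection state; field names follow RFC 793 (SND.UNA etc.). */
struct tcb {
    uint32_t laddr, raddr;      /* local / remote IPv4 address, host order */
    uint16_t lport, rport;      /* local / remote TCP port */
    uint32_t snd_una, snd_nxt;  /* oldest unacked / next sequence number to send */
    uint32_t rcv_nxt, rcv_wnd;  /* next expected sequence number / receive window */
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* RFC 793 reset check for a synchronized connection: SEG.SEQ must lie in the
 * receive window. Unsigned subtraction handles sequence-number wraparound. */
int rst_acceptable(const struct tcb *c, uint32_t seg_seq) {
    if (c->rcv_wnd == 0)
        return seg_seq == c->rcv_nxt;
    return seg_seq - c->rcv_nxt < c->rcv_wnd;
}

/* quote = bytes following the 8-byte ICMP header of a redirect: the offending
 * datagram's IP header plus its first 8 bytes (TCP ports and sequence number).
 * Returns 1 only if it describes a segment this connection could have sent. */
int redirect_quote_plausible(const struct tcb *c, const uint8_t *quote, size_t len) {
    if (len < 20 || (quote[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(quote[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || quote[9] != 6)    /* 6 = TCP */
        return 0;
    if (be32(quote + 12) != c->laddr || be32(quote + 16) != c->raddr)
        return 0;
    const uint8_t *tcp = quote + ihl;
    if (be16(tcp) != c->lport || be16(tcp + 2) != c->rport)
        return 0;
    /* Quoted sequence number must fall in SND.UNA..SND.NXT (sent, not yet acked). */
    return be32(tcp + 4) - c->snd_una <= c->snd_nxt - c->snd_una;
}
```

A sender who cannot observe the connection has to guess a sequence number inside the current window for either check to pass.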