Re: Could an ICMP Redirect have disconnected my server?



ljb wrote:
First, my questions, then explanation. Any help would be appreciated.

Does Linux (2.4.x) act on ICMP Redirect packets by default?
If so, can an ICMP Redirect override a static default route?
If so, does a routing table entry from an ICMP Redirect time out?

I have this Linux server that went mostly off-line suddenly today,
disconnecting a number of database users and such. The server is on an
intranet, private static IP address and one default route to an internal
router. (The only odd thing is that there are multiple logical subnets on
the same physical subnet.) When it dropped all those connections, it was
still reachable from, and could still reach, systems with the same subnet
number. Unfortunately, I didn't realize that at the time - I found two
systems that could still reach it, but I didn't make the subnet connection.
So I didn't check the routing table until later. About 90 minutes after it
dropped off, it came back up; nobody did anything to it - it just started
talking to the network normally again.

Trying to figure out what happened, I was wondering if a 'rogue' ICMP
redirect could cause this. Is this possible?

Hi,

From my personal lab experience a few weeks ago, I found out that my Linux box (FC6) did not accept ICMP Redirect by default (my WinXP did, though).

And there is a timeout on learned routes via ICMP redirect, it is 10 minutes.

From the testing I did in the lab, forging packets, I was only able to send ICMP redirects for hosts only, not complete subnets (but that is from limited experience; maybe it is feasible, but I was not able to). Put differently, I could only send ICMP redirects for routes with a /32 mask, a host.

Hope this helps in any way.

PS: If you wanna try to reproduce the problem, try using the Linux Excalibur packet forger; it works well and is a nice study tool.
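
Whether a particular Linux host acts on ICMP redirects can be read from its per-interface sysctls. The script below is an added example, not part of the original thread: it applies the rule from the kernel's ip-sysctl documentation to each interface, and the `CONF_ROOT` override is an assumption added so it can be pointed at a copy of the tree.

```shell
#!/bin/sh
# Added example: report whether each interface will act on ICMP redirects.
# Rule from the kernel's ip-sysctl documentation:
#   forwarding enabled  -> accepted only if conf/all AND conf/<if> are set
#   forwarding disabled -> accepted if conf/all OR conf/<if> is set
#   secure_redirects    -> enabled if conf/all OR conf/<if> is set
# CONF_ROOT is overridable (assumption, for auditing a copied tree).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

read_flag() {  # read_flag <iface> <name>; prints 0 if the file is missing
    if [ -r "$CONF_ROOT/$1/$2" ]; then
        cat "$CONF_ROOT/$1/$2"
    else
        echo 0
    fi
}

effective_accept_redirects() {  # prints 1 if <iface> will accept redirects
    all=$(read_flag all accept_redirects)
    ifc=$(read_flag "$1" accept_redirects)
    fwd=$(read_flag "$1" forwarding)
    if [ "$fwd" -ne 0 ]; then
        if [ "$all" -ne 0 ] && [ "$ifc" -ne 0 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" -ne 0 ] || [ "$ifc" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

effective_secure_redirects() {  # prints 1 if only known gateways are trusted
    if [ "$(read_flag all secure_redirects)" -ne 0 ] ||
       [ "$(read_flag "$1" secure_redirects)" -ne 0 ]; then echo 1; else echo 0; fi
}

audit_redirects() {  # one line per interface: <iface> accept=<0|1> secure=<0|1>
    for dir in "$CONF_ROOT"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        echo "$iface accept=$(effective_accept_redirects "$iface") secure=$(effective_secure_redirects "$iface")"
    done
}

audit_redirects
```

On a host that does not forward, an interface reports `accept=0` only when both `conf/all/accept_redirects` and its own `accept_redirects` are 0.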