
Re: ignored redirects



This one time, at band camp, martin f krafft said:
> also sprach Stephen Gran <sgran@debian.org> [2006.11.03.1246 +0100]:
> > I see them at one installation at work.  There, the gateway is
> > 10.103.4.3 or something, but some machines have their gateway
> > still set to the old router, 10.103.4.1.  When packets arrive at
> > .1 for an internet site, .1 sends an icmp redirect to tell them to
> > use .3 instead, and they do.  This is correct behavior by all
> > parties.  It's some wasted network traffic, and we're cleaning it
> > up as we notice it, but it's harmless overall.
> 
> Doesn't this also mean that I could plug into this network and send
> redirects for 10.103.4.3 to .251 (which is my machine) and snoop in
> on traffic that way? ICMP is, after all, datagram-based.

I don't think it's trivial, but it's certainly possible.  You would have
to construct an icmp packet that looked in every way like it came from .1
as part of the current conversation.  It would be heavily timing dependent
as well.  Given that it's a switched network, you would be working pretty
much blindly to try this attack.  None of that says it can't be done,
but it puts it up there with other fairly sophisticated network attacks,
and not something I am worrying about in general on the LAN in question.

> Granted, I could do the same with ARP spoofs anyway, but arpwatch
> would detect those. Short of a complete snort install, I doubt
> people check ICMP redirects on their networks.
> 
> Stephen, could you forward me the relevant log messages from your
> work gateway so that I can make sure to properly draft the logcheck
> filters?

I'll see if I can dig some up.  As I said, we have been cleaning up as
we notice them, so I'm not sure if this is happening much these days.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
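
The redirect behaviour discussed in this message, as an added example that is not part of the original post: a Python check that parses a captured IPv4 packet and flags ICMP redirects that do not match the expected .1 -> .3 pattern. The router addresses come from the thread; the function names, the host 10.103.4.20 and the remote 192.0.2.10 are assumptions, and the sample packets are constructed in memory with zeroed checksums.

```python
import ipaddress
import struct

# Assumptions taken from the LAN described in the thread.
LEGIT_REDIRECT_SOURCES = {"10.103.4.1"}   # old router some hosts still use
LEGIT_NEW_GATEWAYS = {"10.103.4.3"}       # current gateway

def parse_icmp_redirect(packet: bytes):
    """Return the fields of an ICMP redirect in a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 5:                                     # type 5 = Redirect
        return None
    inner = packet[ihl + 8:]          # header of the packet that was redirected
    return {
        "sender": str(ipaddress.IPv4Address(packet[12:16])),
        "host": str(ipaddress.IPv4Address(packet[16:20])),
        "code": packet[ihl + 1],
        "new_gateway": str(ipaddress.IPv4Address(packet[ihl + 4:ihl + 8])),
        "redirected_dst": (str(ipaddress.IPv4Address(inner[16:20]))
                           if len(inner) >= 20 else None),
    }

def classify(packet: bytes) -> str:
    info = parse_icmp_redirect(packet)
    if info is None:
        return "not-a-redirect"
    if info["sender"] not in LEGIT_REDIRECT_SOURCES:
        return "alert: redirect from unexpected source"
    # The source address can be forged, so the advertised gateway is the
    # field that matters most for monitoring.
    if info["new_gateway"] not in LEGIT_NEW_GATEWAYS:
        return "alert: redirect to unknown gateway"
    return "expected"

def sample_redirect(sender, host, new_gateway, remote) -> bytes:
    """Constructed test bytes (checksums left zero) to exercise the parser."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    inner = (struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 6, 0)
             + ip(host) + ip(remote) + b"\0" * 8)
    icmp = struct.pack("!BBH", 5, 1, 0) + ip(new_gateway) + inner
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0)
            + ip(sender) + ip(host) + icmp)

if __name__ == "__main__":
    print(classify(sample_redirect("10.103.4.1", "10.103.4.20",
                                   "10.103.4.251", "192.0.2.10")))
```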
