Re: Watcher page moved (and ObBug)

[smb () research att com (smb () research att com)]

         Interesting questions are:

         1) should TCP check the sequence number to avoid RST bombs?

Not only should but must, and I think does; see RFC 793.

         2) Should it check the sequence number to block ICMP redirect
         bombs?

Absolutely.

         3) Should it check the MAC source address of ICMP redirects
         against the ARP table entry of the sender?

Don't bother; the attacker is probably coming through your legitimate
router.

         4) Should routers discard received redirects that aren't
         addressed to the router?

Routers should always ignore Redirects.  RFC 1009 permits them to listen,
but this is a bad idea -- routers run routing protocols, and hence don't
need such primitive methods to learn the proper path.  RFC 1716, which
is a step towards a likely replacement for 1009, says this:

         A router using a routing protocol (other than static routes)
         MUST NOT consider paths learned from ICMP Redirects when
         forwarding a packet.  If a router is not using a routing
         protocol, a router MAY have a configuration which, if set,
         allows the router to consider routes learned via ICMP Redirects
         when forwarding packets.

         DISCUSSION:
            ICMP Redirect is a mechanism for routers to convey routing
            information to hosts.  Routers use other mechanisms to learn
            routing information, and therefore have no reason to obey
            redirects.  Believing a redirect which contradicted the
            router's other information would likely create routing
            loops.

            On the other hand, when a router is not acting as a router,
            it MUST comply with the behavior required of a host.