Re: Access to the Internic Blocked

[Vadim Antonov <avg () quake net>]

Curtis wrote:

> I've said many times that if security in your network is weak enough
> that you need to worry about LSRR packets you need to worry about
> security in your network.

Not at all.  LSRR is a nice tool to mount practically untraceable
flooding attack (hint -- just forge source address and spread
intermediate points evenly across the network).  Shutting you
down may be exactly what the attacker wants.

(LSRR attacks against service providers are particlularly bad --
just imagine somebody flooding you at T-1 speed and bouncing
packets back and forth two dozen times.  Poof -- here goes the
T-3 :)

There are particularly nasty man-in-the-middle attacks (which
defeat one-time-password login authentication, like that) if you
can combine LSRR with bogus routing.

> The minute someone unpacks a Sun workstation, configures an IP address
> and sticks it on the ethernet without installing the security patches
> and doing the administrative work needed to secure the machine, if you
> had a small hole in your security with LSRR, you now have a gaping
> hole in your security.  If you are relying on blocking LSRR, your
> security is a weak as the most peerly administered machine on your
> network.  A real bad thing if you are constantly hiring.

I never argued that blocking LSRR plugs all security holes.  However
it is one thing _not_ used in normal operations; and everything not
used _must_ be shut down by a prudent security.  And, again, there
are several LSRR-based attacks.

> Even so, if anywhere, where you want LSRR turned off is the border
> router(s) in front of the machines used for operations, network
> management, etc.

> Obviously you want your network to be secure even if
> LSRR was enabled for the reason I cited above.

Security Rule #1:  You're never secure.   Turning LSRR off doesn't
particularly hurt connectivity, and is cheap.  It's a way to _improve_
security.

--vadim
- - - - - - - - - - - - - - - - -