Security Basics mailing list archives
RE: Defualt ip address out
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 14 Aug 2003 10:19:04 -0700
(As you can see, I had some trouble reading your message beyond the first line or two...)

I recently had to dig into a case where the default route on a router was changing "by itself". The problem wasn't really with that router, but with one of its neighbors (a Cisco box), and an interaction between a couple of configuration options and some traffic we were receiving.

The first problem was with this config:

    no ip redirects

which was missing from our interface configurations. Without this, if the router received any traffic that it routed back out the same interface, it would send an "ICMP redirect" message to the neighbour. The neighbour, seeing that a packet it forwarded elicited a redirect, updated the route table entry it had used, which in this case was the default.

The second problem was

    ip classless

Looks harmless enough, but it means that any traffic to parts of our overall block for which we don't have a route will get forwarded to the default. (If we'd had "no ip classless", packets to our block without a route would be dropped.) (Note that the default gateway would see that the destination was within our address block, and hand it right back, back and forth until the packet's TTL expired. The changing default route was not really the only bad side effect!) This is what was causing some "inbound" packets to get redirected to the outbound default gateway. The fix for this was to add a static summary route black-holing anything not handled by a more explicit route.

This all had appeared to work fine, until anything scanned our entire address space. Sooner or later, one of the scan packets would be trying for an unpopulated subnet, and that would trigger the redirect.

David Gillett
-----Original Message-----
From: Kenneth Hauklien [mailto:boomy () boomdrak no]
Sent: August 14, 2003 02:55
To: security-basics () securityfocus com
Subject: Defualt ip address out

Hi.

On my machine lately the outgoing default ip has changed from 2 to 3.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
default         mikke-gw.kvalit 0.0.0.0         UG    0      0        0 eth0

root@login:~/hpbnc# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.2  Bcast:213.151.136.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144735586 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156653019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1134180310 (1.0 GiB)  TX bytes:1890855543 (1.7 GiB)
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.3  Bcast:213.151.136.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# lynx http://echo.boomdrak.no

(access.log from the server)
213.151.136.3 - - [14/Aug/2003:11:58:14 +0200] "GET / HTTP/1.0" 200 4110 "- " "Lynx/2.8.4rel.1 libwww-FM/2.14"

And I get the same errors when I, for example, ssh out on another machine, same with irc and the rest.

Does anyone know why this is? And how to change it?

Best regards
Kenneth Hauklien
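Added example, not part of the original thread or either poster's configuration: a small Python model of the forwarding decision David Gillett describes, showing what happens to one scan packet for an unpopulated subnet under each setting he mentions. The 172.16.0.0/16 block, interface names and the simplified "no ip classless" and redirect conditions are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing (assumption, not from the post): site block 172.16.0.0/16,
# two populated subnets, default route pointing back upstream via "outside".
BLOCK = ip.ip_network("172.16.0.0/16")
BASE_ROUTES = [
    (ip.ip_network("172.16.1.0/24"), "inside1"),
    (ip.ip_network("172.16.2.0/24"), "inside2"),
    (ip.ip_network("0.0.0.0/0"), "outside"),
]
NULL_SUMMARY = (BLOCK, "Null0")  # static summary route black-holing the block

def lookup(dst, routes, classless=True):
    """Longest-prefix match; returns the egress interface name or 'drop'."""
    addr = ip.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    if not classless and addr in BLOCK:
        # Simplified model of "no ip classless": for destinations inside a
        # block we hold subnets of, the default route is not eligible.
        matches = [(net, ifc) for net, ifc in matches if net.prefixlen > 0]
    if not matches:
        return "drop"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(dst, in_iface, routes, classless=True, redirects=True):
    """Return (action, sends_icmp_redirect) for one received packet."""
    out = lookup(dst, routes, classless)
    if out in ("drop", "Null0"):
        return ("discard", False)
    # Simplified redirect condition: packet leaves by the interface it came in on.
    return ("forward:" + out, redirects and out == in_iface)

def scan_probe_outcomes(dst="172.16.77.5"):
    """One scan packet to an unpopulated subnet, arriving from upstream."""
    return {
        "as_found": forward(dst, "outside", BASE_ROUTES),
        "no_ip_redirects": forward(dst, "outside", BASE_ROUTES, redirects=False),
        "no_ip_classless": forward(dst, "outside", BASE_ROUTES, classless=False),
        "null_summary": forward(dst, "outside", BASE_ROUTES + [NULL_SUMMARY]),
    }

if __name__ == "__main__":
    for name, result in scan_probe_outcomes().items():
        print(f"{name:16} {result}")
```

In this model, disabling redirects alone stops the redirect but the packet is still handed back upstream; only the Null0 summary route or classful lookup discards it.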
Current thread:
- Defualt ip address out Kenneth Hauklien (Aug 14)
- RE: Defualt ip address out David Gillett (Aug 14)
- Re: Defualt ip address out John R. Morris (Aug 14)